GitHub has released a new AI tool that can automatically fix vulnerabilities in code. The tool, called code scanning autofix, is now available in public beta to all GitHub Advanced Security users. GitHub has long used a tool called CodeQL to scan repositories automatically for potential security issues. That engine is now combined with the GitHub Copilot API so that it not only finds vulnerabilities automatically but also suggests how developers can fix the issues it discovers. Code scanning autofix also provides an explanation of each proposed fix. A suggested fix is not limited to a single file and can include changes across multiple files; it may also include dependencies that need to be added to the project. According to GitHub's announcement, developers can accept, modify, or reject the suggestions.
Currently, code scanning autofix can handle over 90% of alert types for JavaScript, TypeScript, Java, and Python. The company also states that the system can fix more than two-thirds of the identified errors with little or no adjustment required from developers. Support for additional languages will be added later, with C# and Go being the first to be included.
Reference: https://github.blog/2024-03-20-found-means-fixed-introducing-code-scanning-autofix-powered-by-github-copilot-and-codeql/