Fixing security vulnerabilities with AI

A peek under the hood of GitHub Advanced Security code scanning autofix.

Tiferet Gazit
12 min read, intermediate

Overview

The article discusses the launch of Copilot Autofix, an AI-powered tool that suggests fixes for security vulnerabilities in codebases. It details the underlying technology, including the use of CodeQL for code scanning and a large language model (LLM) for generating code edits, as well as the evaluation framework for testing and iteration.

What You'll Learn

1. How to leverage AI for fixing security vulnerabilities in code
2. Why CodeQL is essential for identifying security issues in codebases
3. How to implement a robust evaluation framework for AI-generated code fixes

Prerequisites & Requirements

  • Understanding of security vulnerabilities and code scanning techniques
  • Familiarity with GitHub and CodeQL (optional)

Key Questions Answered

What is code scanning autofix and how does it work?
Code scanning autofix is a feature that uses AI to suggest fixes for security vulnerabilities detected in codebases. It operates by analyzing alerts generated by CodeQL, sending relevant code and problem descriptions to a large language model, which then provides AI-generated code edits that developers can review and apply.
How does the autofix prompt function in the code scanning process?
The autofix prompt is constructed using information from CodeQL alerts, including vulnerability details and code snippets. This prompt is sent to a large language model, which generates a detailed response that includes instructions for fixing the vulnerability, the necessary code edits, and any new dependencies required.
What evaluation methods are used to improve the autofix feature?
The evaluation of the autofix feature involves an automated test harness that processes open source repositories with code scanning alerts. It collects data on alerts with test coverage and runs autofix on each alert to ensure that the suggested fixes remove the alerts without introducing new issues.
What are the key components of the architecture for code scanning autofix?
The architecture for code scanning autofix includes a backend service that integrates with existing code scanning infrastructure. It processes SARIF alert data, generates prompts for the LLM, and manages user interactions with suggested fixes, ensuring a seamless experience without requiring changes to existing workflows.
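
The acceptance check described in the evaluation answer above, sketched over SARIF results as an added example (not GitHub's harness and not code from the article). The function names, the tests_passed flag, matching alerts on the primaryLocationLineHash fingerprint so that line shifts caused by the edit are not counted as new alerts, and the sample scans are all assumptions made for illustration.

```python
def result(rule, uri, line, fp):
    """Build a minimal SARIF 2.1.0 result object (constructed sample data)."""
    return {"ruleId": rule,
            "partialFingerprints": {"primaryLocationLineHash": fp},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}

def alert_keys(sarif):
    """Map each result to a key that survives line shifts caused by an edit."""
    keys = set()
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "")
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            if fp is None:  # no fingerprint: fall back to the (fragile) line number
                fp = "line:%s" % loc.get("region", {}).get("startLine")
            keys.add((res.get("ruleId", ""), uri, fp))
    return keys

def evaluate_fix(before, after, target, tests_passed):
    """Accept a fix only if the target alert is gone, no alert is new, tests pass."""
    b, a = alert_keys(before), alert_keys(after)
    if target not in b:
        raise ValueError("target alert not present in the pre-fix scan")
    removed = target not in a
    new_alerts = sorted(a - b)
    return {"alert_removed": removed, "new_alerts": new_alerts,
            "accepted": removed and not new_alerts and tests_passed}

# Constructed scans: one targeted alert plus one unrelated alert in the same file.
BEFORE = {"version": "2.1.0", "runs": [{"results": [
    result("js/sql-injection", "src/db.js", 12, "aaa111:1"),
    result("js/path-injection", "src/db.js", 40, "bbb222:1")]}]}
# After a good fix the unrelated alert moved from line 40 to 42, same fingerprint.
GOOD_AFTER = {"version": "2.1.0", "runs": [{"results": [
    result("js/path-injection", "src/db.js", 42, "bbb222:1")]}]}
# After a bad fix the target is gone but the edit introduced a different alert.
BAD_AFTER = {"version": "2.1.0", "runs": [{"results": [
    result("js/path-injection", "src/db.js", 42, "bbb222:1"),
    result("js/command-line-injection", "src/db.js", 14, "ccc333:1")]}]}
TARGET = ("js/sql-injection", "src/db.js", "aaa111:1")

if __name__ == "__main__":
    print(evaluate_fix(BEFORE, GOOD_AFTER, TARGET, tests_passed=True))
    print(evaluate_fix(BEFORE, BAD_AFTER, TARGET, tests_passed=True))
```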

Key Statistics & Figures

  • Success rate improvement: Tripled. The success rate of autofix suggestions improved significantly through iterative testing and refinement.
  • LLM compute requirements reduction: Reduced by a factor of six. The optimization of the autofix process led to a substantial decrease in the computational resources needed for LLM operations.
  • Alerts collected for evaluation: Over 1,400. The evaluation process for JavaScript and TypeScript included a substantial dataset of alerts with test coverage.

Technologies & Tools

  • CodeQL (Backend): Used for semantic code analysis to detect security vulnerabilities.
  • AI (Backend): Utilized for generating code fixes based on detected vulnerabilities.
  • SARIF (Data Format): Format used for uploading code scanning results to the code scanning API.
  • Azure (Cloud Platform): Hosts the internally-deployed API running LLMs for generating code fixes.

Key Actionable Insights

1. Integrate CodeQL into your development workflow to enhance security scanning capabilities.
   By using CodeQL, developers can proactively identify vulnerabilities in their codebases, allowing for timely fixes and improved security posture.
2. Utilize AI-generated code suggestions to streamline the process of fixing vulnerabilities.
   AI can significantly reduce the time developers spend on identifying and fixing security issues, enabling them to focus on more complex tasks.
3. Establish a robust evaluation framework for AI tools to ensure quality and reliability.
   Regular testing and iteration based on real-world data can help improve the effectiveness of AI-generated solutions and maintain high standards.

Common Pitfalls

1. Relying solely on AI-generated fixes without proper review can lead to introducing new vulnerabilities.
   AI tools can suggest fixes, but developers must validate these suggestions to ensure they do not compromise code functionality or security.
2. Neglecting to monitor the performance of AI tools can result in missed opportunities for improvement.
   Continuous monitoring and evaluation are crucial for understanding the effectiveness of AI solutions and making necessary adjustments.