
GitHub's latest AI tool helps users automatically fix bugs and vulnerabilities in their code

PHPz
2024-03-21 16:01:23


Today, GitHub launched a new "Code Scan" feature (in preview) for all GitHub Advanced Security (GHAS) licensed users, designed to help them discover potential security vulnerabilities and coding errors in code hosted on GitHub.


This new feature leverages Copilot and CodeQL to detect potential vulnerabilities or errors in your code, classify them, and prioritize remediation. Note that code scanning consumes GitHub Actions minutes.

According to the introduction, code scanning not only stops developers from introducing new problems; scans can also be triggered on a schedule (at specific dates and times) or when specific events, such as a push, occur in the repository.

If the AI finds a potential vulnerability or error in your code, GitHub raises an alert in the repository and closes the alert once the user fixes the code that triggered it.

To monitor the code scanning results of your repository or organization, you can use webhooks and the code scanning API. Additionally, code scanning interoperates with third-party code scanning tools by exchanging output in the Static Analysis Results Interchange Format (SARIF).

Currently, there are three main ways to use CodeQL analysis for code scanning:

  • Quickly configure CodeQL analysis for code scanning on your repository using the default setup. The default setup automatically selects the languages to analyze, the query suites to run, and the events that trigger a scan, but you can manually choose the query suites and languages if needed. When CodeQL is enabled, GitHub Actions performs a workflow run to scan your code.
  • Add a CodeQL workflow to the repository using the advanced setup. This generates a customizable workflow file that uses github/codeql-action to run the CodeQL CLI.
  • Run the CodeQL CLI directly in an external CI system and upload the results to GitHub.
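The second option above, the advanced setup, produces a workflow file that the repository owner edits by hand. The following is an added example of such a file (it is not from the article and not GitHub's generated template); the branch name, the weekly schedule, and the choice of languages and query suite are assumptions for a hypothetical repository. It shows the scan triggers the article mentions (push, pull request, and a schedule), the least-privilege permissions the job needs to upload alerts, and the two github/codeql-action steps that build the CodeQL database and run the queries.

```yaml
# Added example: .github/workflows/codeql.yml for the CodeQL "advanced setup".
# Not the article's or GitHub's own file; branches, schedule, languages and
# query suite below are assumptions for a hypothetical repository.
name: "CodeQL"

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    # Scheduled scan independent of pushes (cron is evaluated in UTC).
    # Assumed schedule: every Monday at 02:30.
    - cron: "30 2 * * 1"

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    # Least privilege: the job only needs to read the code and write
    # code scanning results; it gets no other repository permissions.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        # Two of the languages the article lists; adjust for your repository.
        language: [ "javascript-typescript", "python" ]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes CodeQL for the matrix language and selects the query suite.
      # "security-extended" adds lower-precision security queries to the default suite.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended

      # Builds the CodeQL database, runs the queries, and uploads the SARIF
      # results, which appear as code scanning alerts in the Security tab.
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Each matrix entry runs as its own job, so a failure in one language does not hide results for the other (`fail-fast: false`). The `category` input keeps the two languages' results separate so that an alert closed in one analysis is not mistaken for a fix in the other.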


GitHub promises that this AI system can fix more than two-thirds of the vulnerabilities it finds, so developers generally do not need to edit the code themselves. The company also promises that code scanning automatic remediation will cover more than 90% of alert types in its supported languages, which currently include JavaScript, TypeScript, Java, and Python.


Statement: This article is reproduced from 51cto.com. If there is any infringement, please contact admin@php.cn for deletion.