Copilot (previously code scanning) Autofix: Preview Feedback and Resources #111094
Replies: 31 comments 44 replies
-
Love the feature, a couple of questions:
-
When can independent open source maintainers get their hands on this lovely tool? After reading the announcement post, it seems it's intended for enterprise customers?
-
How do you create the ```suggestion block with "Outside changed files" targeting line 16 of package.json?
-
Hi, great to see this shipped! I hope eventually we can see autofix suggestions directly in an alert and create a PR from there?
-
@turbo can we use it with the GitHub Enterprise plan in which we will have only 1 user/seat, and if not, then why are you guys blocking this? Because nowadays in this AI era everybody is talking about the one-person company powered by AI, and we are not able to use such AI features for ourselves...
-
Thanks for this new cool feature! I am (and I believe many developers among us are) looking for C# support. Is this something already on the roadmap? Where can I get a notification after it's released?
-
Question! I'm wondering if and when this becomes available for its sister product, GitHub Advanced Security for Azure DevOps. What timeframe should we expect?
-
I have created several discussion posts related to CodeQL and AutoFix. They are here: "CodeQL XSS False Positives and XSS AutoFix incorrect location for defensive encoding" (#122802) (now also reported here: github/codeql#16531), here: "CodeQL Findings Should be Reported in Filename Order in Pull Requests" (#123182) (now also reported here: https://github.com/github/codeql/issues/16530), and here: "Relate Adoption of suggested AutoFixes to CodeQL Findings" (#122838). Some feedback from the GitHub team on these suggested enhancements would be appreciated. Also, rather than creating new Discussions like this, or posting comments here, is there a better/easier way to provide specific CodeQL/AutoFix feedback to the GitHub team, rather than in a public forum? For example, I adopted an AutoFix and it created a compilation error because one of the new methods in the AutoFix throws an additional type of Exception. I want to provide feedback on that specific issue, but posting those details here seems like not the right place for feedback that is super specific like this.
-
Is there a way to commit multiple suggestions at the same time? There doesn't seem to be an "Add suggestion to batch" as described in the general documentation for applying a suggested change.
-
Would autofix be coming to public repositories as well? I'd like to try out the new C++ autofixes in my FOSS project and provide feedback.
-
If Copilot is going to suggest an "autofix", it would be nice if implementing the "autofix" didn't also generate a CodeQL warning with a new "autofix". I'm about four levels deep into a "URL redirection from remote source" change.
-
I just noticed some
-
I noticed a slight UI bug - the Autofix "Beta - Give feedback" UI is appearing for alerts unrelated to CodeQL. Here's an example where it appears on an alert for a different tool that we upload results for into GitHub using SARIF files:
-
Can you please stop recommending use of strncpy(3)? It's not a string-copying function. It's a very specialized function, designed to be used on utmp(5) and tar(1); nothing else.
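To make the point behind this comment concrete, here is an added example in C (not code from the thread, from GitHub, or from Copilot Autofix). It shows why strncpy(3) behaves as a fixed-width field filler rather than a string copier: it zero-pads the whole remainder of a short destination, and it writes no terminator at all when the source is at least n bytes long, so a later strlen()/printf() on the result reads past the buffer. bounded_copy is a hypothetical strlcpy-style helper, assumed for this example only, of the kind a reviewer would rather see suggested: it always terminates and lets the caller detect truncation.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy src into an n-byte destination with strncpy and report whether the
   result is a NUL-terminated C string. strncpy stops after n bytes and writes
   no terminator when strlen(src) >= n. Returns 1 if terminated, else 0. */
int strncpy_is_terminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Count how many NUL bytes strncpy writes into an n-byte destination.
   For short sources it pads the entire remainder with zeros, which is the
   fixed-width-record behaviour (utmp(5), tar(1) headers) it was made for. */
size_t strncpy_nul_count(char *dst, size_t n, const char *src)
{
    size_t count = 0;
    strncpy(dst, src, n);
    for (size_t i = 0; i < n; i++)
        if (dst[i] == '\0')
            count++;
    return count;
}

/* bounded_copy: hypothetical helper (assumed for this example, not from the
   thread) with strlcpy-like semantics: copies at most n-1 bytes, always
   NUL-terminates when n > 0, and returns strlen(src) so the caller can
   detect truncation with `if (ret >= n)`. */
size_t bounded_copy(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (n == 0)
        return len;
    size_t ncopy = len < n - 1 ? len : n - 1;
    memcpy(dst, src, ncopy);
    dst[ncopy] = '\0';
    return len;
}

int main(void)
{
    char buf[8];

    /* 5-byte source into an 8-byte buffer: terminated, padded with 3 NULs. */
    printf("short    -> terminated=%d\n", strncpy_is_terminated(buf, sizeof buf, "short"));
    printf("ab       -> NUL bytes=%zu\n", strncpy_nul_count(buf, sizeof buf, "ab"));

    /* 8-byte source into an 8-byte buffer: strncpy writes no terminator. */
    printf("exactly8 -> terminated=%d\n", strncpy_is_terminated(buf, sizeof buf, "exactly8"));

    /* The bounded copy truncates to "exactly" and reports the full length. */
    size_t ret = bounded_copy(buf, sizeof buf, "exactly8");
    printf("bounded_copy -> \"%s\" (ret=%zu, truncated=%d)\n", buf, ret, ret >= sizeof buf);
    return 0;
}
```

The second case is the one that matters for review: with an 8-byte source and an 8-byte destination, strncpy leaves no terminator, and nothing in its return value tells the caller. The bounded copy returns 8 against a buffer of 8, so the truncation is visible and can be handled instead of silently producing an unterminated buffer.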
-
This rule is firing for us on names of static const Apex fields. The regex does not match the Salesforce style guide for such fields here. The rule is therefore generating false positives for this case.
-
Hi folks, the UI for autofix suggestions that suggest code that was not changed in the original PR is confusing. Here is an example: It is not clear what code this is alerting against - it almost makes it seem like the alert is for the code that is not part of the PR. I am not sure what the best UI/UX would be for this case, but it might be helpful to make the
-
I clicked on the 'Generate Fix' link.
-
Feedback: after clicking the "Generate Fix" button, it appears to be impossible to hide the auto-generated patch diff. This is frustrating, because the diff produces a lot of visual noise that can make it difficult to reevaluate the vulnerability that was originally reported. Suggestion: put this patch diff on a new tab on the same page. It would be convenient to be able to tab between the unadorned vulnerability report and the generated patch.
-
Is the screenshot posted in the blog page real? If so, this is a clear indication that the tool isn't even close to being production-ready (as with any other AI-based coding "assistant" I'm aware of, though: this is only about AI hype, not about some useful value). I'll copy that screenshot here for context: Let's go through the screenshot. It identifies a prototype pollution vulnerability. Well done - though I can't verify whether the vulnerability is real based on the two lines of code shown there. If that's copying a hardcoded config reference (no user input), the code is safe. Let's assume the best - the vuln is really there and should be mitigated. Let's now see what the "intelligent" suggestion says.
Now, let's look at whether the reasoning is correct or adequate. Spoiler: no. After emitting two sentences, the tool rapidly confuses prototype pollution and script injection/XSS. That's why we see Finally, the tool as shown doesn't look like something that should even be considered to be run anywhere near production code. It might be a funny toy for fans. The claim that
are not justified - the snippet suggested by autofix can only be thrown away and reimplemented. Now, to wrap up my post: I'm not a JS developer, my primary language is Python, and I use JS/TS only occasionally. I'd warmly welcome a professional JS developer to join my post and confirm/disprove the statements I'm trying to make.
-
Some quick feedback - I noticed that if an autofix is initiated from a code scanning security alert, the autofix suggestion UI removes some of the existing information from the alert. Could this information remain visible? For example, the "show paths" link is no longer accessible when the autofix suggestion is shown. The "show paths" information is critical when understanding the data flow resulting in a potential vulnerability. Thanks!
-
Hi, I've been trying this out lately, and one thing that's been bugging me has been how code scanning alert numbers in PR titles created by Copilot Autofix get linked to issues with that same number instead. Is there a way that code scanning alert numbers could somehow get disambiguated from issue numbers so that this kind of mixup doesn't happen?
-
Hey everyone! 👋🏾 I'm here to announce that, not only are Security Campaigns with Copilot Autofix now in public preview, but Copilot Autofix now supports partner code scanning tools as well! 🎉 Check out the announcement post here to learn more! [Public Preview] Security Campaigns w/ Copilot Autofix 🧑💻
-
I'm being hacked; they have my phone locked down.
-
Welcome to the preview for code scanning autofix!
Autofix is an AI-powered expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from CodeQL analysis.
Read our announcement blog here
This discussion is the place to provide feedback and ask questions about autofix.
Status
Autofix is available to all GitHub Advanced Security (GHAS) customers. Fix suggestions are available on private repositories with a working code scanning configuration.
Capabilities
Fix suggestions are currently generated for nearly all supported security queries for CodeQL. The alerts on PRs and existing alerts on the default branch are supported with the functionality.
To learn more about the capabilities, limitations, and fix generation process, please refer to our public transparency documentation.
For a more hands-on demo of autofix, take a look at this 5-minute walkthrough we've put together.