How GitHub’s New AI Auto‑Fixes Vulnerabilities in Real Time

GitHub and Entry have introduced an AI‑powered Code Scanning Autofix that automatically detects, prioritizes, and repairs security flaws in JavaScript, TypeScript, Java, and Python code, dramatically speeding up vulnerability remediation for private repositories.


Recently, technology giant Entry teamed up with GitHub to launch a new AI feature that significantly accelerates vulnerability remediation during coding.

The feature, now in public beta, is automatically enabled for all private repositories of GitHub Advanced Security (GHAS) customers.

Named “Code Scanning Autofix,” it leverages Copilot and CodeQL to discover potential bugs or security issues, classify them, and prioritize fixes. It can handle more than 90% of alert types in JavaScript, TypeScript, Java, and Python.

Note that code scanning consumes GitHub Actions minutes.

Code scanning also helps developers and security teams avoid introducing new problems: it supports scheduled scans and can be triggered by specific repository events such as pushes.

If the AI detects a possible vulnerability, GitHub raises an alert in the repository and clears the alert once the triggering code is repaired.

Repositories or organizations can monitor scan results via webhooks and the Code Scanning API, and the service interoperates with third‑party scanners that export SARIF data.

There are three primary ways to run CodeQL analysis for code scanning:

1. Use the default settings to quickly configure CodeQL on a repository; the system automatically selects languages, query suites, and trigger events, with optional manual adjustments.

2. Add a custom CodeQL workflow using the advanced settings, which generates a customizable workflow file that runs the CodeQL CLI via github/codeql-action.

3. Run the CodeQL CLI in an external CI system and upload the results to GitHub.

Technical Mechanism

When a pull request is opened or a commit is pushed, the scanning process starts and integrates with the workflow or an external CI system. Results are formatted as SARIF and uploaded to the Code Scanning API.
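The SARIF step is the seam between scanners and GitHub: CodeQL, third-party tools (mentioned above in the webhook and API paragraph) and external CI systems all hand results to the Code Scanning API in that format. The following Python script is an added example, not GitHub's or CodeQL's code; it builds a constructed SARIF 2.1.0 document, orders its findings by the per-rule "security-severity" property the way a triage step would prioritize them, and packages the document as the gzip-plus-base64 body the SARIF upload endpoint expects. Tool name, rule ids, file paths and the commit SHA are placeholders.

```python
"""Triage and package a SARIF log for the Code Scanning API (added example).

Assumptions, not taken from the article: the upload body format
(commit_sha, ref, and a gzip-compressed, base64-encoded SARIF string) and
the "security-severity" rule property, both as documented for the
code-scanning SARIF upload endpoint.
"""
import base64
import gzip
import json

# Constructed minimal SARIF 2.1.0 log shaped like scanner output: one run,
# three rules (one without a security-severity), one result per rule.
# Results are deliberately listed lowest-severity first so ordering matters.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "example-scanner",  # placeholder tool name
            "rules": [
                {"id": "js/sql-injection", "properties": {"security-severity": "8.8"}},
                {"id": "js/log-injection", "properties": {"security-severity": "6.1"}},
                {"id": "example/no-severity"},  # tool gave no severity
            ],
        }},
        "results": [
            {"ruleId": "example/no-severity", "level": "note",
             "message": {"text": "Style issue"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.js"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "js/log-injection", "level": "warning",
             "message": {"text": "Log entry built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/log.js"},
                 "region": {"startLine": 19}}}]},
            {"ruleId": "js/sql-injection", "level": "error",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.js"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
}


def rule_severity(sarif: dict) -> dict:
    """Map rule id -> numeric security-severity (0.0 when the tool gave none)."""
    table = {}
    for run in sarif["runs"]:
        for rule in run["tool"]["driver"].get("rules", []):
            raw = rule.get("properties", {}).get("security-severity", "0")
            table[rule["id"]] = float(raw)
    return table


def prioritize(sarif: dict) -> list:
    """Flatten results into findings sorted by severity (desc), then location."""
    sev = rule_severity(sarif)
    findings = []
    for run in sarif["runs"]:
        for res in run.get("results", []):
            locs = res.get("locations") or []
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            findings.append({
                "rule": res["ruleId"],
                "severity": sev.get(res["ruleId"], 0.0),
                "file": phys.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": phys.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    findings.sort(key=lambda f: (-f["severity"], f["file"], f["line"]))
    return findings


def build_upload_payload(sarif: dict, commit_sha: str, ref: str) -> dict:
    """Body for POST /repos/{owner}/{repo}/code-scanning/sarifs.

    The SARIF JSON is gzip-compressed, then base64-encoded, as the endpoint
    requires; the request itself is not sent here.
    """
    raw = json.dumps(sarif).encode("utf-8")
    return {
        "commit_sha": commit_sha,
        "ref": ref,
        "sarif": base64.b64encode(gzip.compress(raw)).decode("ascii"),
    }


def decode_upload_payload(payload: dict) -> dict:
    """Reverse build_upload_payload, to check the encoding round-trips."""
    return json.loads(gzip.decompress(base64.b64decode(payload["sarif"])))


if __name__ == "__main__":
    for f in prioritize(SAMPLE_SARIF):
        print(f"{f['severity']:>4}  {f['rule']:<22} {f['file']}:{f['line']}  {f['message']}")
    payload = build_upload_payload(SAMPLE_SARIF, "0" * 40, "refs/heads/main")  # placeholder SHA
    assert decode_upload_payload(payload) == SAMPLE_SARIF
    print("payload size (base64 chars):", len(payload["sarif"]))
```

Findings whose rule carries no security-severity sort last with a score of 0.0, which is usually the right default for triage but means a tool that omits the property will have all its alerts ranked below any CodeQL security finding; check the scanner's rule metadata before trusting the order.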

The backend verifies language support and then invokes a fix generator CLI tool.

Relevant code snippets from the repository are fed into an Azure‑hosted service that calls a large language model (LLM). The LLM’s response is filtered to block harmful output, and the fix generator refines it into concrete code suggestions.

The generated suggestions are stored and presented alongside alerts in the pull‑request view, with caching to optimize LLM compute resources.

GitHub’s Pierre Tempel and Eric Tooley explain that each suggestion includes a natural‑language explanation and a preview of the code change, which developers can accept, edit, or reject. The suggestions may span the current file, multiple files, or even project dependencies, dramatically reducing the daily workload of security teams.

GitHub promises the AI system can automatically fix more than two‑thirds of detected vulnerabilities and will cover over 90% of alert types for supported languages. Future support for C# and Go is planned.

Developers should still verify that security issues are fully resolved, as the AI may propose partial fixes or changes that affect intended functionality.

The feature helps curb the growth of “application security debt” by making it easier for developers to address flaws as they code.

Last month, GitHub also enabled push protection by default for all public repositories to prevent accidental exposure of tokens and API keys.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: AI, security, GitHub, Code Scanning, CodeQL

Written by 21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
