Code scanning autofix: Preview Feedback and Resources #111094
Replies: 22 comments 27 replies
-
Love the feature, a couple of questions:
-
When can independent open source maintainers get their hands on this lovely tool? After reading the announcement post, it seems it's intended for enterprise customers?
-
How do you create the `` ```suggestion `` block with "Outside changed files" targeting line 16 of package.json?
-
Hi, great to see this shipped! I hope eventually we can see autofix suggestions directly in an alert and create a PR from there?
-
@turbo can we use it with the GitHub Enterprise plan in which we will have only 1 user/seat, and if not, then why are you blocking this? Because nowadays, in this AI era, everybody is talking about one-person companies powered by AI, and we are not able to use such AI features for ourselves...
-
Thanks for this new cool feature! I am (and I believe many developers among us are) looking for C# support. Is this something on the roadmap already? Where can I get a notification after it's released?
-
Question! I'm wondering if and when this becomes available for its sister product, GitHub Advanced Security for Azure DevOps. What timeframe should we expect?
-
I have created several discussion posts related to CodeQL and AutoFix. They are here: "CodeQL XSS False Positives and XSS AutoFix incorrect location for defensive encoding" (#122802) (now also reported here: github/codeql#16531), here: "CodeQL Findings Should be Reported in Filename Order in Pull Requests" (#123182) (now also reported here: https://github.com/github/codeql/issues/16530), and here: "Relate Adoption of suggested AutoFixes to CodeQL Findings" (#122838). Some feedback from the GitHub team on these suggested enhancements would be appreciated.

Also, rather than creating new Discussions like this, or posting comments here, is there a better/easier way to provide specific CodeQL/AutoFix feedback to the GitHub team, rather than in a public forum? For example, I adopted an AutoFix and it created a compilation error because one of the new methods in the AutoFix throws an additional type of Exception. I want to provide feedback on that specific issue, but posting those details here seems like not the right place for feedback that is super specific like this.
-
Is there a way to commit multiple suggestions at the same time? There doesn't seem to be an "Add suggestion to batch" as described in the general documentation for applying a suggested change.
-
Would autofix be coming to public repositories as well? I'd like to try out the new C++ autofixes in my FOSS project and provide feedback.
-
Can we stop highlighting any use of http:// as a security error?
-
@turbo can I buy GitHub Copilot Enterprise to use without enrolling for an enterprise seat, if I have a Team or Free plan in any organisation?
-
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐
-
If Copilot is going to suggest an "autofix", it would be nice if implementing the "autofix" didn't also generate a CodeQL warning with a new "autofix". I'm about four levels deep into a "URL redirection from remote source" change.
-
I just noticed some
-
I noticed a slight UI bug: the Autofix "Beta - Give feedback" UI is appearing for alerts unrelated to CodeQL. Here's an example where it appears on an alert for a different tool that we upload results for into GitHub using SARIF files:
-
Can you please stop recommending use of strncpy(3)? It's not a string-copying function. It's a very specialized function, designed to be used on utmp(5) and tar(1); nothing else.
-
This rule is firing for us on names of static const Apex fields. The regex does not match the Salesforce style guide for such fields here. The rule is therefore generating false positives for this case.
-
Hi folks, the UI for autofix suggestions that suggest code that was not changed in the original PR is confusing. Here is an example: I am not sure what the best UI/UX would be for this case, but it might be helpful to make the
-
Welcome to the preview for code scanning autofix!
Autofix is an AI-powered expansion of code scanning that provides users with targeted recommendations to help them fix code scanning alerts in pull requests, so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and the CodeQL analysis results.
Read our announcement blog here
This discussion is the place to provide feedback and ask questions about autofix.
Status
Autofix is available to all GitHub Advanced Security (GHAS) customers. Fix suggestions are available on private repositories with a working code scanning configuration.
Capabilities
Fix suggestions are currently generated for nearly all supported security queries for JavaScript/TypeScript, Java, Python, and C#. We will be adding support for more languages soon. Only new alerts on Pull Requests are considered.
To learn more about the capabilities, limitations, and fix generation process, please refer to our public transparency documentation.
For a more hands-on demo of autofix, take a look at this 5-minute walkthrough we've put together.