Skip to content

Code scanning now suggests AI-powered autofixes for CodeQL alerts in pull request (beta)

Code scanning autofix is now available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot, code scanning suggests fixes for Javascript, Typescript, Java, and Python alerts found by CodeQL.
This feature empowers developers to reduce the time and effort spent remediating alerts found in pull requests, and helps prevent new vulnerabilities from being introduced into your code base.

Autofix

The feature is automatically enabled on all private repositories for GitHub Advanced Security customers.
When code scanning analysis is performed on pull requests, autofixes will be generated for supported alerts. They include a natural language explanation of the suggested fix, together with a preview of the code suggestion that the developer can accept, edit, or dismiss. In addition to changes to the current file, these code suggestions can include changes to multiple files. Where needed, autofix may also add or modify dependencies.

You can see the total number of autofix suggestions provided for CodeQL alerts in open and closed pull requests in security overview:

Autofixes on the overview dashboard

You can configure code scanning autofix for a repository or organisation. You can also use Policies for Code security and analysis to allow autofix for CodeQL code scanning for an enterprise.

Enterprise settings

Code scanning autofix supports, on average, 90% of CodeQL Javascript, Typescript, Java, and Python alerts from queries in the Default code scanning suite. The fix generation for any given alert also depends on the context and location of the alert. In some cases, code scanning won’t display a fix suggestion for an alert if the suggested code change fails syntax tests or safety filtering.

This change is now available to all GitHub Advanced Security customers on GitHub.com. For more information, see About autofix for CodeQL code scanning.

Provide feedback for code scanning autofix here.

Enablement trends for security products (public beta)

You can now monitor enablement trends for all security products within your GitHub organization. This functionality is designed to give you a detailed overview of how your organization is implementing security product coverage.

new tool adoption report

Explore enablement trends for historical insights into the activation status of GitHub security features:
* Dependabot alerts
* Dependabot security updates
* Code scanning
* Secret scanning alerts
* Secret scanning push protection

Historical data is available from January 1, 2024, with the exception of Dependabot security updates data, which is available from January 17, 2024.

To access the enablement trends page, visit security overview at the organization level. You can find security overview by clicking on the “Security” tab.

This feature is now available as a public beta on GitHub Enterprise Cloud and will be available in GitHub Enterprise Server 3.13.

Learn more about security overview and join the discussion within the GitHub Community

See more

Logging SAML SSO and SCIM identity data in audit log events is generally available

Starting today for GitHub Enterprise Cloud and as part of GitHub Enterprise Server version 3.13, enterprise and organization audit log events will include the applicable SAML and SCIM identity data associated with the user. This data provides increased visibility into the identity of the user and enables logs from multiple systems to quickly and easily be linked using a common corporate identity. The SAML identity information will be displayed in the external_identity_nameid field and the SCIM identity data will be displayed in the external_identity_username field within the audit log payloads.

In GitHub Enterprise Cloud Classic, SAML SSO gives organization and enterprise owners a way to control and secure access to resources like repositories, issues, and pull requests. Organization owners can invite GitHub users to join an organization backed by SAML SSO, allowing users to become members of the organization while retaining their existing identity and contributions on GitHub.

If your Enterprise Cloud Classic organization uses SAML SSO, you can use SCIM to add, manage, and remove organization members’ access to your organization. For example, an administrator can deprovision an organization member using SCIM and automatically remove the member from the organization.

To learn more, read our documentation about SAML SSO authentication data in our audit logs.

See more
View all changes