diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
index 56b980f8d1..376c543250 100644
--- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
+++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning.md
@@ -27,6 +27,12 @@ You can use {% data variables.product.prodname_code_scanning %} to find, triage,
 If {% data variables.product.prodname_code_scanning %} finds a potential vulnerability or error in your code, {% data variables.product.prodname_dotcom %} displays an alert in the repository. After you fix the code that triggered the alert, {% data variables.product.prodname_dotcom %} closes the alert. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)."
+{% ifversion code-scanning-autofix %}
+
+Autofix will suggest fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories, allowing developers to prevent and reduce vulnerabilities with less effort. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
+
+{% endif %}
+
 To monitor results from {% data variables.product.prodname_code_scanning %} across your repositories or your organization, you can use webhooks and the {% data variables.product.prodname_code_scanning %} API. For information about the webhooks for {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/webhooks-and-events/webhooks/webhook-events-and-payloads#code_scanning_alert)." For information about API endpoints, see "[AUTOTITLE](/rest/code-scanning)."
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning.md b/content/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning.md
index 991b78e213..5aa8653bd1 100644
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning.md
@@ -1,7 +1,7 @@
 ---
 title: About autofix for CodeQL code scanning
 shortTitle: Autofix for code scanning
-intro: Learn how GitHub uses AI to suggest potential fixes for {% data variables.product.prodname_code_scanning %} alerts found by {% data variables.product.prodname_codeql %} in your pull request.
+intro: Learn how GitHub uses AI to suggest potential fixes for {% data variables.product.prodname_code_scanning %} alerts found by {% data variables.product.prodname_codeql %}.
 product: '{% data reusables.rai.code-scanning.gated-feature-autofix %}'
 versions:
 feature: code-scanning-autofix
@@ -15,20 +15,20 @@ topics:
 ---
-{% data reusables.rai.code-scanning.beta-autofix %}
+{% data reusables.rai.code-scanning.autofix-note %}
 ## About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}
-{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis.
+{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts so they can avoid introducing new security vulnerabilities. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase and from {% data variables.product.prodname_codeql %} analysis.
 > [!NOTE]
 > While {% data variables.product.prodname_code_scanning %} autofix is powered by {% data variables.product.prodname_copilot %}, your enterprise does not need a subscription to {% data variables.product.prodname_copilot %} to use autofix. As long as your enterprise has {% data variables.product.prodname_GH_advanced_security %}, you will have access to autofix.
-{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal {% data variables.product.prodname_copilot %} APIs and private instances of OpenAI large language models such as GPT-4, which have sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
+{% data variables.product.prodname_code_scanning_caps %} autofix generates potential fixes that are relevant to the existing source code and translates the description and location of an alert into code changes that may fix the alert. Autofix uses internal {% data variables.product.prodname_copilot %} APIs interfacing with the large language model GPT-4o from OpenAI, which has sufficient generative capabilities to produce both suggested fixes in code and explanatory text for those fixes.
 {% ifversion code-scanning-autofix %}While {% data variables.product.prodname_code_scanning %} autofix is allowed by default in an enterprise and enabled for every repository using {% data variables.product.prodname_codeql %}, you can choose to opt out and disable autofix. To learn how to disable autofix at the enterprise, organization and repository levels, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)."{% endif %}
-In an organization's security overview dashboard, you can view the total number of autofix suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
+In an organization's security overview dashboard, you can view the total number of code suggestions generated on open and closed pull requests in the organization for a given time period. For more information, see "[AUTOTITLE](/enterprise-cloud@latest/code-security/security-overview/viewing-security-insights#autofix-suggestions)" in the {% data variables.product.prodname_ghe_cloud %} documentation.
 ## Developer experience
@@ -40,35 +40,35 @@ After committing a suggested fix or modified fix, the developer should always ve
 ## Supported languages
-{% data variables.product.prodname_code_scanning_caps %} autofix supports fix generation for a subset of queries included in the default and security-extended query suites for C#, C/C++, Go, Java/Kotlin, JavaScript/TypeScript, Python, and Ruby. For more information on these query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites)."
+{% data variables.product.prodname_code_scanning_caps %} autofix supports fix generation for a subset of queries included in the default and security-extended query suites for {% data variables.code-scanning.code_scanning_autofix_languages %}. For more information on these query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#built-in-codeql-query-suites)."
-## Autofix generation process
+## Suggestion generation process
-When autofix is enabled for a repository, {% data variables.product.prodname_code_scanning %} alerts that are identified in a pull request by supported {% data variables.product.prodname_codeql %} queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown in the pull request as a suggestion comment.
+When autofix is enabled for a repository, {% data variables.product.prodname_code_scanning %} alerts that are identified by supported {% data variables.product.prodname_codeql %} queries send input to the LLM. If the LLM can generate a potential fix, the fix is shown as a suggestion.
-{% data variables.product.prodname_dotcom %} sends the LLM a variety of data from the pull request and from {% data variables.product.prodname_codeql %} analysis.
+{% data variables.product.prodname_dotcom %} sends the LLM a variety of data from the {% data variables.product.prodname_codeql %} analysis.
* {% data variables.product.prodname_codeql %} alert data in SARIF format. For more information, see “[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning).”
-* Code from the current version of the pull request branch.
+* Code from the current version of the branch.
 * Short snippets of code around each source location, sink location, and any location referenced in the alert message or included on the flow path.
 * First ~10 lines from each file involved in any of those locations.
 * Help text for the {% data variables.product.prodname_codeql %} query that identified the problem. For examples, see “[{% data variables.product.prodname_codeql %} query help](https://codeql.github.com/codeql-query-help/).”
-Any autofix suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestion comments in the pull request. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating the pull request.
+Any autofix suggestions are generated and stored within the {% data variables.product.prodname_code_scanning %} backend. They are displayed as suggestions. No user interaction is needed beyond enabling {% data variables.product.prodname_code_scanning %} on the codebase and creating a pull request.
 The process of generating fixes does not gather or utilize any customer data beyond the scope outlined above. Therefore, the use of this feature is governed by the existing terms and conditions associated with {% data variables.product.prodname_GH_advanced_security %}. Moreover, data handled by {% data variables.product.prodname_code_scanning %} autofix is strictly not employed for LLM training purposes.
For more information on {% data variables.product.prodname_GH_advanced_security %} terms and conditions, see "[AUTOTITLE](/free-pro-team@latest/site-policy/github-terms/github-terms-for-additional-products-and-features#advanced-security){% ifversion fpt %}."{% else %} in the Free, Pro, & Team documentation.{% endif %}
-## Quality of autofix suggestions
+## Quality of suggestions
-{% data variables.product.prodname_dotcom %} uses an automated test harness to continuously monitor the quality of autofix suggestions. This allows us to understand how the autofix suggestions generated by the LLM change as the model develops.
+{% data variables.product.prodname_dotcom %} uses an automated test harness to continuously monitor the quality of suggestions from autofix. This allows us to understand how the suggestions generated by the LLM change as the model develops.
-The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Autofix suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, autofixes generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.
+The test harness includes a set of over 2,300 alerts from a diverse set of public repositories where the highlighted code has test coverage. Suggestions for these alerts are tested to see how good they are, that is, how much a developer would need to edit them before committing them to the codebase. For many of the test alerts, suggestions generated by the LLM could be committed as-is to fix the alert while continuing to successfully pass all the existing CI tests.
In addition, the system is stress-tested to check for any potential harm (often referred to as red teaming), and a filtering system on the LLM helps prevent potentially harmful suggestions being displayed to users.
-### How GitHub tests autofix suggestions
+### How GitHub tests suggestions
-We test the effectiveness of autofix suggestions by merging all suggested changes, unedited, before running {% data variables.product.prodname_code_scanning %} and the repository's unit tests on the resulting code.
+We test the effectiveness of suggestions by merging all suggested changes, unedited, before running {% data variables.product.prodname_code_scanning %} and the repository's unit tests on the resulting code.
 1. Was the {% data variables.product.prodname_code_scanning %} alert fixed by the suggestion?
 1. Did the fix introduce any new {% data variables.product.prodname_code_scanning %} alerts?
@@ -79,24 +79,23 @@ In addition, we spot check many of the successful suggestions and verify that th
 ### Effectiveness on other projects
-The test set contains a broad range of different types of projects and alerts. We predict that autofixes for other projects using languages supported by autofix should follow a similar pattern.
+The test set contains a broad range of different types of projects and alerts. We predict that suggestions for other projects using languages supported by autofix should follow a similar pattern.
 * Autofix is likely to add a code suggestion to the majority of alerts.
-* When developers evaluate the autofix suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
+* When developers evaluate the suggestions we expect that the majority of fixes can be committed without editing or with minor updates to reflect the wider context of the code.
 * A small percentage of suggested fixes will reflect a significant misunderstanding of the codebase or the vulnerability.
 However, each project and codebase is unique, so developers may need to edit a larger percentage of suggested fixes before committing them. Autofix provides valuable information to help you resolve {% data variables.product.prodname_code_scanning %} alerts, but ultimately it remains your responsibility to evaluate the proposed change and ensure the security and accuracy of your code.
 > [!NOTE]
-> Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no autofix suggestion is displayed.
+> Fix generation for supported languages is subject to LLM operational capacity. In addition, each suggested fix is tested before it is added to a pull request. If no suggestion is available, or if the suggested fix fails internal testing, then no suggestion is displayed.
-## Limitations of autofix suggestions
+## Limitations of suggestions
-When you review an autofix suggestion, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling autofix for {% data variables.product.prodname_code_scanning %}. For more information, see "[Mitigating the limitations of autofix suggestions](#mitigating-the-limitations-of-autofix-suggestions)."
+When you review a suggestion from autofix, you must always consider the limitations of AI and edit the changes as needed before you accept the changes. You should also consider updating the CI testing and dependency management for a repository before enabling autofix for {% data variables.product.prodname_code_scanning %}. For more information, see "[Mitigating the limitations of suggestions](#mitigating-the-limitations-of-suggestions)."
-### Limitations of autofix code suggestions
+### Limitations of code suggestions
-* _Programming languages:_ A subset of programming languages is supported. Support for additional languages will be added, but there is no intention to provide support for all {% data variables.product.prodname_codeql %} languages.
 * _Human languages:_ The system primarily uses English data, including the prompts sent to the system, the code seen by the LLMs in their datasets, and the test cases used for internal evaluation. Suggestions generated by the LLM may have a lower success rate for source code and comments written in other languages and using other character sets.
 * _Syntax errors:_ The system may suggest fixes that are not syntactically correct code changes, so it is important to run syntax checks on pull requests.
* _Location errors:_ The system may suggest fixes that are syntactically correct code but are suggested at the incorrect location, which means that if a user accepts a fix without editing the location they will introduce a syntax error.
@@ -104,7 +103,7 @@ When you review an autofix suggestion, you must always consider the limitations
 * _Security vulnerabilities and misleading fixes:_ The system may suggest fixes that fail to remediate the underlying security vulnerability and/or introduce new security vulnerabilities.
 * _Partial fixes:_ The system may suggest fixes that only partially address the security vulnerability, or only partially preserve the intended code functionality. The system sees only a small subset of the code in the codebase and does not always produce globally optimal or correct solutions.
-### Limitations of autofix dependency suggestions
+### Limitations of dependency suggestions
 Sometimes a suggested fix includes a change in the dependencies of the codebase. If you use a dependency management system, any changes will be highlighted automatically for the developer to review. Before merging a pull request always verify that any dependency changes are secure and maintain the intended behavior of the codebase.
@@ -112,9 +111,9 @@ Sometimes a suggested fix includes a change in the dependencies of the codebase.
 * _Unsupported or insecure dependencies:_ The system does not know which versions of an existing dependency are supported or secure.
 * _Fabricated dependencies:_ The system has incomplete knowledge of the dependencies published in the wider ecosystem. This can lead to suggestions that add a new dependency on malicious software that attackers have published under a statistically probable dependency name.
-## Mitigating the limitations of autofix suggestions
+## Mitigating the limitations of suggestions
-The best way to mitigate the limitations of autofix suggestions is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).”
+The best way to mitigate the limitations of suggestions from autofix is to follow best practices. For example, using CI testing of pull requests to verify functional requirements are unaffected and using dependency management solutions, such as the dependency review API and action. For more information, see “[AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review).”
 It is important to remember that the author of a pull request retains responsibility for how they respond to review comments and suggested code changes, whether proposed by colleagues or automated tools. Developers should always look at suggestions for code changes critically. If needed, they should edit the suggested changes to ensure that the resulting code and application are correct, secure, meet performance criteria, and satisfy all other functional and non-functional requirements for the application.
@@ -123,12 +122,13 @@ It is important to remember that the author of a pull request retains responsibi
 {% ifversion code-scanning-autofix %}
 * "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
-* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts)"
+* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request)"
+* "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#generating-suggested-fixes-for-code-scanning-alerts)
 * "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning)"
 {% elsif fpt %}
 * "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts)"
-* [AUTOTITLE](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts) in the {% data variables.product.prodname_ghe_cloud %} documentation
+* [AUTOTITLE](/enterprise-cloud@latest/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests#working-with-autofix-suggestions-for-alerts-on-a-pull-request) in the {% data variables.product.prodname_ghe_cloud %} documentation
 {% endif %}
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
index 79689d42d8..0558062234 100644
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts.md
@@ -23,6 +23,12 @@ You can configure {% data variables.product.prodname_code_scanning %} to check t
 By default, {% data variables.product.prodname_code_scanning %} analyzes your code periodically on the default branch and during pull requests. For information about managing alerts on a pull request, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)."
+{% ifversion code-scanning-autofix %}
+
+You can use autofix to generate fixes automatically for {% data variables.product.prodname_code_scanning %} alerts from {% data variables.product.prodname_codeql %} analysis. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#generating-suggested-fixes-for-code-scanning-alerts)."
+
+{% endif %}
+
 {% data reusables.code-scanning.audit-code-scanning-events %}
 ## About alert details
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md b/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md
index c2803aa98c..bb9877f6a6 100644
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/disabling-autofix-for-code-scanning.md
@@ -13,15 +13,15 @@ topics:
 - AI
 ---
-{% data reusables.rai.code-scanning.beta-autofix %}
+{% data reusables.rai.code-scanning.autofix-note %}
 ## About disabling autofix for {% data variables.product.prodname_code_scanning %}
-{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts in pull requests so they can avoid introducing new security vulnerabilities. To learn more about autofix for code scanning, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
+{% data variables.product.prodname_code_scanning_caps %} autofix is a {% data variables.product.prodname_copilot %}-powered is an expansion of {% data variables.product.prodname_code_scanning %} that provides users with targeted recommendations to help them fix {% data variables.product.prodname_code_scanning %} alerts so they can avoid introducing new security vulnerabilities. To learn more about autofix for {% data variables.product.prodname_code_scanning %}, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)."
 {% data variables.product.prodname_code_scanning_caps %} autofix is allowed by default in an enterprise and enabled for every repository that uses {% data variables.product.prodname_codeql %}, regardless of whether it uses default or advanced setup for {% data variables.product.prodname_code_scanning %}. Administrators at the enterprise, organization and repository levels can choose to opt-out and disable autofix.
-Note that disabling autofix at any level will close all open autofix comments from all open pull requests at the level that was disabled. If autofix is disabled and then subsequently enabled, autofix won't automatically suggest any fixes for pull requests that are already open. The suggestions will only be generated for pull requests that are opened after autofix is enabled, or after re-running {% data variables.product.prodname_codeql %} analysis on existing pull requests.
+Note that disabling autofix at any level will close all open autofix comments. If autofix is disabled and then subsequently enabled, autofix won't automatically suggest fixes for any pull requests that are already open. The suggestions will only be generated for any pull requests that are opened after autofix is enabled, or after re-running {% data variables.product.prodname_codeql %} analysis on existing pull requests.
 ## Blocking use of autofix for an enterprise
@@ -29,7 +29,7 @@ Enterprise administrators can disallow autofix for their enterprise. If you disa
 Note that allowing autofix for an enterprise does not enforce enablement of autofix, but means that organization and repository administrators will have the option to enable or disable autofix.
-Disallowing autofix at the enterprise level will remove all open autofix comments from open pull requests across all repositories of all organizations within the enterprise.
+Disallowing autofix at the enterprise level will remove all open autofix comments across all repositories of all organizations within the enterprise.
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
@@ -40,20 +40,18 @@ Disallowing autofix at the enterprise level will remove all open autofix comment
 If autofix is allowed at the enterprise level, organization administrators have the option to disable autofix for an organization. If you disable autofix for an organization, autofix cannot be enabled for any repositories within the organization.
-Note that disabling autofix at the organization level will remove all open autofix comments from open pull requests across all repositories in the organization.
+Note that disabling autofix at the organization level will remove all open autofix comments across all repositories in the organization.
 {% data reusables.profile.access_org %}
 {% data reusables.profile.org_settings %}
-
 1. In the "Security" section of the sidebar, click **{% octicon "codescan" aria-hidden="true" %} Code security** then **Global settings**.
-
 1. Under the "{% data variables.product.prodname_code_scanning_caps %}" section, deselect **Autofix for {% data variables.product.prodname_codeql %}**. For more information about configuring global {% data variables.product.prodname_code_scanning %} settings, see "[AUTOTITLE](/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization#configuring-global-code-scanning-settings)."
 ## Disabling autofix for a repository
-If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments from all open pull requests across the repository.
+If autofix is allowed at the enterprise level and enabled at the organization level, repository administrators have the option to disable autofix for a repository. Disabling autofix at the repository level will remove all open autofix comments across the repository.
{% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md b/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
index baad3da6e9..c46a8a421c 100644
--- a/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
+++ b/content/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository.md
@@ -116,7 +116,24 @@ Alternatively, to track a {% data variables.product.prodname_code_scanning %} al {% endif %} -## Fixing an alert +{% ifversion code-scanning-autofix %} + +## Generating suggested fixes for {% data variables.product.prodname_code_scanning %} alerts + +{% data reusables.rai.code-scanning.autofix-note %} + +{% data variables.product.prodname_code_scanning_caps %} autofix can generate fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)." + +{% data reusables.repositories.navigate-to-repo %} +{% data reusables.repositories.sidebar-security %} +{% data reusables.repositories.sidebar-code-scanning-alerts %} +1. Click the name of an alert. +1. If autofix can suggest a fix, at the top of the page, click **{% octicon "shield-check" aria-label="Generate fix"%} Generate fix**. +1. Once the suggested fix has been generated, at the bottom of the page, you can click **Create PR with fix** to automatically generate a pull request with the suggested fix. + +{% endif %} + +## Fixing an alert {% ifversion code-scanning-autofix %}manually{% endif %} Anyone with write permission for a repository can fix an alert by committing a correction to the code. If the repository has {% data variables.product.prodname_code_scanning %} scheduled to run on pull requests, it's best to raise a pull request with your correction. This will trigger {% data variables.product.prodname_code_scanning %} analysis of the changes and test that your fix doesn't introduce any new problems. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning)" and "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests)." 
diff --git a/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md index 0171278b26..037ddea8cd 100644 --- a/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md +++ b/content/code-security/code-scanning/managing-code-scanning-alerts/triaging-code-scanning-alerts-in-pull-requests.md @@ -42,6 +42,12 @@ In repositories where {% data variables.product.prodname_code_scanning %} is con {% endnote %} {% endif %} +{% ifversion code-scanning-autofix %} + +{% data variables.product.prodname_code_scanning_caps %} autofix will suggest fixes for alerts from {% data variables.product.prodname_codeql %} analysis in private repositories. For more information on working with suggestions from autofix in pull requests, see "[Working with autofix suggestions for alerts on a pull request](#working-with-autofix-suggestions-for-alerts-on-a-pull-request)." + +{% endif %} + If you have write permission for the repository, you can see any existing {% data variables.product.prodname_code_scanning %} alerts on the **Security** tab. For information about repository alerts, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository)." In repositories where {% data variables.product.prodname_code_scanning %} is configured to scan each time code is pushed, {% data variables.product.prodname_code_scanning %} will also map the results to any open pull requests and add the alerts as annotations in the same places as other pull request checks. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#scanning-on-push)." 
@@ -118,9 +124,9 @@ Anyone with push access to a pull request can fix a {% data variables.product.pr {% ifversion code-scanning-autofix %} -## Working with autofix suggestions for alerts +## Working with autofix suggestions for alerts on a pull request -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts in pull requests. The potential fixes are generated automatically by large language models (LLMs) using data from the codebase, the pull request, and from {% data variables.product.prodname_codeql %} analysis. @@ -135,6 +141,7 @@ When autofix is enabled for a repository, alerts are displayed in pull requests **Notes:** * Autofix supports a subset of {% data variables.product.prodname_codeql %} queries. For information about the availability of autofix, see the query tables linked from "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites#query-lists-for-the-default-query-suites)." * When analysis is complete, all relevant results are published to the pull request at once. If at least one alert in your pull request has an autofix suggestion, you should assume that the LLM has finished identifying potential fixes for your code. +* On alerts generated from queries that are not supported by autofix, you will see a note telling you that the query is not supported. If an autofix suggestion for a supported query fails to generate, you will see a note on the alert prompting you to try pushing another commit or to contact support. {% endnote %} 
@@ -144,11 +151,14 @@ Usually, when you suggest changes to a pull request, your comment contains chang ### Assessing and committing an autofix suggestion -Each autofix suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of autofix suggestions, see "[Limitations of autofix suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning/#limitations-of-autofix-suggestions)" and "[Mitigating the limitations of autofix suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#mitigating-the-limitations-of-autofix-suggestions)" in "About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}." +Each autofix suggestion demonstrates a potential solution for a {% data variables.product.prodname_code_scanning %} alert in your codebase. You must assess the suggested changes to determine whether they are a good solution for your codebase and to ensure that they maintain the intended behavior. For information about the limitations of autofix suggestions, see "[Limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#limitations-of-suggestions)" and "[Mitigating the limitations of suggestions](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#mitigating-the-limitations-of-suggestions)" in "About autofix for {% data variables.product.prodname_codeql %} {% data variables.product.prodname_code_scanning %}." 1. Click **Edit** to display the editing options and select your preferred method. 
- * Select **Edit with codespaces** to open a codespace showing your branch with the suggested fix applied. - * Select **Edit locally with {% data variables.product.prodname_cli %}** to display instructions for applying the suggested fix to any local repository or branch. + * Under **Edit with {% data variables.product.prodname_cli %}**, follow the instructions for checking out the pull request locally and applying the suggested fix. + * Select **Edit FILENAME** to edit the file directly on {% data variables.product.prodname_dotcom %} with the suggested fix applied. +1. Optionally, if you prefer to apply the fix on a local repository or branch, select the {% octicon "copy" aria-hidden="true" %} dropdown menu on the suggestion. + * Select **View autofix patch** to display instructions for applying the suggested fix to any local repository or branch. + * Select **Copy modified line LINE_NUMBER** to copy a specific line of the suggestion. 1. Test and modify the suggested fix as needed. 1. When you have finished testing your changes, commit the changes, and push them to your branch. 1. Pushing the changes to your branch will trigger all the usual tests for your pull request. Confirm that your unit tests still pass and that the {% data variables.product.prodname_code_scanning %} alert is now fixed. diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/c-cpp-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/c-cpp-built-in-queries.md index 5858937291..629d33dee7 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/c-cpp-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/c-cpp-built-in-queries.md 
@@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.cpp %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/csharp-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/csharp-built-in-queries.md index 943ba335f7..fb4c41f28a 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/csharp-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/csharp-built-in-queries.md @@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.csharp %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/go-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/go-built-in-queries.md index 9290762843..2fca7e5a51 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/go-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/go-built-in-queries.md @@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.go %} 
diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/java-kotlin-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/java-kotlin-built-in-queries.md index 7de28cf309..e039a876d4 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/java-kotlin-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/java-kotlin-built-in-queries.md @@ -22,6 +22,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.java %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/javascript-typescript-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/javascript-typescript-built-in-queries.md index 04dbc0c597..df5ef7e9ca 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/javascript-typescript-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/javascript-typescript-built-in-queries.md @@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.javascript %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/python-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/python-built-in-queries.md index 4729b85c93..e4296ede73 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/python-built-in-queries.md 
+++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/python-built-in-queries.md @@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.python %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/ruby-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/ruby-built-in-queries.md index 992dd11314..b2697b2ea2 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/ruby-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/ruby-built-in-queries.md @@ -20,6 +20,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.ruby %} diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/swift-built-in-queries.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/swift-built-in-queries.md index 5762a01355..ba9b9faa31 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/swift-built-in-queries.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/swift-built-in-queries.md @@ -22,6 +22,6 @@ topics: {% data reusables.code-scanning.codeql-query-tables.codeql-version-info %} -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} {% data reusables.code-scanning.codeql-query-tables.swift %} 
diff --git a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md index 669f7b7fb0..9c3882c082 100644 --- a/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md +++ b/content/code-security/securing-your-organization/enabling-security-features-in-your-organization/configuring-global-security-settings-for-your-organization.md 
@@ -79,7 +79,7 @@ You can customize several {% data variables.product.prodname_global_settings %} ### Enabling autofix for {% data variables.product.prodname_codeql %} -You can select **Autofix for {% data variables.product.prodname_codeql %}** to enable autofix for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. Autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts in pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)." +You can select **Autofix for {% data variables.product.prodname_codeql %}** to enable autofix for all the repositories in your organization that use {% data variables.product.prodname_codeql %} default setup or {% data variables.product.prodname_codeql %} advanced setup. Autofix is a {% data variables.product.prodname_copilot %}-powered expansion of {% data variables.product.prodname_code_scanning %} that suggests fixes for {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)." {% endif %} diff --git a/content/code-security/security-overview/viewing-security-insights.md b/content/code-security/security-overview/viewing-security-insights.md index 1825cbec7b..75832fd75d 100644 --- a/content/code-security/security-overview/viewing-security-insights.md +++ b/content/code-security/security-overview/viewing-security-insights.md 
@@ -152,11 +152,11 @@ Alerts that are reopened and re-closed during the chosen time period are ignored ### Autofix suggestions -{% data reusables.rai.code-scanning.beta-autofix %} +{% data reusables.rai.code-scanning.autofix-note %} -Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts in pull requests. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)." +Autofix, powered by {% data variables.product.prodname_copilot %}, is an expansion of {% data variables.product.prodname_code_scanning %} that provides you with targeted recommendations to help you fix {% data variables.product.prodname_code_scanning %} alerts. For more information, see "[AUTOTITLE](/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning)." -The "Autofix suggestions" metric is the total number of Autofix suggestions generated in open and closed pull requests during the chosen time period. +The "Autofix suggestions" metric is the total number of autofix suggestions generated in open and closed pull requests during the chosen time period. {% endif %} diff --git a/data/reusables/rai/code-scanning/autofix-note.md b/data/reusables/rai/code-scanning/autofix-note.md new file mode 100644 index 0000000000..3272bb7f8c --- /dev/null +++ b/data/reusables/rai/code-scanning/autofix-note.md 
@@ -0,0 +1,6 @@ +{% ifversion code-scanning-autofix or fpt %} + +> [!NOTE] +> {% data variables.product.prodname_dotcom %} autofix for {% data variables.product.prodname_code_scanning %} is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to alerts identified by {% data variables.product.prodname_codeql %} for private and internal repositories. If you have an enterprise account and use {% data variables.product.prodname_GH_advanced_security %}, your enterprise has access to the beta. + +{% endif %} diff --git a/data/reusables/rai/code-scanning/beta-autofix.md b/data/reusables/rai/code-scanning/beta-autofix.md deleted file mode 100644 index 6438952a51..0000000000 --- a/data/reusables/rai/code-scanning/beta-autofix.md +++ /dev/null @@ -1,6 +0,0 @@ -{% ifversion code-scanning-autofix or fpt %} - -> [!NOTE] -> {% data variables.product.prodname_dotcom %} autofix for {% data variables.product.prodname_code_scanning %} is in beta. Functionality and documentation are subject to change. During this phase, the feature is restricted to C#, C/C++, Go, Java/Kotlin, JavaScript/TypeScript, Python, and Ruby alerts identified by {% data variables.product.prodname_codeql %} for private and internal repositories. If you have an enterprise account and use {% data variables.product.prodname_GH_advanced_security %}, your enterprise has access to the beta. - -{% endif %} diff --git a/data/variables/code-scanning.yml b/data/variables/code-scanning.yml index 6cff5b42f7..386a8991ac 100644 --- a/data/variables/code-scanning.yml +++ b/data/variables/code-scanning.yml 
@@ -13,8 +13,10 @@ no_build_support: 'Java{% ifversion codeql-no-build-csharp %} and C#{% endif %}' compiled_languages: 'C/C++, C#, {% ifversion codeql-go-autobuild %} Go,{% endif %} {% ifversion codeql-swift-beta %} Java, and Swift{% else %} and Java{% endif %}' # List of languages where the libraries support expansion using CodeQL model packs at the repository level. - codeql_model_packs_support: '{% ifversion fpt or ghec or ghes > 3.12 %}C#, Java/Kotlin, and Ruby{% elsif ghes > 3.10 %}Java/Kotlin{% endif %}' # List of that allow threat models to be configurable for code scanning code_scanning_threat_model_support: 'Java/Kotlin{% ifversion fpt or ghec or ghes > 3.12 %} and C#{% endif %}' + +# List of languages that Copilot Autofix Agent supports +code_scanning_autofix_languages: ' C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, and Ruby' diff --git a/src/code-scanning/scripts/generate-code-scanning-query-list.ts b/src/code-scanning/scripts/generate-code-scanning-query-list.ts index b19f85c3fe..8b8902d0bb 100644 --- a/src/code-scanning/scripts/generate-code-scanning-query-list.ts +++ b/src/code-scanning/scripts/generate-code-scanning-query-list.ts 
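Review bot: The new `code_scanning_autofix_languages` value begins with a space inside the quotes, so any page that interpolates the variable will render a stray space before "C#"; the line should read `code_scanning_autofix_languages: 'C#, C/C++, Go, Java/Kotlin, Swift, JavaScript/TypeScript, Python, and Ruby'`. The comment above it calls the feature "Copilot Autofix Agent" while every other file in this commit says "autofix", so `# List of languages that autofix for CodeQL supports` would keep the naming consistent. This list replaces the language enumeration dropped from the old beta note and the `AUTOFIX_SHIPPED_LANGUAGES` constant removed from the generator script, so it is now the only place the shipped set is recorded; a short comment saying it must be updated by hand when a language ships would help the next editor.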
@@ -58,28 +58,6 @@ import { program } from 'commander'
 import { getSupportedQueries } from '@github/cocofix/dist/querySuites.js' // eslint-disable-line import/no-extraneous-dependencies
 import { type Language } from '@github/cocofix/dist/codeql' // eslint-disable-line import/no-extraneous-dependencies
 
-/**
- * The list of languages for which autofix support has (publicly) shipped.
- *
- * We don't want to add documentation about autofix support for languages that have not shipped.
- *
- * Note that this is conceptually different from the list of languages for which we support autofix:
- * some languages are supported, but only staff-shipped internally (currently, `go` and `ruby`).
- *
- * Supporting a language is a technical decision, and reflected in the list of supported queries
- * returned by `getSupportedQueries`. Shipping a language, on the other hand, is a product decision,
- * and is implemented by a feature flag in the monolith, so we cannot easily check it here.
- *
- * Instead we hard-code the list of shipped languages here and manually keep it in sync with
- * https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-autofix-for-codeql-code-scanning#supported-languages.
- * This sounds worse than it is, since CodeQL only supports a total of eight languages
- * and we are on track to ship autofix support for all of them in the next few months.
- *
- * Note that we never publicly ship a language for which we don't have autofix support, so if a language
- * has been shipped, we know for sure that it is supported.
- */
-const AUTOFIX_SHIPPED_LANGUAGES = ['csharp', 'java', 'javascript', 'python', 'go', 'ruby', 'cpp']
-
 program
   .description('Generate a reusable Markdown for for a code scanning query language')
   .option('--verbose', 'Verbose outputs')
@@ -213,20 +191,14 @@ async function main(options: Options, language: string) {
     return a.name.localeCompare(b.name)
   })
 
-  // Omit the 'Autofix' column if the language has not been shipped
-  const includeAutofix = AUTOFIX_SHIPPED_LANGUAGES.includes(language)
-  console.warn(`${includeAutofix ? 'Including' : 'Excluding'} 'Autofix' column for ${language}`)
-  printQueries(options, entries, includeAutofix)
+  printQueries(options, entries)
 }
 
-function printQueries(options: Options, queries: QueryExtended[], includeAutofix: boolean) {
+function printQueries(options: Options, queries: QueryExtended[]) {
   const markdown: string[] = []
   markdown.push('{% rowheaders %}')
   markdown.push('') // blank line
-  const header = ['Query name', 'Related CWEs', 'Default', 'Extended']
-  if (includeAutofix) {
-    header.push('Autofix')
-  }
+  const header = ['Query name', 'Related CWEs', 'Default', 'Extended', 'Autofix']
   markdown.push(`| ${header.join(' | ')} |`)
   markdown.push(`| ${header.map(() => '---').join(' | ')} |`)
 
@@ -238,10 +210,7 @@ function printQueries(options: Options, queries: QueryExtended[], includeAutofix
     const defaultIcon = query.inDefault ? includedOcticon : notIncludedOcticon
     const extendedIcon = query.inExtended ? includedOcticon : notIncludedOcticon
     const autofixIcon = query.inAutofix ? includedOcticon : notIncludedOcticon
-    const row = [markdownLink, query.cwes.join(', '), defaultIcon, extendedIcon]
-    if (includeAutofix) {
-      row.push(autofixIcon)
-    }
+    const row = [markdownLink, query.cwes.join(', '), defaultIcon, extendedIcon, autofixIcon]
     markdown.push(`| ${row.join(' | ')} |`)
   }
   markdown.push('') // blank line
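Review bot: `printQueries` now emits the "Autofix" column for every language with no documentation of where its content comes from, now that the shipped-language gate and its explanatory comment are gone; the column is filled from `query.inAutofix`, so the generated tables publish autofix support for whatever `getSupportedQueries` reports, and there is no longer any check that this agrees with the language list maintained by hand in `data/variables/code-scanning.yml`. A TSDoc block on the new `printQueries` signature should say that the Autofix column reflects `getSupportedQueries` output and that the documented language list must be kept in sync manually, since the earlier comment that explained the supported-versus-shipped distinction was removed in the preceding hunk. The `console.warn` line that announced which table was being generated is also dropped, so the script no longer reports its per-language decision on stderr; if that output was used when reviewing generated tables, a one-line `console.warn(\`Generating query table for ${language}\`)` in `main` would restore it. If `language` in `main` was consumed only by the removed gate it is now an unused parameter, though its use earlier in `main` cannot be confirmed from here because the body of `main` starts outside the hunk; the body of `printQueries` continues outside both hunks.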