[Public Preview] Security Campaigns w/ Copilot Autofix 🧑‍💻

[ghostinhershell]

🔒 We’re excited to unveil two new Code Security features that will elevate your development experience! These enhancements are designed to help you identify and address vulnerabilities more efficiently, ensuring your code remains secure. Get ready to take your security practices to the next level—read on to learn more about these game-changing additions!

Security campaigns with Copilot Autofix are now in public preview

🚀 Exciting news! We’re thrilled to announce the public preview of Security Campaigns featuring Copilot Autofix!

Security campaigns help users of GitHub Advanced Security rapidly reduce their backlog of application security debt. By leveraging Copilot Autofix to generate contextual explanations and code suggestions for up to 1,000 historical code scanning alerts at a time, security campaigns help developers and security teams collaborate to fix vulnerabilities with speed and confidence.

Read more here

Copilot Autofix now supports partner code scanning tools

🌟 Great news! Copilot Autofix for Code Scanning now supports fix suggestions for problems detected by ESLint, expanding your ability to streamline security fixes. Autofixes are available both in pull requests and for historical alerts.

ESLint is the first partner tool supported by Copilot Autofix. Support for additional partner tools, such as JFrog SAST and Black Duck’s Polaris™ platform powered by Coverity®, will be announced by future changelogs when available.

Read more here.

---

🔐 Security is a topic that’s always in motion: Jump into the conversation with our GitHub Universe 2024 speakers by checking out these sessions:

• Go big! Efficiently deploy and customize security tooling at enterprise scale
• Enterprise Code Security 101: Getting started with GitHub Advanced Security (Universe 2024 Workshop 🪐 )
• Why (and how) IKEA, WirelessCar, and SAP adopted GitHub Advanced Security
• Tackling supply chain vulnerabilities with Dependabot [SEC1968D]
• Real talk on navigating code security in the age of AI

🚀 Interested in learning more about the Code Security Community here at GitHub? Check out our latest community check-in: Behind the Firewall: Checking into the Code Security Community 🤖🪐.

🧠 Looking to up-level your own security knowledge? Take the GitHub Advanced Security certification. We even have a prep course on the community to help you study!

[ghostinhershell]

For information about Advanced Security features that are in development, see GitHub Public Roadmap. For an overview of all security features, see GitHub Security Features. 🚀

[audunsolemdal]

Feature request

Since security campaigns focuses on CodeQL issues with the attribute autofix:supported I think it makes sense to be able to support generation of PRs / branches automatically or on demand via the security campaign GUI. This way we wouldn't have to go into one and one alert just to press "create branch" --> "create PR"

API support for generating branches / PRs on suggested fixes would also be useful

[jf205]

@audunsolemdal thanks so much for the feedback about your experiences with security campaigns ❤️

As you say, we don't yet support automatically generated PRs at scale yet, but we do make it easier to create PRs for multiple alerts directly from the campaigns UI in a specific repository. We have some docs on that here. Using this functionality you can easily group similar alerts into a single PR to make the fixes easier to review. Would that help you here?

[audunsolemdal]

That improves the workflow for sure.

I am wondering what triggers Copilot Autofix to generate code, is this when the security campaign is created, or go in and view the details of a security alert which supports autofix? IIRC this behaviour must have changed after release, didn't we use to have to manually request for copilot autofix like this:

While now we get this automatically after a security campaign is generated(?)

Anyway if the behaviour is

1. create campaign --> Copilot autofix automatically starts generating suggestions
2. group one or more alerts into a branch --> PR

I would say that is a pretty good workflow!

Beyond Security Campaigns, perhaps the "local" CodeQL workflow could be more streamlined. Put simply: The security campaign feature seems great, but it requires someone at the org level to initiate and adjust. If some teams want to initiate fixing CodeQL issues on their own (which they often do in my org), the workflow for autofixing CodeQL alerts seems to be fra less streamlined than when a security campaign is active in the repo.

E.g. When you go into the regular Code scanning, without a security campaign:

• searching for the autofix:supported tag is not supported.
• You have to go into specific alerts and click "Generate fix" manually
• I am not able to see a central method of grouping alerts together into branches PRs without going into one alert at a time

[jf205]

Thanks for the reply!

1. create campaign --> Copilot autofix automatically starts generating suggestions
2. group one or more alerts into a branch --> PR

I would say that is a pretty good workflow!

Yes, this is how it works: when you press 'Create campaign' Copilot Autofix attempts to suggest fixes for all alerts that are autofix:supported and the fix suggestions will become available a little while after (exact timing depends on how many fixes are being requested during any given time period).

The security campaign feature seems great, but it requires someone at the org level to initiate and adjust.

You are right about this. With lots of our users we commonly see that it's the security team who leads with prioritization and decision making about which alerts should be fixed and when -- that's why for the public preview of security campaigns only org owners or security managers (docs) are able create campaigns.

If some teams want to initiate fixing CodeQL issues on their own (which they often do in my org), the workflow for autofixing CodeQL alerts seems to be fra less streamlined than when a security campaign is active in the repo.

This is really valuable feedback too ❤️. We are learning more and more about how developer teams can sometimes take the lead with prioritizing the remediation of security alerts, so we will definitely consider how we streamline the autofix creation flow for outside the security team too.

[eyitemi-paystack]

Feature Request

I'm excited about the recent launch GitHub Security Campaigns with Copilot Autofix. However, it would greatly enhance our workflow if there was an option to create Jira tickets automatically from the newly created campaign. This feature would streamline tracking and remediation by directly linking issues between GitHub and our project management in Jira, allowing us to monitor progress and manage resolutions more effectively.

Additionally, I’d appreciate guidance on accessing a list of all security scanning alerts that Copilot Autofix can address. I can't seem to figure out a way to see this right now and This functionality would enable us to prioritize and target areas where automated fixes are available, significantly improving efficiency.

Thank you for considering these suggestions to improve integration and usability!

[jf205]

HI @eyitemi-paystack 👋🏻. Glad to see you are excited about using security campaigns with Copilot Autofix!

Additionally, I’d appreciate guidance on accessing a list of all security scanning alerts that Copilot Autofix can address

You can use the autofix:supported filter in the org-level list of code scanning alerts to filter only the alerts that are eligible for Copilot Autofix suggestions. There are some docs about some of the other useful filters you can use here.

it would greatly enhance our workflow if there was an option to create Jira tickets automatically from the newly created campaign.

Good to know, thanks. A few questions:

• When you say you'd like automated ticket creation, Do you mean one ticket per campaign. or one ticket per alert?
• Does your team also use GitHub issues or do you do all work tracking in Jira?
• Similarly, does your team use GitHub notifications or emails to track activities in their repos?
• Do you have any other communication channels you use (e.g. on Slack/Team) that would be useful to include in the campaigns UI to help coordinate/track campaign activities?