Grit automatically fixes technical debt by combining static analysis and machine learning to generate pull requests that clean up code and migrate to the latest frameworks.
How Grit.io can help you:Â
Why choose Grit.io: Key featuresÂ
Who should choose Grit.io:
Categories
GitHub rolls out AI-powered Autofix Copilot to catch and fix vulnerabilities in code - SiliconANGLE
GitHub rolls out AI-powered Autofix Copilot to catch and fix vulnerabilities in code In a "move fast and break things" world, Microsoft Corp.'s GitHub today announced the launch of a new way, using artificial intelligence, to move fast while fixing problems during software development before they become bigger issues down the line. The company said Autofix Copilot, an AI-powered vulnerability remediation tool in GitHub Advanced Security, is now generally available. Originally introduced in public beta test in March, the tool uses advanced generative AI during pull requests to detect vulnerabilities in new code and offers solutions to fix problems before they're pushed into production. "Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply," said Mike Hanley, chief security officer and senior vice president of engineering at GitHub. "In other words, finding vulnerabilities isn't the problem. Fixing them is." Autofix works similarly to the company's AI-powered co-assistance tool Copilot, which helps developers generate software quickly. The tool operates alongside software developers like a security expert partner that can scan through existing code, detect vulnerabilities and provide on-point explanations as to why a piece of code is problematic, alongside a fix that will resolve the problem. According to GitHub, based on customer data during the beta release of the product between May and July, customers saw excellent results in reducing the time needed to detect issues and fix them. The company said that overall, the median time to automatically commit a fix from pull-request alerts became three times faster with Autofix at 28 minutes, compared with 1.5 hours when done manually. Specific vulnerabilities such as cross-site scripting saw fixes happen even faster, the company claimed: 22 minutes using Copilot, compared with 2.8 hours manually, and 18 minutes using the AI-tool, compared with 3.7 hours for SQL injection. "Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," said Kevin Cooper, principal engineer at American healthcare technology provider Optum Inc. "In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation." The ideal importance of Autofix is that it doesn't just provide meaningful fixes and remediation for vulnerabilities in scanned code as developers go about their everyday work, Hanley said. Developers who aren't necessarily security experts can rely on it to explain why its recommendation is necessary and how to implement the fix properly. That makes the AI tool not just a simple scanning device that's part of developers' arsenal in cybersecurity, but a way to upgrade their security awareness overall. Under the hood, Autofix uses a specialized code scanning engine called CodeQL in combination with OpenAI's flagship AI model GPT-4o to generate code fix suggestions. It can work with large swaths of internal private enterprise codebases provided by users and open-source code libraries. "As the global home of the open-source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open-source software is safer and more reliable for everyone," said Hanley.
SiliconANGLE
Wed, 14 Aug, 6:06 PM UTC
GitHub taps AI to eradicate software vulnerabilities with Copilot-powered security updates
With Copilot Autofix, developers and security teams can keep new vulnerabilities out of code and confidently remediate their backlog security debt GitHub, the world's leading AI-powered developer platform, announced the general availability of AI-powered remediation with Copilot Autofix in GitHub Advanced Security (GHAS). Copilot Autofix analyses vulnerabilities in code, explains why they matter, and offers code suggestions that help developers fix vulnerabilities as fast as they are found. During the public beta, GitHub found that developers were fixing code vulnerabilities more than three times faster than those who do so manually, a powerful example of how AI agents can radically simplify and accelerate secure software development. Developers can keep new vulnerabilities out of their code with Copilot Autofix in the pull request, and now also pay down the backlog of security debt by generating fixes for existing vulnerabilities. "Code scanning tools detect vulnerabilities, but they don't address the fundamental problem: remediation takes security expertise and time, two valuable resources in critically short supply. In other words, finding vulnerabilities isn't the problem. Fixing them is," said Mike Hanely, CSO and SVP of Engineering at GitHub. "With Copilot Autofix, we are one step closer to our vision where a vulnerability found means a vulnerability fixed," Hanely added. Since its introduction in public beta in March 2024, developers have used Copilot Autofix in their pull requests to help them quickly fix vulnerabilities in new code before they get merged to production where they can impact customers. Fixes can be generated for dozens of classes of code vulnerabilities, such as SQL injection and cross-site scripting, which developers can dismiss, edit, or commit in their pull request. Based on customer data from public beta between May through July 2024, Copilot Autofix has already shown dramatic reductions in the amount of time between detection and successful remediation: 3x faster. Overall, the median time for developers to use Copilot Autofix to automatically commit the fix for a pull request-time alert was 28 minutes, compared to 1.5 hours to resolve the same alerts manually.7x faster. Cross-site scripting vulnerabilities: 22 minutes, compared to almost three hours.12x faster. SQL injection vulnerabilities: 18 minutes, compared to 3.7 hours. Early users of Copilot Autofix have also reported dramatic improvements in efficiency and productivity. "Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity," says Kevin Cooper, principal engineer at Optum. "In the healthcare space, where security is critical, it helps us act on proven industry solutions quickly. This proactive approach to security helps us prevent potential issues, saving thousands of hours per month that would otherwise be spent on remediation." Just as GitHub Copilot helps developers code more quickly, Copilot Autofix accelerates the pace of remediation so security teams make real progress with the backlog of existing vulnerabilities, commonly known as security debt. When a developer is asked to fix vulnerabilities in code that they haven't seen in a while or aren't familiar with, it can take hours to assess the surrounding code and experiment with manual fixes. Copilot Autofix dramatically reduces this burden so developers can fix old vulnerabilities with more speed and confidence. Here's how it works. To initiate Copilot Autofix for vulnerabilities in existing code, a developer simply presses the "Generate fix" button on an alert in the GHAS code scanning alert. Copilot Autofix assesses the code and the vulnerability and returns an explanation and code suggestion for review. The developer can then press the "Create PR with fix" button to create a new pull request which includes code changes to fix the alert. With Copilot Autofix, teams can pay down years' worth of security debt-even those hard-to-prioritise low- and moderate-severity alerts-in just a matter of a few clicks. Behind the scenes, Copilot Autofix leverages the CodeQL engine, GPT-4o, and a combination of heuristics and GitHub Copilot APIs to generate code suggestions. Copilot Autofix builds an LLM prompt based on sources including CodeQL analysis and short snippets of code around the flow path. As the global home of the open source community, GitHub is uniquely positioned to help maintainers detect and remediate vulnerabilities so that open source software is safer and more reliable for everyone. GitHub believes that it's highly important to be both a responsible consumer of open source software and contributor back to it, which is why open source maintainers can already take advantage of GitHub's code scanning, secret scanning, dependency management, and private vulnerability reporting tools at no cost. Starting in September, GitHub will add Copilot Autofix in pull requests to this list and offer it for free to all open source projects. From GitHub Copilot Workspace to GHAS, GitHub is championing a future where AI doesn't just assist but helps transform businesses, from productivity and innovation to security and risk reduction. Within GHAS, GitHub is leveraging AI not only to help fix vulnerabilities in code, but also to improve the scope and accuracy of secret scanning, and with new workflows that scale Copilot Autofix for organisations with a high volume of security debt, all on the familiar platform that developers already know and love. About GitHub As the global home for all developers, GitHub is the world's leading AI-powered developer platform to build, scale, and deliver secure software. Over 100 million people, including developers from 90 of the Fortune 100 companies, use GitHub to build amazing things together across 420+ million repositories. With all the collaborative features of GitHub, it's never been easier for individuals and teams to write faster, better code.
CXOToday.com
Mon, 19 Aug, 2:08 PM UTC
How to Revive and Restructure Codebase with AI
A codebase can become messy and hard to manage over time. This happens because of quick fixes, outdated features, or just not enough time to clean things up. When code becomes difficult to read or change, it slows down progress and can even cause bugs. To keep a codebase healthy and easy to work with, you'll need to take care of it. Improving and organizing old code can feel like a big task, but there are tools and methods that can make it easier. This guide will show how to refresh your codebase step by step which will make it simpler to work with and less likely to cause issues. Code reviews are essential for catching issues early, improving readability, and ensuring long-term maintainability. Reviewing your own code or someone else's involves more than just scanning for errors - you'll also want to make sure each part is clear, efficient, and follows good practices. Here's a step-by-step approach to help you review code effectively, with practical strategies, tools, and what to look for during the process. There are a number of tools out there that can help streamline your code reviews, whether you're checking your own code or collaborating with others: Linters check for syntax errors, code smells, and style guide violations. They are especially useful for catching minor issues, like inconsistent formatting or unused variables. We will discuss ESLint more in an upcoming section. These tools analyze code for deeper issues like security vulnerabilities, code duplication, and complex functions that might need refactoring. Running tests can verify that code changes don't introduce new bugs. Use testing frameworks like Jest for JavaScript, PyTest for Python, or JUnit for Java to confirm your code behaves as expected. Let's say you encounter a long function with multiple responsibilities. The goal is to split it into smaller, focused functions. Here's how you can do that: Breaking down the process into smaller functions makes the code cleaner, more readable, and easier to test. Each function now has a single responsibility, which helps reduce bugs and makes future updates simpler. Technical debt refers to the accumulation of issues within a codebase that arise when development shortcuts are taken, often to meet tight deadlines or speed up releases. While these shortcuts may enable quicker progress initially, they lead to complications down the line. Technical debt requires proactive management. If you leave it unchecked, it can reduce productivity, create bugs, and slow down development. Think of technical debt like financial debt: taking on debt can be helpful in the short term, but failing to address it or pay it down will lead to greater challenges. Common causes of technical debt include: Technical debt manifests in different ways. Here are some common examples: 1. Code Duplication: Repeated code across multiple places within a project can lead to inconsistencies, as fixing an issue or updating a feature in one area may not carry over to others. Refactoring duplicate code into reusable functions or components is an effective way to reduce this debt. Example: In a web application, you might find similar code for user authentication scattered across different modules. Instead, centralizing this logic into a single authentication module ensures consistent updates. 2. Outdated Dependencies and Frameworks: Using old libraries or frameworks can slow down development and introduce security vulnerabilities. Over time, dependencies may lose support or become incompatible with new features, making them costly to maintain. Solution: Regularly update libraries and frameworks, and monitor for deprecations or vulnerabilities. This can be streamlined by using dependency managers, which help check for updates and security patches. 3. Complex, Long Functions with Multiple Responsibilities: Large, complex functions that handle multiple tasks are difficult to understand, test, and modify. Known as "God functions," these make debugging cumbersome and increase the risk of introducing new bugs. Solution: Follow the Single Responsibility Principle (SRP). This means that each function or method should accomplish one task. Breaking down large functions into smaller, focused units makes the code easier to read and test. Code that lacks proper error handling can lead to bugs and unexpected behavior, especially in larger systems. Without clear error messages, diagnosing and fixing issues can be challenging. Solution: Include comprehensive error handling and ensure that meaningful error messages are displayed. Log errors in a way that helps developers track and diagnose issues. 5. Hardcoded Values: Hardcoding values directly into code makes it difficult to adjust settings without modifying the source code. For example, using fixed URLs or credentials directly in the codebase can create security risks and maintenance headaches. Solution: Use configuration files or environment variables to store values that might change. This improves security and allows for easy updates. 6. Lack of Documentation and Testing: Documentation and testing are often neglected when time is short. But without proper documentation and test coverage, the code becomes challenging to understand and validate, slowing down development and increasing the risk of bugs. Solution: Implement test-driven development (TDD) or include time in the development cycle for creating documentation and writing tests. Aim for at least basic test coverage for critical paths and functions. Identifying technical debt is crucial if you want to address and improve it. Here are some strategies you can follow: Here's a practical example to demonstrate how refactoring can help address technical debt, specifically by removing code duplication. Let's say we have two functions that send different types of emails but use repeated code: Each function has a similar structure, so refactoring can make the code cleaner and reduce duplication. This example demonstrates how consolidation can reduce repetition and make the code more flexible. Proactively managing technical debt helps reduce it over time. Here are ways to avoid accumulating more debt: Code quality tools can help you find issues that might not be obvious. They can point out things like unused variables, code that's hard to read, or security problems. Popular tools include for , for , and for different programming languages. Here's how to set up a simple code check with ESLint: ESLint can automatically fix some issues for you. To do this, use the flag: This command will automatically correct issues like indentation, unused variables, and missing semicolons where possible. But it's important to review the changes to ensure they align with your intended functionality. Reviewing code, spotting technical debt, and using quality tools help keep the codebase healthy. If you follow these steps, your project will be easier to manage and less likely to break. Using AI tools to restructure code makes improving code quality much faster and easier. These tools help find issues, suggest changes, and can even automate some parts of the refactoring process. I'll share some AI tools that can help you with code analysis, refactoring, and dependency management, based on my own experience and what I've found useful. AI-powered tools are becoming more common, and they offer different ways to boost code quality and simplify refactoring. Here are some I've found helpful: GitHub Copilot is like a coding assistant that provides smart suggestions as you write code. It can complete code snippets, suggest new functions, and help rework existing code to make it more efficient. I've found it useful for writing repetitive code blocks or coming up with quick refactorings. For example, let's say you need to rewrite a function to be more efficient: GitHub Copilot might suggest optimizing the function like this: The updated version checks factors only up to the square root of , making it faster for large numbers. QodoGen provides automated suggestions for refactoring and can detect common code issues, like unused variables or large functions doing too many tasks. It also helps split complex code into smaller, more manageable pieces and can explain sections of the code base or the entire codebase which will facilitate the restructuring process. This tool is capable of doing this because, unlike other AI assistants and general purpose code generation tools, Qodo focuses on code integrity, while generating tests that help you understand how your code behaves. This can help you discover edge cases and suspicious behaviors, and make your code more robust. For example, if you have a function handling multiple tasks, QodoGen might suggest breaking it down: Separating the steps makes the code easier to maintain and test. ChatGPT can act as a helpful companion when working on code restructuring tasks. Arguably the most used coding assistant, it provides advice on refactoring strategies, explains how to implement changes, or offers example snippets. It's like having an expert to consult whenever you need guidance or ideas. For instance, if you're unsure how to optimize a function or restructure a class, ChatGPT can provide sample code or describe best practices. You can also ask it for help with understanding errors or fixing specific problems in your code. Just make sure you double-check the code it provides (same goes for all these AI assistants) as it can hallucinate and make mistakes. AI tools not only assist with writing code but also with analyzing it for quality improvements: SonarQube scans the code to detect bugs, vulnerabilities, and code smells. It generates reports with suggestions on what to fix, helping maintain a healthy codebase. This tool integrates with Visual Studio and offers automatic refactoring options. It highlights code that can be simplified or cleaned up and suggests ways to optimize the codebase. AI tools like DepCheck help find unused dependencies in JavaScript projects, keeping package files clean. Using AI tools like GitHub Copilot, QodoGen, and ChatGPT speeds up the process of code restructuring. They provide suggestions that save time and catch issues early, making the code easier to maintain. Combining these tools with automated analysis tools like SonarQube and ReSharper ensures all aspects of the codebase are covered, from quality checks to refactoring. These AI tools have other features that facilitate this process: for example, they all have a chat feature that lets you ask questions and get replies about your code and any best practices you should be following. Also, QodoGen allows you to add parts of or the whole codebase for context with the click of a button, along with other features for test generation and pull request reviews. When restructuring your codebase, having a variety of AI tools can make the process smoother and more efficient. This is AI usage at its best. Version control keeps track of code changes, making it easier to manage updates, collaborate with others, and fix issues. Following some best practices can help maintain a clean and organized codebase. Let's look at how to manage code changes, track updates, and ensure quality through code reviews. Git branching helps keep different versions of the code separate, allowing multiple developers to work without affecting the main codebase. Here are some common strategies: Feature branches allow developers to work on a new feature without changing the main codebase. Each feature gets its own branch, and once complete, it can be merged into the main branch. This strategy involves using multiple branches for different stages of development, such as feature, develop, and release. It separates development work and allows smoother integration and deployment. Example: Documenting code changes helps keep the team informed and makes it easier to understand what was done later. Here are some tips for tracking updates: Commit messages should explain what was changed and why. A clear message helps others know the purpose of each update. Example: Tags can be used to label important points in the project's history, such as release versions. This makes it easier to find stable versions of the code. A changelog lists the changes made in each version, helping developers and users see what was updated or fixed. Example format for a changelog: Code reviews help catch errors, share knowledge, and ensure code stays clean and maintainable. Here are some practices to follow for effective code reviews: Smaller changes are easier to review, making it more likely to spot mistakes. Large changes can be broken down into smaller parts. Pull requests create a space for discussion around changes. Team members can review the changes, suggest improvements, and approve the updates. Code reviews should aim to improve the code without discouraging the developer. Suggest better ways to solve problems and explain the reasoning. Example comments during a code review: Using these practices helps ensure code changes are managed effectively, updates are well-documented, and the quality of the codebase remains high. Regular code reviews and proper branching strategies make it easier for teams to collaborate and keep the project on track. Reviving and restructuring a codebase can seem like a big task, but taking small, planned steps makes it manageable. Start by checking the current state of the code and making a list of areas that need work. Set clear goals and create a plan to improve the code, step by step. Using the tools we discussed here can help find issues, suggest changes, and even automate some tasks. Version control practices, such as branching strategies and code reviews, keep changes organized and ensure the quality stays high. With a solid approach, even the messiest codebase can become clean, efficient, and easier to work with.
freeCodeCamp
Tue, 29 Oct, 6:32 PM UTC
GitHub rolls out new tool to fix code errors even before you see them
GitHub has announced the general availability of Copilot Autofix within its GitHub Advanced Security (GHAS) suite, designed to prevent new vulnerabilities from entering code before you even see them. The tool, announced by Chief Security Officer Mike Hanley in a blog post, will also tackle existing vulnerabilities in code, which was previously unmanageable without automation. Besides identifying code vulnerabilities, Copilot Autofix also promises to explain their significance and offer automated code suggestions to fix them. According to the company's research, the tool has already proven to be around three times more efficient than doing the process manually. Early adopters like Optum and Otto Group have also reported saving thousands of hours monthly on remediation tasks. Kevin Cooper, Principal Engineer at Optum, commented: "Since implementing Copilot Autofix, we've observed a 60% reduction in the time spent on security-related code reviews and a 25% increase in overall development productivity." In the announcement, Hanley was proud to highlight Copilot Autofix's ability to address the backlog of security debt - vulnerabilities that linger in software for extended periods, often going unnoticed. Tackling these types of vulnerabilities can significantly reduce the risk of costly security breaches. Hanley added: "Vulnerabilities can live forever, and the longer they've remained dormant, the harder and more expensive they are to fix." In addition to serving enterprise customers, GitHub will offer the tool to the open-source community for no cost from September 2024. Maintainers will be able to enhance the security of their own software, which aligns with the Microsoft-owned company's commitment to creating a safer software scene. Hanley concluded by stating that "AI agents can help relieve much of the burden" in a world of limited security talent, adding that Copilot Autofix will help ensure that "a vulnerability found means a vulnerability fixed."
TechRadar
Fri, 16 Aug, 12:04 PM UTC
CodeRabbit raises $16M to bring AI to code reviews | TechCrunch
Code reviews -- peer reviews of code that help devs improve code quality -- are time-consuming. According to one source, 50% of companies spend two to five hours a week on them. Without enough people, code reviews can be overwhelming and take devs away from other important work. Harjot Gill thinks that code reviews can be largely automated using artificial intelligence. He's the co-founder and CEO of CodeRabbit, which analyzes code using AI models to provide feedback. Prior to starting CodeRabbit, Gill was the senior director of technology at datacenter software company, Nutanix. He joined the company when Nutanix acquired his startup, Netsil, in March 2018. CodeRabbit's other founder, Gur Singh, previously led dev teams at white-label healthcare payments platform, Alegeus. According to Gill, CodeRabbit's platform automates code reviews using "advanced AI reasoning" to "understand the intent" behind code and deliver "actionable," "human-like" feedback to devs. "Traditional static analysis tools and linters are rule-based and often generate high false-positive rates, while peer reviews are time-consuming and subjective," Gill told TechCrunch. "CodeRabbit, by contrast, is an AI-first platform." These are bold claims with a lot of buzzwords. Unfortunately for CodeRabbit, anecdotal evidence suggests that AI-powered code reviews tend to be inferior compared to human-in-the-loop ones. In a blog post, Graphite's Greg Foster talks about internal experiments to apply OpenAI's GPT-4 to code reviews. While the model would catch some useful things -- like minor logical errors and spelling mistakes -- it generated lots of false positives. Even attempts at fine-tuning didn't dramatically reduce these, according to Foster. These aren't revelations. A recent Stanford study found that engineers who use code-generating systems are more likely to introduce security vulnerabilities in the apps they develop. Copyright is an ongoing concern, as well. There are also logistical drawbacks of using AI for code reviews. As Foster notes, more traditional code reviews force engineers to learn through sessions and conversations with their developer peers. Offloading reviews threatens this knowledge sharing. Gill feels differently. "CodeRabbit's AI-first approach improves code quality and significantly reduces the manual effort required in the code review process," he said. Some folks are buying the sales pitch. Around 600 organizations are paying for CodeRabbit's services today, Gill claims, and CodeRabbit is in pilots with "several" Fortune 500 companies. It also has investments: CodeRabbit today announced a $16 million Series A funding round led by CRV, with participation from Flex Capital and Engineering Capital. Bringing the company's total raised to just under $20 million, the new cash will be put toward expanding CodeRabbit's 10-person sales and marketing functions and product offerings, with a focus on enhancing its security vulnerability analysis capabilities. "We'll invest in deeper integrations with platforms like Jira and Slack, as well as AI-driven analytics and reporting tools," Gill said, adding that Bay Area-based CodeRabbbit is in the process of setting up a new office in Bangalore as it roughly doubles the size of the team. "The platform will also introduce advanced AI automation for dependency management, code refactoring, unit test generation and documentation generation."
TechCrunch
Thu, 15 Aug, 4:06 PM UTC
Your Daily Dose of Curated AI News
Don’t drown in AI news. We cut through the noise - filtering, ranking and summarizing the most important AI news, breakthroughs and research daily. Spend less time searching for the latest in AI and get straight to action.
