"Refounded" GitHub boasts new AI tools to spot insecure code in real-time, let devs use natural language

“Our model targets the most common vulnerable coding patterns, including hardcoded credentials, SQL injections, and path injections,” says the “refounded” company.


It’s 8:58am and a packed conference room in Silicon Valley awaits the arrival of Thomas Dohmke, CEO of GitHub, the largest software collaboration platform in the world. What the audience did not expect was Microsoft CEO Satya Nadella joining him, but he is a fitting guest: it is Redmond's generative AI "Copilots" that are really taking centre stage.

Dohmke and Nadella are the first to announce the new features GitHub is rolling out over the coming months, marking a new era for the Microsoft-owned and 100 million user-strong platform: "Just as GitHub was founded in Git, today we are refounded on Copilot,” Dohmke says.

Among them, a new AI-powered vulnerability prevention system that blocks developers’ “insecure coding patterns” in real time: “Our model targets the most common vulnerable coding patterns, including hardcoded credentials, SQL injections, and path injections,” GitHub says.
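To make the three patterns GitHub names concrete, the following is an added example (written for this page, not GitHub's or Copilot's code) showing each one in its vulnerable form beside a hardened form. The in-memory `users` table, the `APP_DB_PASSWORD` variable name and the `/srv/app/files` root are all constructed for illustration.

```python
"""Hardcoded credentials, SQL injection and path injection: vulnerable vs hardened.
Added example, not code from GitHub; sample data and paths are constructed."""
import os
import sqlite3

# ---- 1. Hardcoded credentials -----------------------------------------------
HARDCODED_DB_PASSWORD = "s3cret-dev-password"  # VULNERABLE: in source and in git history forever


def db_password_from_env(env=os.environ):
    """SAFE: resolve the credential at run time from the environment (or a secrets
    manager) and fail closed when it is absent. APP_DB_PASSWORD is an assumed name."""
    password = env.get("APP_DB_PASSWORD")
    if not password:
        raise RuntimeError("APP_DB_PASSWORD is not set")
    return password


# ---- 2. SQL injection ---------------------------------------------------------
def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    # VULNERABLE: the caller's string is spliced into the SQL text, so a value such as
    # "' OR '1'='1" rewrites the WHERE clause and returns every row.
    query = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    # SAFE: a bound parameter is always data, never SQL syntax.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


# ---- 3. Path injection (directory traversal) ---------------------------------
def unsafe_join(root, requested):
    # VULNERABLE: ".." segments in `requested` walk out of `root`.
    # normpath is applied only to show the path the OS would actually open.
    return os.path.normpath(os.path.join(root, requested))


def safe_join(root, requested):
    """SAFE: normalise, then require the result to remain under root.
    Returns the absolute path, or None if `requested` escapes root.
    (On a real filesystem also pass the result through os.path.realpath so a
    symlink inside root cannot point outside it.)"""
    root = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root, requested))  # collapses ".." and absolute overrides
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    attack = "' OR '1'='1"
    print(find_user_vulnerable(make_db(), attack))             # ['alice', 'bob']: whole table leaks
    print(find_user_safe(make_db(), attack))                   # []: treated as a literal name
    print(unsafe_join("/srv/app/files", "../../etc/passwd"))   # /srv/etc/passwd
    print(safe_join("/srv/app/files", "../../etc/passwd"))     # None
```

Note that the hardened SQL form works because the driver sends the value separately from the statement; building the query with an f-string and then "escaping" quotes by hand is not equivalent. Likewise the path check compares the normalised result against the root rather than searching the input for `..`, which misses encoded and absolute-path variants.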

(It announced the new tools days after Microsoft vowed to fundamentally overhaul its own development practices, and amid broader industry pressure from regulators to ensure “secure by design” software.)

With The Stack’s analysis having shown a startling rise in SQL injection vulnerabilities among the bugs in NIST’s CVE catalogue, and the OpenSSF having earlier described an “endemic problem” of insecure code, the initiative is welcome; the price tag, however, may not be welcome to those on a budget.

Top 25 most dangerous CWE (Common Weakness Enumeration) codes as reflected in CVEs 2018-2022; analysis by The Stack shows a spike in SQLi and XSS bugs.

These security updates will be available only to Copilot Enterprise subscribers within the Advanced Security add-on, at $49 per month per active committer, a cost that will prove considerable at enterprise scale. GitHub promised that the add-on would include “AI secret scanning for generic secrets and our new regular expression generator for custom patterns…making it easier to find leaked secrets with low false positives.”
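GitHub has not published how its generic-secret model or regex generator work, so the following is an added example of the underlying idea only, not GitHub's implementation: combine a custom pattern for a known token format with a generic "secret-looking assignment" rule, and suppress the classic false positives (placeholder values, low-entropy strings, and values that are not string literals at all). The `acme_` token format, the sample source lines and the 3.5 bits-per-character threshold are all constructed assumptions.

```python
"""Regex plus entropy secret scanner with false-positive suppression.
Added example; not GitHub's secret scanning code. Patterns and inputs are constructed."""
import math
import re
from collections import Counter

# A custom pattern for a hypothetical internal token format (assumed, not a real vendor format).
CUSTOM_PATTERNS = {
    "acme-token": re.compile(r"\bacme_[A-Za-z0-9]{32}\b"),
}

# Generic rule: a secret-ish key name assigned a *quoted literal* of at least 8 characters.
# Requiring a literal means `token = os.environ["APP_TOKEN"]` is never reported.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(password|passwd|secret|token|api_key)\b\s*[=:]\s*['\"]([^'\"]{8,})['\"]")

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed tuning value, random tokens sit near 5
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_number, rule_name, matched_value) for each probable secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        matched_custom = False
        for rule, rx in CUSTOM_PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, rule, m.group(0)))
                matched_custom = True
        if matched_custom:
            continue  # do not double-report the same value under the generic rule
        m = GENERIC_ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group(2)
        # Suppression: placeholders and low-entropy strings are the usual false positives.
        if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_THRESHOLD:
            continue
        findings.append((lineno, "generic-high-entropy", value))
    return findings


# Constructed sample source lines (not from any real repository).
SAMPLE_SOURCE = [
    'DB_PASSWORD = "changeme"',                                                    # placeholder: skipped
    'api_key = "Yk3nP8vB2wQ9rT5mL7zX1cH4jF6dS0gA"',                               # high entropy: reported
    'token = os.environ["APP_TOKEN"]',                                             # not a literal: skipped
    'headers = {"Authorization": "Bearer acme_q7Zp2mX9vL4kR8nT1wB6yH3jD5sF0aGc"}',  # custom pattern: reported
    'secret = "test-test-test-1"',                                                 # low entropy: skipped
]

if __name__ == "__main__":
    for lineno, rule, value in scan_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

The custom pattern is the "low false positive" half of the story: a precisely shaped regex for a known token format needs no entropy check at all, which is why a generator for such patterns matters. The generic rule is the "generic secrets" half and will always need the suppression logic, so in practice its threshold and placeholder list are tuned against a repository's real history before it is allowed to block a push.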

The company said it is introducing slash commands and context variables to GitHub Copilot: for example, developers can enter /fix to have Copilot propose a fix, or /tests to generate tests. Copilot is also coming to the JetBrains suite of IDEs (in preview).

GitHub AI announcements

The duo took the stage following the release of GitHub’s annual “Octoverse” developer survey, which showed that there are now 450 million projects on GitHub, with 4.5 billion contributions in 2023 alone.

The two executives also announced new natural language capabilities with GitHub Copilot Chat. This lets developers ask programming questions or query repositories, files, or documentation in natural language. (Another stake in the heart, arguably, of Stack Overflow…).

“[We want people to] feel empowered, they feel they can do their very best work,” Microsoft CEO Satya Nadella said, adding: “It’s about ultimately removing the drudgery and bringing the joy back… Natural language is about accessibility and making the barrier to entry lower.”

For developers facing a growing security burden as part of a “DevSecOps” or “shift left” drive that in many organisations has simply meant “give devs more responsibilities and compliance burdens”, automated assistance in writing more secure code will no doubt be welcome.


“This will radically transform the traditional definition of Shift Left,” GitHub says. From now on, Shifting Left will mean more than catching vulnerable code before it reaches production; it will mean preventing vulnerable code from ever being written, the company suggests.

(As CSO Mike Hanley phrased it earlier this year: “It’s not only our responsibility to protect developers’ code but ensure that we’re enabling a seamless developer experience in one integrated platform so developers can focus on what they do best: building great software.”)

Copilot Chat and personalised AI

“ChatGPT is the most consequential development in technology since the internet browser,” Dohmke tells the room. GitHub is harnessing its power. Copilot Chat, a GPT-4-powered application that can also identify security vulnerabilities in the IDE, is launching as part of GitHub’s “refounding” in December. Copilot Chat, says the company, will let developers ask questions about code in natural language, whatever language they speak, and allow them to find errors, write unit tests or debug code quickly.

Subscribers will also be able to connect Copilot to private repositories, custom-train AI models, and generate pull request summaries.

For Nadella, this is just the beginning: “We have 100m plus people on GitHub, but my dream is how can we empower a billion people?”
