GitHub Copilot Autofix uses LLM to suggest security vulnerability fixes directly in pull requests
Security vulnerabilities detected by code scanning required manual developer effort to understand and fix, with no automated mechanism to suggest fixes alongside alerts.
The initial approach of asking the LLM to output a standard diff patch directly failed because it exacerbated the model's known arithmetic difficulties, producing incorrect line number computations.
Iterative prompt and heuristic refinement tripled the fix success rate while reducing LLM compute requirements by a factor of six; Copilot Autofix is now generally available.
Frequently asked questions
What did this team achieve with this AI workflow?
Iterative prompt and heuristic refinement tripled the fix success rate while reducing LLM compute requirements by a factor of six; Copilot Autofix is now generally available.
What tools did this team use?
CodeQL, LLM, Azure, GitHub Codespace, GitHub CLI.
What results were reported?
Fix success rate: tripled; LLM compute requirements: a factor of six reduction; Evaluation dataset size: over 1,400 alerts (source-reported, not independently verified).
What failed first in this deployment?
The initial approach of asking the LLM to output a standard diff patch directly failed because it exacerbated the model's known arithmetic difficulties, producing incorrect line number computations.
How is this quality assurance AI workflow structured?
PR opened or commit pushed → CodeQL scans repository → Fix generator builds LLM prompt → LLM generates code fix → Harmful content filtering → Post-processing and error correction → Fix suggestion rendered in PR → Developer reviews and applies fix.