
GitHub Copilot Autofix uses an LLM to suggest security vulnerability fixes directly in pull requests

Security vulnerabilities detected by code scanning required manual developer effort to understand and fix, with no automated mechanism to suggest fixes alongside alerts.

How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack. Specific products that implement these stages appear in "Tools used" below.
Stage 1 · PR opened or commit pushed
The user opens a pull request or pushes a commit.
Tools used: CodeQL, LLM, Azure, GitHub Codespace, GitHub CLI
Outcome

Iterative prompt and heuristic refinement tripled the fix success rate while reducing LLM compute requirements by a factor of six; Copilot Autofix is now generally available.

What failed first

The initial approach of asking the LLM to output a standard diff patch directly failed because it exacerbated the model's known arithmetic difficulties, producing incorrect line number computations.

Results
Volume: tripled
Running since: November 2023
Source

https://github.blog/engineering/platform-security/fixing-security-vulnerabilities-with-ai/


Grounding & classification
Source type: technical build writeup
23 fields verified against source quotes.
Tags: code generation, code diff pr, failure mode described, human review described, metric backed, production runtime claimed, tools described, workflow described, software, cost reduction, employee productivity, error reduction, technical build writeup, quality assurance, ai draft human approval