Code scanning: security campaigns and autofixes for historical CodeQL alerts (outside the PR experience) #848

@github-product-roadmap

Summary

Currently, CodeQL code scanning analyses a repository on a push to the default branch or to any protected branch, or on a schedule, depending on the workflow configuration. Alerts found on the main or default branch outside of a pull request are surfaced by code scanning as repository-level alerts.

Code scanning will provide the ability for security teams to define security campaigns to help facilitate collaboration with developers and speed up remediation of historical code scanning alerts with the help of AI-powered autofix.

When a security campaign is created, code scanning will propose AI-generated fixes for any supported code scanning alerts. These fixes help developers resolve alerts faster and avoid introducing new vulnerabilities into codebases. Developers review each suggested autofix and choose to accept, dismiss, or edit the suggestion.

All GHAS customers on GitHub will have access to this functionality.

Intended Outcome

Users can fix existing security vulnerabilities on the main or default branch faster with the help of code scanning AI-generated autofixes. This helps reduce the number of active vulnerabilities and improves the security posture more quickly. Additionally, the UX will let developers jump into an editing environment to make any adjustments to the proposed fix.

How will it work?

Following the CodeQL analysis, an LLM will generate a fix for each alert where it can. These AI-generated remediation suggestions are then posted as a code scanning autofix on the corresponding alert.

Metadata

Project status: Q2 2025 – Apr-Jun
