
Reducing security debt in your company with GitHub Copilot

Understand features, enable developers, and measure Copilot's impact.

Who can use this feature?

GitHub Copilot Business or GitHub Copilot Enterprise

This guide is inspired by GitHub's Engineering System Success Playbook (ESSP), which recommends strategies and metrics for improving engineering systems.

When you begin rolling out Copilot, we recommend defining your goals, planning the rollout accordingly, and communicating the goals clearly to employees. For more information, see Achieving your company's engineering goals with GitHub Copilot.

1. Identify barriers to success

The first step recommended by the ESSP is to develop a clear understanding of the barriers that prevent improvement in your company. Knowing the current baseline, the desired future state, and the obstacles to progress lets you ensure that changes are targeted and effective.

As development teams work to deliver new features and keep their applications running smoothly, their focus is often on speed and functionality. Over time, however, small issues accumulate, such as:

  • Known security weaknesses that haven't been fixed
  • Reliance on older software components with potential flaws
  • Delays in addressing problems when they are discovered

For many organizations, this accumulation of unresolved security issues and outdated components creates a significant backlog—a security debt.

This debt carries real risks. The longer it goes unaddressed, the larger it can grow and the more costly it becomes to resolve. A large security debt can leave systems vulnerable to attacks, expose sensitive data, and ultimately erode customer trust and impact the bottom line.

The challenge is to balance the need for rapid development with the crucial responsibility of maintaining a secure and stable software environment.

2. Evaluate your options

The next step is to evaluate and select solutions to the barriers identified in step 1. In this guide, we focus on the impact GitHub Copilot can have on the goal you have identified. Bear in mind that a successful rollout of a new tool also requires changes to culture and processes.

Run trials of new tools and processes with pilot groups to gather feedback and measure success. For training resources and the metrics to use during the trial, see the sections 3. Implement changes and Metrics to watch.


How Copilot can help

GitHub Copilot can help mitigate security debt by integrating security considerations directly into the development lifecycle. Its capabilities can make it easier for developers to proactively identify and address potential vulnerabilities and keep their projects up-to-date.

Copilot can help reduce security vulnerabilities throughout the software development lifecycle.

During development

Copilot proactively reviews code as it's written, leveraging its understanding of common security flaws and patterns to flag areas that might be susceptible to exploitation. This real-time analysis can surface hidden vulnerabilities that might otherwise be missed during standard development or initial security reviews.

When issues are identified, Copilot can instantly suggest actionable code changes to remediate vulnerabilities, empowering developers to address weaknesses early in the development cycle and prevent security debt from accumulating.

Ongoing maintenance

Copilot integrates with GitHub's code scanning capabilities to keep your existing codebase secure. When code scanning identifies a potential security alert, Copilot Autofix can intelligently analyze the vulnerability and provide targeted, context-specific recommendations to resolve it.

These concrete fix suggestions streamline remediation, reducing the time developers spend researching vulnerabilities and figuring out how to address them. As a result, security alerts are resolved more efficiently and are less likely to linger or contribute to ongoing security debt.

Cultural considerations

Alongside the rollout of GitHub Copilot, you should also address any social or cultural factors that could prevent you from reaching your goals.

The following examples come from the "Anti-patterns" section of the ESSP.

  • Teams might ignore or defer security debt, allowing inefficient and vulnerable systems to persist. This could be caused by a deadline-driven focus on features, or a lack of education about the long-term impact of security debt.
  • Teams might build overly complex solutions for simple problems, which makes code harder to maintain and security issues harder to detect. This could be caused by a desire to future-proof unnecessarily or pressure to add value through complexity.

3. Implement changes

Once you have identified the right approach for overcoming the barriers, scale the solutions you have identified. For a rollout of a new tool or process to succeed, it is important to assign ownership for each part of the rollout, communicate your goals transparently, provide effective training, and measure your results.

This section contains example scenarios, best practices, and resources for developers. We recommend using this section to plan communications and training sessions so that employees can use Copilot in line with your goals.

Analyze your code for security vulnerabilities

Depending on the size of your codebase, Copilot may not be able to analyze the entire project while developers are writing code, because of the limits of its context window. Developers can instead adopt the practice of asking Copilot to analyze specific files for insecure coding practices.

  1. Open the files to analyze in Visual Studio Code.

  2. In Copilot Chat, ask: Analyze this code for potential security vulnerabilities and suggest fixes

    You can also use the #file chat variable to specifically include a file's content in the prompt, or use prompt files and custom instructions to guide Copilot's responses.

  3. Copilot Chat will analyze the code, identify the security vulnerabilities, and suggest the appropriate fixes.

  4. Review the suggested changes and apply them as appropriate.

Other examples of prompts include:

  • Are there any security vulnerabilities in my code? If so, can you explain them and suggest fixes?
  • Does this code follow secure code best practices? If not, what specific improvements can I make?
  • What are the potential security risks in this code if it were deployed to production? How can I mitigate them?

Use Copilot Autofix for code scanning alerts

Copilot Autofix is a component of GitHub Code Security that can suggest potential fixes to code scanning alerts. Copilot Autofix is available in public repositories and repositories with a license for GitHub Code Security.

When someone runs a code scan on a repository, potential issues are raised as code scanning alerts in the repository. Developers can resolve the alerts by following this flow:

  1. Open an alert on GitHub.
  2. Click Generate fix, which is displayed if Copilot can resolve the alert.
  3. Copilot Autofix will generate a potential fix for this alert, showing you the code changes in the alert itself. It then gives you the option to commit this code change to a new branch or an existing branch.
  4. At this point you can test the code, then open a pull request to move the changes to the main branch.
  5. Once you move the changes to the main branch and code scanning verifies the alert is fixed, the alert will be closed automatically.
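Whether a fix comes from Copilot Chat (the file-analysis flow above) or from Copilot Autofix, the step that matters for security debt is the review: confirm the suggested change actually closes the weakness before committing it. The following is an added example, not code from this page or from GitHub: a constructed SQL injection flaw in a Python/sqlite3 lookup, the kind of parameterized-query fix a reviewer would expect to see, and a check that exercises both versions with an injection payload. The table, rows, and function names are all assumptions made up for the illustration.

```python
import sqlite3

# Constructed sample database (not from the page): two users, one of them an admin.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_before(conn, name):
    # The flagged version: untrusted input is interpolated into the SQL text,
    # so a crafted name changes the query's logic (classic SQL injection).
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_after(conn, name):
    # The fixed version: the value travels as a bound parameter, never as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def review_fix(payload="' OR '1'='1"):
    # Runs both versions against the same payload so a reviewer can see the
    # difference: the original leaks every row, the fix returns nothing because
    # no user is literally named "' OR '1'='1".
    conn = make_db()
    return {
        "before": find_user_before(conn, payload),
        "after": find_user_after(conn, payload),
    }


if __name__ == "__main__":
    result = review_fix()
    print("before fix:", result["before"])
    print("after fix: ", result["after"])
    print("legitimate lookup:", find_user_after(make_db(), "alice"))
```

The point of running both versions rather than reading the diff is that a suggested fix can look right and still be wrong (for example, escaping quotes instead of binding parameters); a check like this is cheap to keep next to the fix as a regression test.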

Best practices for developers

Developers should:

  • Use Copilot Chat regularly to analyze code snippets for vulnerabilities: Make it a habit to proactively check code for security issues before committing changes.
  • Leverage Copilot Autofix for code scanning alerts: When alerts appear, use Copilot Autofix as a first step to quickly address them.
  • Provide clear and specific prompts to Copilot Chat: The more detailed your request, the better Copilot can analyze the code and suggest relevant fixes. For example, include the programming language and specific areas of concern in your prompts.
  • Combine Copilot with existing security tools: Use Copilot as an additional layer of security analysis, not as a replacement for dedicated security scanners and practices.

Developers should not:

  • Automatically accept Copilot's security suggestions: Always review and test the code changes suggested by Copilot to ensure they are appropriate and effective.
  • Rely solely on Copilot for comprehensive security audits: Copilot is a helpful tool, but it should not replace thorough security reviews and penetration testing.
  • Ignore code scanning alerts: Address all alerts promptly, even if they seem minor, to prevent the accumulation of security debt.
  • Use Copilot as an excuse to avoid learning secure coding practices: Continue to educate yourself and your team on security best practices.
  • Assume Copilot will catch every vulnerability: Security is an ongoing process, and vigilance is always necessary.
  • Use Copilot to bypass security policies: Adhere to your organization's security protocols, and use Copilot as a tool to enhance them, not circumvent them.

Resources for developers

Metrics to watch

To evaluate trials of new tools and to ensure that full rollouts deliver consistent improvements, monitor the results and make adjustments as needed. In general, we recommend considering the key areas of quality, velocity, and developer happiness, and examining how these areas together contribute to business outcomes.

Here are some metrics to look at to evaluate Copilot's impact on this particular goal.

  • Security debt ratio: Use security overview to see whether the number of open alerts falls over time.
  • Time to remediate security issues: Use security overview to see whether the time between an alert being opened and being fixed falls over time.

See Assessing the security risk of your code.
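Security overview shows these two metrics in the UI; if you want to track them for a pilot group on your own, they can be computed from the alert records themselves. The script below is an added example, not from this page or from GitHub. It assumes alert records shaped like the objects returned by GitHub's code scanning alerts REST API (`state` of `open`, `fixed` or `dismissed`, plus `created_at`, `fixed_at` and `dismissed_at` timestamps); the five alerts are constructed sample data, not real alerts. It reports the open-alert count at a series of dates (the trend behind the security debt ratio) and the median time to remediate across fixed alerts.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not real alerts), shaped like the objects the
# code scanning alerts REST API returns. Timestamps are ISO 8601 with offset.
SAMPLE_ALERTS = [
    {"number": 1, "state": "fixed", "created_at": "2024-01-05T12:00:00+00:00",
     "fixed_at": "2024-01-10T12:00:00+00:00", "dismissed_at": None},
    {"number": 2, "state": "fixed", "created_at": "2024-01-08T12:00:00+00:00",
     "fixed_at": "2024-01-25T12:00:00+00:00", "dismissed_at": None},
    {"number": 3, "state": "open", "created_at": "2024-02-01T12:00:00+00:00",
     "fixed_at": None, "dismissed_at": None},
    {"number": 4, "state": "dismissed", "created_at": "2024-02-03T12:00:00+00:00",
     "fixed_at": None, "dismissed_at": "2024-02-04T12:00:00+00:00"},
    {"number": 5, "state": "fixed", "created_at": "2024-02-10T12:00:00+00:00",
     "fixed_at": "2024-02-13T12:00:00+00:00", "dismissed_at": None},
]


def _ts(value):
    """Parse an ISO 8601 timestamp, or return None for a missing one."""
    return datetime.fromisoformat(value) if value else None


def is_open_at(alert, as_of):
    """True if the alert existed and was neither fixed nor dismissed at as_of."""
    as_of = _ts(as_of)
    if _ts(alert["created_at"]) > as_of:
        return False
    for key in ("fixed_at", "dismissed_at"):
        closed = _ts(alert.get(key))
        if closed is not None and closed <= as_of:
            return False
    return True


def open_alert_count(alerts, as_of):
    """Number of alerts open at a point in time (the security debt backlog)."""
    return sum(1 for alert in alerts if is_open_at(alert, as_of))


def open_alert_trend(alerts, dates):
    """Backlog size at each date, for plotting whether the debt is shrinking."""
    return [(date, open_alert_count(alerts, date)) for date in dates]


def remediation_days(alerts):
    """Days from alert creation to fix, for fixed alerts only.

    Dismissed alerts are deliberately excluded: a dismissal removes the alert
    from the backlog but is not a remediation, and counting it would flatter
    the metric.
    """
    days = []
    for alert in alerts:
        if alert["state"] == "fixed" and alert.get("fixed_at"):
            delta = _ts(alert["fixed_at"]) - _ts(alert["created_at"])
            days.append(delta.total_seconds() / 86400)
    return days


def median_time_to_remediate_days(alerts):
    """Median days to remediate, or None when nothing has been fixed yet."""
    days = remediation_days(alerts)
    return median(days) if days else None


if __name__ == "__main__":
    checkpoints = ["2024-01-09T00:00:00+00:00", "2024-02-05T00:00:00+00:00",
                   "2024-02-11T00:00:00+00:00"]
    for date, count in open_alert_trend(SAMPLE_ALERTS, checkpoints):
        print(f"{date[:10]}: {count} open alert(s)")
    print("median days to remediate:", median_time_to_remediate_days(SAMPLE_ALERTS))
```

Median rather than mean is used because one long-lived alert would otherwise dominate the figure during a pilot with few alerts; report both if the distribution matters to you. To run this against a real repository, fetch the records with the code scanning alerts endpoint (with pagination) and pass them in place of `SAMPLE_ALERTS`.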