This guide is inspired by GitHub's Engineering System Success Playbook (ESSP), which recommends strategies and metrics for driving improvements in engineering systems.
If you are starting a Copilot rollout, we recommend defining your goals, planning the rollout accordingly, and communicating those goals clearly to the team. See Achieving your company's engineering goals with GitHub Copilot.
1. Identify barriers to success
The first step recommended by the ESSP is to build a clear understanding of the obstacles that are blocking improvement in your company. Once you understand your current baseline, your desired future state, and the barriers that stand between them, you can make targeted, effective changes.
As development teams work to deliver new features and keep their applications running smoothly, their focus is often on speed and functionality. Over time, however, small issues accumulate, such as:
- Known security weaknesses that haven't been fixed
- Reliance on older software components with potential flaws
- Delays in addressing problems when they are discovered
For many organizations, this accumulation of unresolved security issues and outdated components creates a significant backlog—a security debt.
This debt carries real risks. The longer it goes unaddressed, the larger it can grow and the more costly it becomes to resolve. A large security debt can leave systems vulnerable to attacks, expose sensitive data, and ultimately erode customer trust and impact the bottom line.
The challenge is to balance the need for rapid development with the crucial responsibility of maintaining a secure and stable software environment.
2. Evaluate your options
The next step is to evaluate and agree on solutions to the barriers identified in step one. In this guide we focus on the impact GitHub Copilot can have on the goal identified above. Keep in mind that a successful rollout of a new tool also requires changes to culture and process.
You will trial new tools and processes with pilot groups to gather feedback and measure success. For training resources and for the metrics to use during these trials, read the sections 3. Implement changes and Metrics to watch.
How Copilot can help
GitHub Copilot can help mitigate security debt by integrating security considerations directly into the development lifecycle. Its capabilities can make it easier for developers to proactively identify and address potential vulnerabilities and keep their projects up-to-date.
Copilot can help reduce security vulnerabilities throughout the software development lifecycle.
During development
Copilot proactively reviews code as it's written, leveraging its understanding of common security flaws and patterns to flag areas that might be susceptible to exploitation. This real-time analysis can surface hidden vulnerabilities that might otherwise be missed during standard development or initial security reviews.
When issues are identified, Copilot can instantly suggest actionable code changes to remediate vulnerabilities, empowering developers to address weaknesses early in the development cycle and prevent security debt from accumulating.
Ongoing maintenance
Copilot integrates with GitHub's code scanning capabilities to keep your existing codebase secure. When code scanning raises a potential security alert, Copilot Autofix analyzes the vulnerability and provides targeted, context-specific recommendations to resolve it.
These concrete fix suggestions streamline remediation, reducing the time developers spend researching vulnerabilities and figuring out how to address them. As a result, security alerts are resolved more efficiently and are less likely to linger or contribute to ongoing security debt.
Cultural considerations
Beyond rolling out GitHub Copilot, you should also address the social or cultural factors that could keep you from reaching your goals.
The following examples are taken from the "Anti-Patterns" section of the ESSP.
- Teams might ignore or defer security debt, allowing inefficient and vulnerable systems to persist. This could be caused by a deadline-driven focus on features, or a lack of education about the long-term impact of security debt.
- Teams might build overly complex solutions for simple problems, which makes code harder to maintain and security issues harder to detect. This could be caused by a desire to future-proof unnecessarily or pressure to add value through complexity.
3. Implement changes
Once you have identified the right approach for overcoming your barriers, you will scale the chosen solutions. For a successful rollout of a new tool or process, it is important to assign ownership of each part of the rollout, communicate transparently about your goals, provide effective training, and measure your results.
This section presents example scenarios, best practices, and resources for developers. Use it to plan the communication and training sessions that will help employees use Copilot in a way that supports the goal.
- Analyze your code for security vulnerabilities
- Use Copilot Autofix for code scanning alerts
- Best practices for developers
- Resources for developers
Analyze your code for security vulnerabilities
Depending on the size of your codebase, Copilot may not be able to analyze the entire project while developers are writing code, because of limits on how much context it can take in at once. Developers can instead adopt the practice of asking Copilot to analyze specific files for insecure code practices.
- Open the files to analyze in Visual Studio Code.
- In Copilot Chat, ask:
Analyze this code for potential security vulnerabilities and suggest fixes
You can also use the #file chat variable to include a specific file's content in the prompt, or use prompt files and custom instructions to guide Copilot's responses.
- Copilot Chat analyzes the code, points out the security vulnerabilities it finds, and suggests fixes.
- Review the suggested changes and apply them as appropriate. Treat the output as a starting point: the suggested fix should be read and tested like any other code change.
Other examples of prompts include:
Are there any security vulnerabilities in my code? If so, can you explain them and suggest fixes?
Does this code follow secure code best practices? If not, what specific improvements can I make?
What are the potential security risks in this code if it were deployed to production? How can I mitigate them?
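The following is an added illustration, not code from the original page or from GitHub, of the kind of finding the prompts above are meant to surface and of how a developer should verify a suggested fix before applying it. The lookup functions, the in-memory SQLite table, the seed rows and the injection payload are all constructed for this example. The vulnerable version splices the caller's input into the query text; the hardened version binds it as a parameter; the check runs both against a normal input and against the payload so the fix is confirmed rather than accepted on trust.

```python
"""Constructed example: a SQL lookup before and after remediation, plus a check
that the fix actually closes the hole. Data and functions are made up for
illustration; nothing here is taken from a real system."""
import sqlite3

# Constructed seed rows (not real users).
SEED_USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 1),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern a reviewer would expect Copilot Chat to flag: user-controlled
    input is formatted into the SQL text, so the input can rewrite the query."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_email_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, so a quote in the input cannot change the query."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed payload: closes the string literal and adds a tautology.
INJECTION = "x' OR '1'='1"


def check_fix() -> dict:
    """Run both versions with a normal name and with the payload. A correct fix
    keeps the normal result unchanged and makes the payload match nothing."""
    conn = make_db()
    return {
        "vulnerable_normal": find_email_vulnerable(conn, "alice"),
        "vulnerable_payload": find_email_vulnerable(conn, INJECTION),
        "fixed_normal": find_email_fixed(conn, "alice"),
        "fixed_payload": find_email_fixed(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, result in check_fix().items():
        print(f"{label}: {result}")
```

Running the script shows the payload pulling every email out of the vulnerable version while the parameterized version returns an empty list for it and the same single row for the normal name. That pairing of a negative and a positive case is the minimum a reviewer should run before committing a fix that a tool suggested.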
Use Copilot Autofix for code scanning alerts
Copilot Autofix is a component of GitHub Code Security that suggests potential fixes for code scanning alerts. Copilot Autofix is available in public repositories and in repositories with a GitHub Code Security license.
When code scanning runs on a repository, potential issues are raised as code scanning alerts in that repository. Developers can resolve the alerts by following this flow:
- Open an alert on GitHub.
- Click Generate fix, which is displayed if Copilot can resolve the alert.
- Copilot Autofix generates a potential fix for the alert and shows the code changes in the alert itself. It then gives you the option to commit the change to a new branch or to an existing branch.
- At this point you can test the code, then open a pull request to move the changes to the main branch.
- Once you move the changes to the main branch and code scanning verifies the alert is fixed, the alert will be closed automatically.
Best practices for developers
Developers should:
- Use Copilot Chat regularly to analyze code snippets for vulnerabilities: Make it a habit to proactively check code for security issues before committing changes.
- Leverage Copilot Autofix for code scanning alerts: When alerts appear, use Copilot Autofix as a first step to address them quickly.
- Provide clear and specific prompts to Copilot Chat: The more detailed your request, the better Copilot can analyze the code and suggest relevant fixes. For example, include the programming language and specific areas of concern in your prompts.
- Combine Copilot with existing security tools: Use Copilot as an additional layer of security analysis, not as a replacement for dedicated security scanners and practices.
Developers should not:
- Automatically accept Copilot's security suggestions: Always review and test the code changes suggested by Copilot to ensure they are appropriate and effective.
- Rely solely on Copilot for comprehensive security audits: Copilot is a helpful tool, but it should not replace thorough security reviews and penetration testing.
- Ignore code scanning alerts: Address all alerts promptly, even if they seem minor, to prevent the accumulation of security debt.
- Use Copilot as an excuse to avoid learning secure coding practices: Continue to educate yourself and your team on security best practices.
- Assume Copilot will catch every vulnerability: Security is an ongoing process, and vigilance is always necessary.
- Use Copilot to bypass security policies: Adhere to your organization's security protocols, and use Copilot as a tool to enhance them, not circumvent them.
Resources for developers
- Copilot Chat in GitHub
- Finding existing vulnerabilities in code
- GitHub Skills - Getting Started with GitHub Copilot
Metrics to watch
To analyze trials of new tools and to make sure full rollouts keep delivering improvements, monitor the results and adjust when necessary. In general, we recommend considering the key areas of quality, velocity, and developer satisfaction, and how these areas combine to contribute to business outcomes.
Here are some metrics we recommend tracking to assess Copilot's impact on this particular goal.
- Security debt ratio: Use security overview to see whether the number of open alerts falls over time.
- Time to remediate security issues: Use security overview to see whether the time from an alert being opened to it being fixed falls over time.
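As an added example, not from the original page, the two metrics above computed from code scanning alert records. The field names used (number, state, created_at, fixed_at, dismissed_at, rule.severity) follow the shape returned by GitHub's REST endpoint for listing a repository's code scanning alerts; treating that shape as given is an assumption of this example, and the alert records themselves are constructed, so the script runs offline. A dismissed alert counts as closed for the open-alert trend, but only alerts that were actually fixed contribute to time to remediate, since a dismissal remediates nothing.

```python
"""Constructed example: open-alert trend and median time to remediate from
code scanning alert records. Records are made up; the field names assume the
shape of GitHub's code-scanning alerts REST response."""
from datetime import datetime, timezone
from statistics import median
from typing import List, Optional

# Constructed sample alerts (not real data).
ALERTS = [
    {"number": 1, "state": "fixed", "created_at": "2024-01-02T10:00:00Z",
     "fixed_at": "2024-01-05T10:00:00Z", "dismissed_at": None, "rule": {"severity": "error"}},
    {"number": 2, "state": "fixed", "created_at": "2024-01-10T09:00:00Z",
     "fixed_at": "2024-01-11T09:00:00Z", "dismissed_at": None, "rule": {"severity": "warning"}},
    {"number": 3, "state": "dismissed", "created_at": "2024-01-12T12:00:00Z",
     "fixed_at": None, "dismissed_at": "2024-01-20T12:00:00Z", "rule": {"severity": "note"}},
    {"number": 4, "state": "open", "created_at": "2024-02-01T08:00:00Z",
     "fixed_at": None, "dismissed_at": None, "rule": {"severity": "error"}},
    {"number": 5, "state": "fixed", "created_at": "2024-02-03T08:00:00Z",
     "fixed_at": "2024-02-13T08:00:00Z", "dismissed_at": None, "rule": {"severity": "error"}},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def open_alerts_at(alerts: list, when: str) -> int:
    """Alerts open at 'when': created on or before it and not yet fixed or dismissed."""
    cutoff = parse_ts(when)
    count = 0
    for alert in alerts:
        if parse_ts(alert["created_at"]) > cutoff:
            continue
        closed_at = alert["fixed_at"] or alert["dismissed_at"]
        if closed_at is None or parse_ts(closed_at) > cutoff:
            count += 1
    return count


def open_alert_trend(alerts: list, checkpoints: List[str]) -> List[int]:
    """Open-alert count at each checkpoint; a falling series means debt is shrinking."""
    return [open_alerts_at(alerts, c) for c in checkpoints]


def median_days_to_remediate(alerts: list, severity: Optional[str] = None) -> Optional[float]:
    """Median days from creation to fix. Only fixed alerts count; dismissals are
    excluded. Optionally restrict to one severity, since fixing errors matters
    more than fixing notes."""
    days = [
        (parse_ts(a["fixed_at"]) - parse_ts(a["created_at"])).total_seconds() / 86400
        for a in alerts
        if a["state"] == "fixed" and a["fixed_at"]
        and (severity is None or a["rule"]["severity"] == severity)
    ]
    return median(days) if days else None


if __name__ == "__main__":
    checkpoints = ["2024-01-15T00:00:00Z", "2024-02-05T00:00:00Z", "2024-03-01T00:00:00Z"]
    print("open alerts per checkpoint:", open_alert_trend(ALERTS, checkpoints))
    print("median days to remediate (all):", median_days_to_remediate(ALERTS))
    print("median days to remediate (error):", median_days_to_remediate(ALERTS, "error"))
```

Feeding the real API response into the same functions gives the numbers to compare before and after a pilot; splitting time to remediate by severity keeps a flood of quickly closed low-severity alerts from masking slow progress on the ones that matter.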