AI-generated security fixes in Snyk Code now available
May 9, 2023
Finding and fixing security issues in your code has its challenges. Chief among them is the important step of actually changing your code to fix the problem. Getting there is a process: sorting through security tickets, deciphering what those security findings mean and where they come from in the source code, and then determining how to fix the problem so you can get back to development. Not to worry — AI will take care of everything, right? Well, once it learns to produce secure code as a default and not to copy its work from the IP of others… or to share your IP with the world.
At our April SnykLaunch event, we debuted our newest capability using AI to provide a fix right in the IDE so a developer can simply click the suggestion and automatically implement the fix in their code. Today, we’re happy to announce that this AI-powered fix functionality is now available in open beta! Snyk AI fixes are purpose-built for security fixes, free from the worries of infringement or your proprietary code getting passed along to others.
Snyk AI-powered fix suggestions in your IDE: two examples
In the above example, a SQL injection issue is identified by Snyk Code. This is a high-risk issue and can be particularly tricky to fix because the point in code where the call to the database is made might be completely separate from the area in the code where the database query and variables are assembled. Tracing this security issue back to its source is a challenge, and then deciding how to change the code to fix it is even more work. But here we see Snyk’s AI fix suggestion handling the issue for us, going back to the source of the issue, and providing a fix in our IDE.
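The pattern described above, as an added illustration that is not Snyk's code or the code from the demo: the query is assembled in one helper and executed in a separate sink, so the fix belongs at the source (the helper), switching it from string concatenation to a parameterised statement. The recording client and the `$1` placeholder style are assumptions for the example, not any particular database driver.

```javascript
// Added example (not Snyk's code): the two-stage SQL injection pattern the
// post describes. The query is built in one function and run in another,
// and the fix is applied where the query is assembled, not where it is run.

// Vulnerable source: untrusted input is concatenated into the SQL text, so the
// caller of runQuery() has no way to tell data apart from query structure.
function buildUserQueryVulnerable(username) {
  return "SELECT id, role FROM users WHERE name = '" + username + "'";
}

// Fixed source: the helper returns a parameterised statement. The value is
// carried separately and never becomes part of the SQL text.
function buildUserQueryFixed(username) {
  return { text: "SELECT id, role FROM users WHERE name = $1", values: [username] };
}

// Sink: a separate function that runs whatever statement it is handed.
// Accepting both shapes mirrors the "before" and "after" states of the code.
function runQuery(client, statement) {
  if (typeof statement === "string") {
    return client.query(statement); // raw text: structure follows the input
  }
  return client.query(statement.text, statement.values);
}

// Constructed stand-in for a database client: it only records what it would
// send, so the example runs offline and the difference can be inspected.
function makeRecordingClient() {
  const sent = [];
  return {
    sent,
    query(text, values = []) {
      sent.push({ text, values });
      return sent.length;
    },
  };
}

// Constructed input containing a quote and an OR clause, used here only to
// show how the two helpers treat the same value differently.
const hostileInput = "' OR '1'='1";

// Runs both helpers through the same sink and returns what reached the client.
function demo() {
  const client = makeRecordingClient();
  runQuery(client, buildUserQueryVulnerable(hostileInput));
  runQuery(client, buildUserQueryFixed(hostileInput));
  return client.sent;
}
```

In the recorded output, the vulnerable helper's input has altered the WHERE clause itself, while the fixed helper's SQL text is unchanged and the input appears only in the values array.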
In this second example, hardcoded credentials have been detected in the source code. Snyk AI’s fix removes the hardcoded credentials, using a session variable in its place.
Purpose-built AI for trustworthy security fixes
Demos abound showing various AI tools generating code that looks interesting. But several questions have been asked as engineers and security experts dive deeper and consider the implications:
Can I trust that the AI-generated code isn’t introducing more security issues?
And, if the AI is learning from existing code in open repositories, am I in danger of incorporating someone else’s copyrighted work, or code from open source projects that have restrictive licenses?
These are both valid concerns, and the AI tools generating code in these demos make no explicit statement about where their code comes from, whether it is indeed secure, or which license restrictions may be inherited with the code that the AI produces.
Because the Snyk AI fix suggestions are meant to solve security problems, we wanted to build this capability with these concerns in mind. To wit, our AI models are trained only on open source projects whose code carries an explicit permissive open source license. In addition, Snyk AI’s fix suggestions are small, discrete changes rather than long generated sections of code. The demonstrations above show the types of fix suggestions that Snyk AI makes.
As to ensuring Snyk AI’s fixes are not introducing new problems: before Snyk AI provides a fix suggestion to a developer, the AI engine passes the fix suggestion through the Snyk Code security engine to ensure that (1) the fix solves the issue at hand, and (2) it does not introduce new problems. The fix is only provided to the developer when this AI-fix-to-Snyk-Code test feedback loop is confident in the result. And, as a developer, you are always in control of whether or not to apply and accept the fix.
Finally, there are questions about the safety and safe handling of one’s own code when using AI. Will the models use my code to learn, and in turn potentially share my code, intellectual property, and sensitive information with others? Snyk’s AI does not store our customers’ code beyond the short-term caching needed to run the security analysis. Our policies are clearly documented in our article “How Snyk handles your data,” which includes our policy for AI training: “Snyk Code does not use any customer code (1) for engine training purposes or (2) to extract examples to show possible fixes.”
How to turn on Snyk AI fix suggestions
In this initial open beta, we are offering the new capability for JavaScript through the Snyk IDE plugins for Visual Studio Code and Eclipse. We will gradually extend the coverage to more languages and continue to refine the experience. To receive fix suggestions, you'll need to enable the feature in the Snyk Preview tab.
Make sure to install or update the Snyk Extension for Visual Studio Code or Snyk Eclipse Plugin. To ensure the latest version is in use, it always helps to restart the IDE.