Snyk Launches GitHub Copilot II

Security researchers at Snyk conducted a study showing that GitHub Copilot generates vulnerable code when the project it is working in already contains security issues. Copilot's models analyze the surrounding code base for patterns without truly understanding what the code does.

During the experiment, the Snyk team asked Copilot to generate a SQL query. The first suggestion was judged high-quality and secure: it used named parameters, which eliminates the risk of SQL injection.

The researchers then deliberately wrote a vulnerable SQL query in a separate file of the same project and asked Copilot to generate code again. This time the assistant produced code that increased the project's exposure to injection.

By using the vulnerable code as its reference point, Copilot not only replicated the existing issue but potentially multiplied the number of vulnerabilities in the project. The researchers caution that bringing inexperienced developers into such projects could significantly raise the risk of further vulnerabilities.

Snyk highlights several factors that make the use of GitHub Copilot riskier:

  • Entrenching a poor approach: novice developers relying on AI assistance may unknowingly introduce mistakes, assuming that code generated by artificial intelligence is automatically secure.
  • Lack of checks: AI assistants cannot evaluate the security of their own suggestions, and developers often skip this step themselves, increasing the likelihood of vulnerabilities in the project.
  • Use of outdated patterns: GitHub Copilot may propose outdated code fragments that security professionals consider vulnerable.
  • Ignoring security issues: Copilot prioritizes generating working code over assessing its security, so developers focused on functionality may overlook vulnerabilities.

To address these concerns, the experts recommend combining AI code generation with traditional security practices such as code analysis and developer training, so as to balance innovation against the reliability of the code.
