GitHub Updates Copilot’s AI Component, Reduces Unwanted Suggestions

GitHub recently announced that it has updated Copilot’s AI model, aiming to boost efficiency and security and to deliver faster, higher-quality suggestions to its users.

The improved AI component will start rolling out to users this week and should allow software developers to become more efficient by increasing the acceptance rate of code suggestions.

Copilot is GitHub’s cloud-based artificial intelligence tool that helps users of Visual Studio, Visual Studio Code, JetBrains IDEs and Neovim (integrated development environments) by autocompleting their code.

Updating the tool’s underlying Codex model is expected to make developers faster by giving them better, more accurate, and more responsive code suggestions. The company introduced the following critical improvements in the update:

  • Upgraded Copilot to a new OpenAI Codex model to deliver better code synthesis results
  • Added a lightweight client-side model to VS Code’s GitHub Copilot extension to increase the overall code suggestion acceptance rate by leveraging basic information about the user’s context
  • Added a new paradigm called “Fill-In-The-Middle” (FIM) that understands more about the user’s intended code and crafts better prompts for code suggestions

Copilot’s update also introduces an AI vulnerability filtering mechanism that prevents the tool from suggesting insecure coding patterns in real time. The revamped model targets commonly known vulnerabilities, including path injections, SQL injections and hardcoded credentials.
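To make the three pattern families above concrete, here is an added example (not GitHub’s code or its actual filter rules) that approximates the idea with regexes over a fragment of a suggestion, including incomplete fragments such as a completion that has not yet closed its parenthesis. The pattern set, the sample fragments and the safer alternatives are all constructed for illustration:

```python
import re

# Crude regex approximations of the three pattern families the article names.
# Constructed for illustration only; a real filter uses a model or parser, not regexes.
INSECURE_PATTERNS = {
    # SQL built from an f-string, '+' concatenation, '%' or .format() inside execute()/query()
    "sql_injection": re.compile(
        r"""\b(?:execute|executescript|query)\s*\(\s*(?:f["']|["'].*?["']\s*(?:\+|%|\.format))"""
    ),
    # A string literal assigned to a credential-looking name
    "hardcoded_credential": re.compile(
        r"""(?i)\b(?:password|passwd|secret|api_key|apikey|token)\w*\s*=\s*["'][^"']+["']"""
    ),
    # A file path assembled by concatenation or f-string directly inside open()
    "path_injection": re.compile(
        r"""\bopen\s*\(\s*(?:f["']|["'].*?["']\s*\+|\w+\s*\+)"""
    ),
}

# The safer shape a completion should offer instead (constructed examples).
SAFE_ALTERNATIVES = {
    "sql_injection": 'cur.execute("SELECT * FROM users WHERE name = %s", (name,))',
    "hardcoded_credential": 'API_KEY = os.environ["API_KEY"]',
    "path_injection": "open(os.path.join(base_dir, os.path.basename(filename)))",
}


def scan_fragment(fragment: str) -> list[str]:
    """Return the insecure pattern categories found in a (possibly incomplete) fragment."""
    return [name for name, pat in INSECURE_PATTERNS.items() if pat.search(fragment)]


def filter_suggestion(fragment: str) -> str:
    """Mimic the filter: pass a clean fragment through, otherwise swap in a safer alternative."""
    hits = scan_fragment(fragment)
    if not hits:
        return fragment
    # Only the first category is replaced here; a real filter would re-prompt the model.
    return SAFE_ALTERNATIVES[hits[0]]


if __name__ == "__main__":
    # Constructed, deliberately incomplete fragments, as a completion stream would produce them
    for frag in [
        'cur.execute("SELECT * FROM users WHERE name = \'" + name',
        'API_KEY = "sk-live-EXAMPLE"',
        'open(base_dir + "/" + filename',
        'cur.execute("SELECT * FROM users WHERE name = %s", (name,))',
    ]:
        print(f"{frag!r:70} -> {scan_fragment(frag) or 'ok'}")
```

Regexes of this kind also miss a query assembled in an earlier line and then passed as a variable, which is one reason the article’s later point about whole-repository analysis at build time still stands.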

“The new system leverages LLMs to approximate the behavior of static analysis tools—and since GitHub Copilot runs advanced AI models on powerful compute resources, it’s incredibly fast and can even detect vulnerable patterns in incomplete fragments of code,” reads the company’s announcement. “This means insecure coding patterns are quickly blocked and replaced by alternative suggestions.”

Last but not least, GitHub acknowledges that vulnerability-detection tools still belong in the build or release phase (as opposed to the coding phase), run over entire repositories, for the following reasons:

  • Completed code is easier to analyze since the scanning tools have the full context, including the code’s dependencies
  • Build or release phases are not time-sensitive, allowing static analysis tools to perform thorough, longer analyses of the code
  • Static analysis tools are more accurate by leveraging language compilers, assuming the code is syntactically correct