Canary Agentic Autofix With Failure Classes and Reliability Gates GitHub announced agentic autofix for code scanning alerts in public preview on July 10, 2026. A developer proposed an evaluation framework using canary testing with failure classes and reliability gates to measure the tool's effectiveness beyond simple patch generation rates. GitHub announced agentic autofix for code scanning alerts in public preview on July 10, 2026. Primary source: GitHub Changelog, July 10, 2026 https://github.blog/changelog/2026-07-10-agentic-autofix-for-code-scanning-alerts-in-public-preview/ . The wrong metric is “percentage of alerts with a generated patch.” Generation is only the first transition: php alert - candidate - build - tests - security oracle - human review - merge - post-merge observation This is an evaluation proposal, not a benchmark or assessment of GitHub's preview. Start with repositories that have active owners, deterministic builds, relevant isolated tests, reversible releases, and no automatic production deployment from candidate patches. Exclude abandoned code, safety-critical paths, and repositories with unreliable tests. Assign the canary deterministically—for example, hash a stable alert ID into a fixed percentage. Do not move difficult results out of the cohort after seeing them. Record every attempt, including abstentions and failures: attempt id: "