Microsoft has announced the limited public preview of Copilot Autofix for GitHub Advanced Security for Azure DevOps, extending AI-powered vulnerability remediation to teams using Azure Repos. The new capability automatically analyzes security vulnerabilities identified by CodeQL, generates proposed fixes using GitHub Copilot's coding agent, and creates pull requests that developers can review and merge through their existing workflows. The release represents Microsoft's latest step toward embedding AI directly into software security, shifting the focus from simply identifying vulnerabilities to accelerating their remediation.
The announcement builds on GitHub's existing Copilot Autofix capabilities and brings them to organizations that have standardized on Azure DevOps rather than GitHub repositories. Instead of requiring developers to interpret CodeQL findings and implement fixes manually, the platform now combines static analysis with large language models to recommend context-aware code changes, reducing the time between vulnerability detection and remediation while maintaining human oversight through pull request reviews.
For years, static application security testing (SAST) tools have excelled at identifying vulnerabilities but have often left developers with the time-consuming task of understanding alerts, researching mitigation strategies, and implementing fixes. Microsoft argues that this "last mile" of application security has become one of the biggest bottlenecks in secure software delivery. Copilot Autofix seeks to address that problem by pairing CodeQL's deep semantic analysis with GitHub Copilot's code generation capabilities.
When CodeQL raises a supported security alert, developers can generate an AI-produced remediation directly from the Advanced Security interface. The coding agent analyzes the vulnerability alongside the surrounding application context before producing a proposed code change and automatically opening a pull request for review. Rather than modifying only the flagged line, the generated fix may include coordinated changes across multiple files where necessary to resolve the underlying issue correctly.
Although the remediation process is AI-assisted, Microsoft emphasizes that developers remain responsible for validating every proposed fix. Copilot Autofix recommendations are generated by a large language model and are not guaranteed to be complete or free from unintended side effects. As a result, the generated pull requests move through the same review, testing, and approval processes already established within Azure DevOps.
This approach reflects a broader trend in AI-assisted software engineering. Rather than allowing autonomous agents to make production changes independently, many enterprise platforms are positioning AI as an assistant that accelerates repetitive engineering tasks while preserving existing governance, compliance, and quality assurance practices.
The announcement also continues Microsoft's effort to close the feature gap between GitHub and Azure DevOps. GitHub Advanced Security for Azure DevOps already provides secret scanning, dependency scanning, CodeQL-based code scanning, and security dashboards for Azure Repos. Copilot Autofix extends that portfolio by adding AI-generated remediation, allowing organizations to progress from identifying vulnerabilities to producing candidate fixes without leaving their existing development environment.
The release follows Microsoft's broader strategy of integrating GitHub technologies more deeply into Azure DevOps while maintaining support for customers who continue to use Azure Repos rather than GitHub repositories. Previous updates have brought features such as CodeQL default setup, MCP integration, and expanded GitHub Advanced Security capabilities to Azure DevOps, with Copilot Autofix representing the latest step in that convergence.
The launch reflects a broader evolution in application security across the software industry. Security teams have recognized that finding vulnerabilities is only part of the challenge; organizations must also remediate them quickly enough to keep pace with modern software delivery. As AI accelerates code generation, the volume of code requiring security validation is growing rapidly, creating new pressure on development teams.
AI-assisted remediation has emerged as one response to this challenge. By combining static analysis with generative AI, platforms aim to reduce developer effort while shortening the window during which vulnerabilities remain unresolved. Rather than replacing secure development practices, AI is increasingly being used to automate routine remediation work so engineers can focus on higher-risk architectural and business logic issues.
Microsoft is not alone in embedding AI into secure software development. GitHub has expanded Copilot Autofix across GitHub Advanced Security, while companies including GitLab, Snyk, Sonar, and Checkmarx are integrating AI into vulnerability analysis, code review, and remediation workflows. The common objective is to move security closer to developers by making remediation as seamless as detection.
At the same time, recent research suggests that AI-generated fixes still require careful validation. Studies examining agent-generated pull requests have found that while AI can significantly accelerate software maintenance, many proposed fixes are ultimately rejected because of incomplete implementations, incorrect assumptions, or failures during testing and CI validation. These findings reinforce Microsoft's decision to position Copilot Autofix as a reviewable assistant rather than a fully autonomous security engineer.