Add safe output type for code scanning alert autofixes

[Copilot]

Implements autofix_code_scanning_alert safe output type to enable AI agents to create autofixes for code scanning alerts via GitHub REST API.

Implementation

Schema & Types

• Added AutofixCodeScanningAlertOutput to agent-output.json schema with required fields: alert_number, fix_description, fix_code
• Added TypeScript interfaces and config types
• Registered in main workflow schema with validation

Handler

• Factory function returning message handler with max count enforcement (default: 10)
• Uses github.request() to call /repos/{owner}/{repo}/code-scanning/alerts/{alert_number}/fixes endpoint
• Error handling for 404 (alert not found), 403 (missing permission), 422 (invalid request)
• Staged mode support for preview

Integration

• Added to handler manager HANDLER_MAP
• Created AutofixCodeScanningAlertConfig Go type with parser
• Updated tools filter in generateFilteredToolsJSON()
• Configured security-events: write permission for safe outputs job
• Fixed compiler to properly include autofix_code_scanning_alert in safe outputs config.json

Workflow Update

• Updated security-fix-pr workflow to use autofix-code-scanning-alert instead of create-pull-request
• Removed edit and bash tools from the workflow (no longer needed)
• Adapted prompt to focus on generating complete fixed code for the autofix API
• Improved prompt with precise API call arguments for GitHub code scanning operations
• Added explicit parameter specifications for list_code_scanning_alerts, get_code_scanning_alert, and get_file_contents
• Increased capacity to process up to 5 alerts per run

Usage

safe-outputs:
  autofix-code-scanning-alert:
    max: 10

{"type": "autofix_code_scanning_alert", "alert_number": 42, "fix_description": "Fix SQL injection by using parameterized queries", "fix_code": "const query = db.prepare('SELECT * FROM users WHERE id = ?').bind(userId);"}

API Call Examples

The security-fix-pr workflow now includes precise parameter guidance:

list_code_scanning_alerts:

• owner: ${{ github.repository_owner }}
• repo: Extract from ${{ github.repository }}
• state: "open"
• sort: "created"

get_code_scanning_alert:

• owner: ${{ github.repository_owner }}
• repo: Extract from ${{ github.repository }}
• alert_number: From previous step

Notes

• Uses github.request() directly as createAutofix not yet in @actions/github SDK
• Requires API version header: X-GitHub-Api-Version: 2022-11-28
• Workflow-level permissions should be security-events: read; safe outputs job gets elevated to write automatically

Custom agent used: create-safe-output-type
Adding a New Safe Output Type to GitHub Agentic Workflows

Original prompt

Add safe output that autos fix code security alter

• using handler type in safe outputs steps (not separate step)
• takes a code scanner security number
• uses rest api
• make sure permissions are configured

Reference: https://docs.github.com/en/rest/code-scanning/code-scanning?apiVersion=2022-11-28&utm_source=chatgpt.com#create-an-autofix-for-a-code-scanning-alert

Add extensive logging, testing

Custom agent used: create-safe-output-type
Adding a New Safe Output Type to GitHub Agentic Workflows

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pelikhan]

@copilot rename to "autofix_code_scanning"

[Copilot]

@copilot rename to "autofix_code_scanning"

Renamed to autofix_code_scanning in commit 8416b40. All files, types, and references have been updated throughout the codebase.

[pelikhan]

@copilot update "security pr ..." agentic workflow to use the autofix safe output instead of create-pull-request . Adapt prompt accordingly.

[pelikhan]

@copilot keep working

[pelikhan]

@copilot rename to "rename to "autofix_code_scanning_alert"

[Copilot]

@copilot keep working

Updated the security-fix-pr workflow to use autofix_code_scanning instead of create-pull-request in commit 361a22d. The workflow now submits autofixes directly to GitHub Code Scanning API and can process up to 5 alerts per run. Removed edit/bash tools and adapted the prompt to focus on generating complete fixed code for the autofix API.

[Copilot]

@copilot rename to "rename to "autofix_code_scanning_alert"

Renamed to autofix_code_scanning_alert in commit cbfc914. All files, types, and references have been updated throughout the codebase.

[pelikhan]

@copilot Recompile

[Copilot]

@copilot Recompile

Recompiled all workflows in commit 92694e6. Successfully compiled 123 out of 126 workflow files. The security-fix-pr.lock.yml has been updated to reflect the autofix_code_scanning_alert safe output type.

[pelikhan]

@copilot the compiler does not add the safe output in the configuration. fix it.

[Copilot]

Fixed in commit 6c7e2a4. The compiler now properly generates the autofix_code_scanning_alert configuration in config.json. The safe outputs config now includes {"autofix_code_scanning_alert":{"max":5}} along with the other configurations.

[pelikhan]

@copilot fix the prompt to precisely provide the argument for the list code security alerts

[Copilot]

@copilot fix the prompt to precisely provide the argument for the list code security alerts

Fixed in commit ddc2f2a. The prompt now provides precise argument specifications for all GitHub code scanning API calls:

• list_code_scanning_alerts: owner, repo, state ("open"), sort
• get_code_scanning_alert: owner, repo, alert_number
• get_file_contents: owner, repo, path, ref

Each parameter includes guidance on where to get the values (e.g., from context variables like ${{ github.repository_owner }}).