Video
How to Use AI-Assisted Code Remediation: Perforce QAC [DEMO]
Overview: Accelerate Code Fixes With AI-Assisted Code Remediation in Perforce QAC
Static analysis tells you what’s wrong. AI-assisted code remediation helps you fix it.
Watch as Perforce expert Steve Howard demonstrates how to:
- Generate AI-powered fixes directly from QAC findings: See how developers can trigger AI-assisted remediation from within the IDE, using QAC’s diagnostic context to produce accurate fixes aligned with coding standards.
- Leverage deep analysis context for more accurate remediation: Watch how QAC’s inter-procedural analysis and MCP server provide rich context, enabling AI to deliver more precise, explanation-backed fix recommendations.
- Automatically validate fixes with reanalysis: Learn how QAC re-runs analysis after every AI-generated change to confirm the issue is resolved, and that no new issues are introduced.
- Maintain full developer control with review and approval workflows: See how developers review, refine, document, and approve AI-generated fixes before committing, ensuring compliance and control in safety-critical environments.
Experience the power of AI-Assisted Code Remediation for Yourself
See how your team can move from find → fix → verify faster — with the accuracy and confidence needed for safety-critical code — in a QAC free trial.
Full Transcript
Today, I'm going to demonstrate the new QAC AI-assisted remediation features that we have within the QAC product suite.
In this case, we're going to be using Visual Studio Code. However, this will also be possible from other IDEs and with other code assist tools.
I started by loading one of our sample projects. This is the MISRA C++: 2023 example set. And within my Visual Studio Code, I have included the installation of the GitHub Copilot Chat and also the Perforce static analysis tools, which, in this case, are configured to use the QAC analysis engine.
I've also got my QAC MCP server, which is what we're going to use to provide the information that the AI tools need in order to propose fixes for issues and understand the deep context information from the QAC analysis engine, in order to make sure that's accurate.
In this case, my GitHub Copilot Chat is just a standard free account, which is using the public LLMs. So, this is probably not something that would be typically permitted in your own organization. However, your IT team, if you're using GitHub Copilot, will hopefully have their own accounts, and that would mean that you only get the approved, IT-approved private LLM models, and maybe cloud instances or local LLMs as well, if they've gone through the process of setting that up. So, any of those will be possible to select. In my case, as I say, it's the public LLMs that are available with the default account.
So, once I've got everything set up, and I've opened my project, which, as I say, was this set of examples, each one of these files represents one of the rules from the standard for the MISRA C++: 2023 standard. And when I open up my file there, you can see that, as part of that opening, my analysis runs to update the results for the project, in this case, this particular file. And I have three instances of issues reported within my problems window in Visual Studio Code. And those are all the same instance; they are all violations of MISRA C++: 2023, rule 0.1.2.
Now, when we have the Perforce Static Analysis extension set up for QAC, the right-hand context menu for the problems window will give us three additional options to do with the message help for the particular issue that's reported in QAC. The rule help, if there is one, so in this case we have the actual rule help for MISRA C++ standard 0.1.2, and that's obviously then under license, and all of that's paid for as part of your QAC local desktop installation. And we have this option, most importantly, to actually use AI tools now with the QAC context data to fix the problem.
So, when I click on that, that then sends the information, or the request or prompt, to GitHub Copilot to go and use our QAC MCP server in order to determine what this problem is and how we can go about fixing it. And at that point, we can kind of leave AI and QAC to do their thing, and all of that will hopefully just work away in the background.
So, as a developer, I can go and make more changes, be working on the next thing, and so on and so forth. But you can see there now it's retrieved the diagnostics information. Again, it's communicating with the MCP server, getting the message help, and so on and so forth, and then hopefully coming up with a proposed fix for this issue.
So, there we go. It's just working through that now. And there's our response. Now, nice as well here that the GitHub Copilot explains why it's proposing this fix and the logic behind it. And you can see that, obviously, in this case, it's a relatively simple fix. But most importantly, as a result of that change, now automatically we're reanalyzing the project with QAC to make sure that that particular issue indeed has been fixed and that we haven't introduced new issues as a result of that change. You can see all of that update automatically without further developer interaction.
Also, because we have the full context of that diagnostic information, understanding, processing, and fixing within the GitHub Copilot Chat, we can now also refer back to that with additional requests. For example, we could ask GitHub Copilot to add a comment to the code describing the fix and include the original MISRA C++ rule reference.
Okay, so that hopefully will allow GitHub Copilot, again, based on that previous context of what's happened, to add a little comment just to describe this fix so that, when we submit this code for review at some point later, someone will understand why it is that we made this particular change or we allowed AI to make this change and then indeed implemented it.
Again, the analysis will trigger automatically in the background, just to make sure there are no changes, and indeed there aren't.
So finally, it's down to the developer to make a call as to whether they want to accept this fix or otherwise. That's very important for safety-critical systems; it's always a developer-in-the-loop approval that is required finally before this change is kept. So, I can just say keep, and there we go, that's now stored that change for me. Again, the analysis would run in the background, just to check that's still good. And you can then submit that, and hopefully it will pass the review.
Thank you very much for watching, and hopefully you will get to try these new features within your own QAC installations in the near future. Goodbye.