AutoFix
This capability is in Beta, and not generally available. Please contact Customer Success if you need assistance.
Qwiet AI AutoFix uses large language models (LLMs) to generate potential code fix suggestions for findings produced by preZero analyses. In addition to code changes, AutoFix also provides steps to address the vulnerability findings.
AutoFix suggestions are provided in context of a particular analysis and the existing application source code. To generate the fix, the LLM uses data available in the Code Property Graph (CPG) generated during the application analysis, including relevant source code snippets captured only when this capability is enabled. Qwiet AI AutoFix LLMs are deployed in Qwiet AI's virtual private cloud, and none of the data is shared with any third party.
AutoFix suggestions are generated automatically while the application is being analyzed in the cloud. This is an asynchronous process, and will not slow down the reporting of findings. Suggestions might take several seconds to be available for a particular finding. At the moment, AutoFix suggestions are generated for the top ten findings for each application, sorted by severity in descending order (critical, high, medium, low).
Viewing and using AutoFix suggestions
The main goal of Qwiet AI AutoFix suggestions is to help software developers and security practitioners fix vulnerability findings faster.
AutoFix suggestions generally include the updated code and steps to address the vulnerability finding. The user can copy the code and paste it in an IDE or code editor, verify that the code works as intended, and then re-analyze the application. The user can also ignore the code and use the steps to address the finding to write their own code, and then re-analyze the application. A combination of both approaches could also work well.
To view an AutoFix suggestion, click on a finding in the Vulnerabilities tab in the application details page, and then click on the AutoFix tab.
To help streamline the amount of information displayed, you can toggle on Qwiet the Noise, which filters for only critical and high severity vulnerabilities. You can also enable the AutoFix Available filter, which lists only findings that have an AutoFix suggestion available.
Please provide feedback by scrolling down to the bottom of the AutoFix suggestion panel, and clicking the thumbs up/down button. Optionally, select a reason for the thumbs up/down, type in additional feedback, and click the Submit button.
Enabling or disabling AutoFix suggestions
AutoFix can be configured at the organization level in the Organization Settings page. Use the Enable AutoFix toggle to turn the feature on or off. When enabled, AutoFix will work for all applications in the organization unless it's explicitly disabled, since the default application setting for AutoFix is Inherit (see below).
AutoFix can also be configured at the application level, in each application's Settings page. The AutoFix section has three options: Inherit (which is the default), Enable, and Disable. When the Inherit option is selected, AutoFix will be enabled or disabled for this application based on the organization settings. When Enable or Disable is selected, AutoFix will be enabled or disabled irrespective of the organization settings.
AutoFix pull requests
AutoFix pull requests only work with GitHub. Additional providers will be available at a later time.
AutoFix can manually or automatically submit a pull request once an application analysis is completed and AutoFix suggestions are available.
To enable this functionality, provide the repository owner (e.g. the name of the GitHub organization) and a GitHub personal access token in the Enable AutoFix section of the Organization Settings page. Please note that if your GitHub organization has SAML SSO enabled, you must authorize the PAT after its creation before it can access repositories in the organization.
You can choose whether the pull request should be created automatically (default) or manually with the Create Pull Request button, when reviewing findings that have an AutoFix suggestion available. Go to Viewing and using AutoFix suggestions to see an example.
Note that if the pull request remains open, subsequent analyses will amend the existing pull request, instead of creating a new one.
Supported languages
Qwiet AI AutoFix is available for applications written in the following programming languages:
- C/C++
- C#
- Go
- Java
- JavaScript
- PHP
- Python
- TypeScript
In most cases, only the latest "src" CPG frontend is supported (e.g. --jssrc instead of --js, --javasrc instead of --java, --pythonsrc instead of --python). This is the default behavior when language detection is in use.
Limitations
Users must always consider the limitations of AI and review and edit the suggestion to ensure that the resulting code and application are correct, secure, performant, compliant, etc.
Qwiet AI AutoFix capability has the following known limitations:
- The system primarily uses English data. If code and comments are written in other languages, the quality of the suggestions might be diminished
- The AutoFix suggestion might contain code that is not syntactically correct. Linters and proper test coverage should help mitigate this issue
- AutoFix suggestions might change the semantics of the application. Good test coverage should help mitigate this issue
- Some AutoFix suggestions might not fix or resolve the vulnerability finding, and in some cases they might introduce additional issues. Review suggestions carefully
For further assistance or inquiries, please contact your Customer Success representative.