AutoFix
This capability is not enabled by default. Please contact Customer Success if you need assistance.
Qwiet AI AutoFix uses large language models (LLMs) to generate potential code fix suggestions for findings produced by preZero analyses. In addition to code changes, AutoFix also provides steps to address the vulnerability findings.
AutoFix suggestions are provided in context of a particular analysis and the existing application source code. To generate the fix, the LLM uses data available in the Code Property Graph (CPG) generated during the application analysis, including relevant source code snippets captured only when this capability is enabled. Qwiet AI AutoFix LLMs are deployed in Qwiet AI's virtual private cloud, and none of the data is shared with any third party.
Qwiet AI does NOT do any model training with customer data
AutoFix suggestions are generated automatically while the application is being analyzed in the cloud. This is an asynchronous process, and will not slow down the reporting of findings. Suggestions might take several seconds to be available for a particular finding. At the moment, AutoFix suggestions are generated for the top ten SAST findings for each application, sorted by severity in descending order (critical, high, medium, low).
Limitations
Users must always consider the limitations of AI and review and edit the suggestion or pull request to ensure that the resulting code and application are correct, secure, performant, compliant, etc.
Qwiet AI AutoFix capability has the following known limitations:
- The system primarily uses English data. If code and comments are written in other languages, the quality of the suggestions might be diminished
- The AutoFix suggestion might contain code that is not syntactically correct. Linters and proper test coverage should help mitigate this issue
- AutoFix suggestions might change the semantics of the application. Good test coverage should help mitigate this issue
- Some AutoFix suggestions might not fix or resolve the vulnerability finding, and in some cases it might introduce additional issues. Review suggestions carefully
Viewing and using AutoFix suggestions
The main goal of Qwiet AI AutoFix suggestions is to help software developers and security practitioners fix vulnerability findings faster.
AutoFix suggestions generally include the updated code and steps to address the vulnerability finding. The user can copy the code and paste it in an IDE or code editor, verify that the code works as intended, and then re-analyze the application. The user can also ignore the code and use the steps to address the finding to write their own code, and then re-analyze the application. A combination of both approaches could also work well.
To view an AutoFix suggestion, click on a finding in the Vulnerabilities tab in the application details page, and then click on the AutoFix tab.
To help streamline the amount of information displayed, you can toggle on Qwiet the Noise, which filters for only critical and high severity vulnerabilities. You can also enable the AutoFix Available filter, which lists only findings that have an AutoFix suggestion available.
Please provide feedback by scrolling down to the bottom of the AutoFix suggestion panel, and clicking the thumbs up/down button. Optionally, select a reason for the thumbs up/down, type in additional feedback, and click the Submit button.
Agentic Workflow
By default, the AutoFix capability is powered by multiple AI agents. These agents collaborate with each other to provide a final result for the user, as well as individual results that could help in the resolution of a finding.
The final result appears at the top of the AutoFix tab, and it's usually provided by Catherine AppSec Team Lead or Nova Refactoring Engineer (for cases where a code refactoring was necessary).
To view additional results, scroll down and click on View results from other agents >>.
The following agents are currently available:
- Scout Threat Analyst: Cybersecurity expert. Identifies potential attack vectors in vulnerable code and generates attack payloads
- Toby Test Engineer: Cybersecurity expert and Quality Assurance Engineer. Generates test cases based on attack payloads provided by Scout
- Clara AppSec Engineer: Application Security Engineer. Analyzes mitigation notes and test cases provided by Toby and fixes the code accordingly
- Evan Security Engineer: Security expert and Software Engineer. Examines the vulnerable code and provides notes suggesting a more effective and improved approach that mitigates the vulnerability
- Hal Dependency Inspector: Software and Security Engineer. Assesses the reliability of the dependencies/imports suggested in the fixed code
- Nova Refactoring Engineer: Refactoring Engineer. Identifies and rectifies dependency issues, refactoring the code as necessary
- Catherine AppSec Team Lead: AppSec team lead. Reviews results from other agents in the team and fixes any additional issues, ensuring that every piece of code maintains high standards of efficiency and security
Enabling or disabling AutoFix suggestions
AutoFix can be configured at the organization level in the Organization Settings page. Use the Enable AutoFix toggle to turn the feature on or off. When enabled, AutoFix will work for all applications in the organization unless it's explicitly disabled, since the default application setting for AutoFix is Inherit (see below).
Autofix can also be configured at the application level, in each application's Settings page. The AutoFix section has three options: Inherit (which is the default), Enable, and Disable. When the Inherit option is selected, AutoFix will be enabled or disabled for this application based on the organization settings. When Enable or Disable are selected, Autofix will be enabled or disabled irrespective of the organization settings.
AutoFix pull requests
AutoFix pull requests only work with GitHub. Additional providers will be available at a later time
AutoFix can manually or automatically submit a pull request once an application analysis is completed and AutoFix suggestions are available. Note that if the pull request remains open, subsequent analyses will amend the existing pull request, instead of creating a new one.
To enable this functionality, you will need to provide the repository owner (e.g. the name of the GitHub organization) and a GitHub personal access token. These credentials can be provided at the application, team, and organization levels. AutoFix will look for the credentials in the following order:
- Application Settings
- Team Settings
- Organization Settings
For example: if the credentials are provided in an Application's settings, it will use that and ignore any Team and Organization credentials.
Required scopes
The following scopes are required for Tokens (classic):
repo
The following scopes are required for Fine-grained tokens:
Read and Write access to pull requestsRead access to metadata(automatically added by GitHub)
Please note that if your GitHub organization has SAML SSO enabled (e.g. GitHub Enterprise Managed Users), you must authorize the PAT after its creation before it can access repositories in the organization.
Organization-level GitHub PAT configuration
For the Organization, provide GitHub credentials in the Enable AutoFix section of the Organization Settings page.
You can choose whether the pull request should be created automatically (default) or manually with the Create Pull Request button, when reviewing findings that have an AutoFix suggestion available. Go to Viewing and using AutoFix suggestions to see an example.
Team-level GitHub PAT configuration
For teams, provide the GitHub credentials in the Manage Teams page by clicking on the Pull Requests button.
Application-level GitHub PAT configuration
For apps, provide the GitHub credentials in the Application Settings page, under the AutoFix section.
Once a pull request is created by AutoFix, it can be treated as a normal pull request (e.g. reviewed, approved, receive additional commits).
Supported languages
Qwiet AI AutoFix is available for applications written in the following programming languages:
- C#
- Go
- Java
- JavaScript
- PHP
- Python
- TypeScript
Coming soon:
- C/C++
- Ruby
In most cases, only the latest "src" CPG frontend is supported (e.g. --jssrc instead of --js, --javasrc instead of --java, --pythonsrc instead of --python). This is the default behavior when language detection is in use.
For further assistance or inquiries, please contact your Customer Success representative.