Skip to main content

Using the bestfix script to obtain remediation and scan improvement suggestions

The bestfix script provides remediation and scan improvement suggestions for your application's key Qwiet preZero findings.


Before proceeding, please ensure that:

  • You have Python 3.9 (or later) installed on your workstation;
  • You have scanned your application at least once using Qwiet preZero;
  • You have wkhtmltopdf installed if you'd like reports in PDF format.

We recommend that users on macOS use pyenv.

Access token

Before proceeding, create an environment variable called SHIFTLEFT_ACCESS_TOKEN. Set its value to your access token, which is available in the dashboard).

How to run the bestfix script

  1. Clone Qwiet's field integrations repo to your local machine.

  2. Navigate into the repo's shiftleft-utils directory.

  3. Run pip3 install -r requirements.txt to install the dependencies required by bestfix.

  4. Run bestfix by providing the following in the terminal:

    python3 --all-ratings -a <yourApp> -s <pathToSourceCode>`

    Note that all parameters are optional. If you provide no parameters, the script will, by default, generate information about reachable OSS findings and critical- and high-severity vulnerabilities.


    -s <pathToApp>The path to the application's directory; provide if the source code is available on the local workstation
    -a <appName>The name of the application whose findings you'd like fix/remediation suggestions for; if omitted, bestfix runs for all apps in your Qwiet organization
    -o <path>The location where you would like bestfix to save the HTML copy of your results; if omitted, bestfix saves the report to the directory from which you ran bestfix
    --all-ratingsInclude vulnerabilities of all severities in the results

Sample usage

python3 -a HelloShiftLeft -o /Users/janesmith/reports -s /Users/janesmith/demoApp

Reviewing results

bestfix prints your results to the terminal, but you can also access an HTML copy saved to the location where you executed (optionally, you can provide an alternative directory using -o <directory/where/report/should/be/saved>).

In the results, you'll find the following information:

  • Fix suggestions for OSS vulnerabilities: a list of the reachable OSS findings present in your application, and the suggested upgrades to those packages that will remediate the findings
  • Fix suggestions for vulnerabilities: a list of suggested fixes for findings present in your application
  • Findings similarity analysis: groups of like vulnerabilities (i.e., bestfix groups together all directory traversal/deserialization/etc. vulnerabilities); applying remediation to any one of these findings in a given group should correct all of the issues that are grouped with it
  • Suggestions for scan improvements: a list of improvements that you can make to improve the performance or the usability of your results (e.g., tagging your results with the branch name for easy cross-referencing)

PDF reports

The bestfix script can automatically export the report in PDF format. It uses pdfkit, so you must have wkhtmltopdf installed.


Non-admin users on Windows may see the following error:

ERROR: Could not install packages due to an OSError: [WinError 5] Access is denied

To work around this, pass the --user flag as shown:

python -m pip install --upgrade pip --user
python -m pip install -r .\requirements.txt --user