When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that LLM. Use of Contrast AI SmartFix is entirely at your own risk.
Welcome to Contrast AI SmartFix! SmartFix is an AI-powered agent that automatically generates code fixes for vulnerabilities identified by Contrast Assess. It integrates into your developer workflow via GitHub Actions, creating Pull Requests (PRs) with proposed remediations.
Key Benefits:
- Automated Remediation: Reduces the manual effort and time required to fix vulnerabilities.
- Developer-Focused: Delivers fixes as PRs directly in your GitHub repository, fitting naturally into existing workflows.
- Runtime Context: Leverages Contrast Assess's runtime analysis (IAST) to provide more accurate and relevant fixes.
SmartFix supports three distinct coding agents for vulnerability remediation on GitHub:
- SmartFix Agent (Recommended): Uses Contrast vulnerability data with a team of agentic AIs to analyze, fix, and validate vulnerability remediations. This agent creates a complete fix, ensures your project builds successfully, and verifies that existing tests continue to pass. Requires API keys for your preferred LLM provider.
- GitHub Copilot Agent: Leverages GitHub Copilot for vulnerability fixes through GitHub Issues. SmartFix creates a detailed GitHub Issue with vulnerability information and assigns it to GitHub Copilot for resolution. Copilot then attempts the fix and creates a Pull Request. Requires your repository to enable GitHub Issues and Copilot.
- Claude Code Agent: Leverages Anthropic's Claude Code bot for vulnerability fixes through GitHub Issues. SmartFix creates a detailed GitHub Issue with vulnerability information and mentions the Claude Code bot in the Issue title. Claude Code then attempts the fix and creates a Pull Request. Requires your repository to install the Claude Code GitHub App.
Please follow the specific setup instructions link for the coding agent of your choice:
- Support for Multiple Coding Agents: Choose to use either the internal SmartFix coding agent or GitHub Copilot to remediate your project's vulnerabilities.
- Bring Your Own LLM (BYOLLM): Flexibility to use your preferred LLM provider and model with the SmartFix Coding Agent.
- Configurable PR Throttling: Control the volume of automated PRs using `max_open_prs`.
- Debug Mode: Enable `debug_mode: 'true'` for verbose logging in the GitHub Action output.
- Q: Can I use SmartFix if I don't use Contrast Assess?
- A: No, SmartFix relies on vulnerability data from Contrast Assess. In the future we plan to expand to include more.
- Q: How often does SmartFix run?
- A: This is determined by the `schedule` trigger in your GitHub Actions workflow file. You can customize it.
- Q: What happens if the AI cannot generate a fix?
- A: The agent will log this, and no PR will be created for that specific vulnerability attempt. It will retry on a future run.
- Q: Can SmartFix fix multiple vulnerabilities in one PR?
- A: No, each PR addresses a single vulnerability.
- Q: Will SmartFix add new library dependencies?
- A: Generally, SmartFix aims to use existing libraries and frameworks. We have instructed it not to make major architectural changes or add new dependencies.
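As an added example that is not part of the original SmartFix documentation, the workflow below ties together the `schedule` trigger mentioned in the FAQ and the `max_open_prs` and `debug_mode` inputs from the feature list. The action reference (`uses:`), the `permissions` block, the cron expression, the `max_open_prs` value and the credential secret name are assumptions or placeholders; take the real values from the setup instructions for the coding agent you chose.

```yaml
# Added example workflow, not from the SmartFix docs.
# Placeholders/assumptions: the action reference, the permissions block,
# the cron line, the max_open_prs value and the secret name.
name: Contrast AI SmartFix

on:
  schedule:
    # The `schedule` trigger decides how often SmartFix runs.
    # Constructed example: 03:00 UTC every Monday.
    - cron: '0 3 * * 1'
  workflow_dispatch: {}   # optional: allow a manual run from the Actions tab

# Assumed: the job needs to push fix branches and open PRs.
# Keep the GITHUB_TOKEN scoped to exactly these permissions.
permissions:
  contents: write
  pull-requests: write

jobs:
  smartfix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Contrast AI SmartFix
        # PLACEHOLDER: replace with the action reference from the setup instructions
        uses: <contrast-smartfix-action>@<version>
        with:
          # PR throttling: never have more than this many SmartFix PRs open at once
          # (5 is a constructed value; pick what your reviewers can keep up with)
          max_open_prs: 5
          # Verbose logging in the Action output; turn on only while troubleshooting
          debug_mode: 'true'
          # Contrast and LLM credentials are required by the agent but are not
          # listed on this page. PLACEHOLDER secret name; see the setup instructions.
          # contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
```

`max_open_prs` is the control to tune first: it caps how many unreviewed automated changes can be pending at any time, which keeps the review queue manageable and limits the blast radius if the agent produces a wrong fix. Keep `debug_mode` off in normal operation, since verbose output lands in the Action log, and review each generated PR as you would any other contribution before merging.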
For further assistance or to provide feedback on SmartFix, please contact your Contrast Security representative.