Skip to main content

Contrast AI SmartFix

Legal Disclaimer

When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that Contrast AI SmartFix LLM. Use of Contrast AI SmartFix is entirely at your own risk.

Contrast AI SmartFix is an AI-powered agent designed to streamline the process of vulnerability remediation. It automatically generates code fixes for security vulnerabilities that Contrast IAST technology (Assess) and Contrast SAST technology identify. The agent seamlessly integrates into your existing workflow through GitHub Actions. It creates pull requests (PRs) with its proposed remediations.

SmartFix benefits

  • Automated remediation: SmartFix significantly reduces the manual effort and time that you typically require to fix vulnerabilities.

  • Developer-focused: The tool is designed with developers in mind. It delivers fixes directly as pull requests within your GitHub repository. This behavior allows it to fit naturally into your existing development workflows.

  • Runtime context: By using the runtime analysis from Contrast IAST technology (Assess), SmartFix can provide more accurate and relevant code fixes.

  • SAST source mapping: For SAST findings, SmartFix uses the file path and line number from the static finding to locate and fix the target code.

SmartFix features

  • Bring Your Own LLM (BYOLLM): SmartFix lets you use your preferred Large Language Model (LLM) provider and model.

  • Configurable PR throttling: You control the volume of automated PRs that SmartFix creates by using the max_open_prs input setting.

  • Build command integration: To ensure that the generated changes can build successfully, you provide a build_command. Ideally, this command also runs your tests to ensure that the agent does not break existing tests.

  • Code formatting: If your project requires specific code formatting, you can provide a formatting_command to ensure that the generated code adheres to your project's style guide. Use this command before the build runs.

  • Debug mode: For more detailed logging in the GitHub Action output, set debug_mode to true.

  • Supported languages: Java, .NET Core, .NET Framework, Node.js, and Python.

  • Operate in SAST-only mode: If your organization uses Northstar for static analysis (SAST), SmartFix can operate in SAST-only mode. To do this, omit the contrast_app_id and contrast_app_ids inputs from your workflow configuration. SmartFix will target SAST findings from Northstar rather than IAST findings from Contrast Assess. A Contrast account and organization ID are still required.

SmartFix status changes in Contrast

Contrast: For each vulnerability, when SmartFix opens a pull request (PR) or the pull request is merged, the Notes tab on the Vulnerabilities page in the web interface includes SmartFix activity including a link to the PR.

Northstar: For each issue, when SmartFix opens a pull request (PR) or the pull request is merged, the Activity tab in an Issues detail view includes SmartFix activity including a link to the PR.

The status for the vulnerability or issue changes to SmartFix Remediated.

SmartFix activity dashboard

AppSec managers can view a SmartFix usage chart in the Organization Settings page of the Contrast web interface. The chart shows monthly pull request (PR) activity for your organization over the past 12 months so that you can track adoption and report on remediation value. The X-axis spans the current partial month plus the 12 preceding complete calendar months. Months with no activity appear as zero values.

Note

Any user with the View permission on the Organization can see the SmartFix activity chart. No additional role is required.

To find the chart:

  • Northstar: The SmartFix activity chart appears as a widget in the Insights area

    AI-Activity-NS.png
  • Contrast: In the Organization settings, scroll down to the SmartFix activity chart

    SmartFix-Usage-Contrast.png

The chart only appears when your organization has SmartFix data. If no SmartFix runs have occurred, the chart is not displayed.

The chart shows PRs attempted versus accepted line chart displays two data series every month:

  • PRs created (PRs attempted): the number of pull requests that SmartFix opened in that month

  • PRs accepted (PRs merged): the number of those pull requests that were merged

See also

Set up Contrast AI SmartFix

Contrast AI SmartFix Troubleshooting