Set up Contrast AI SmartFix
Legal Disclaimer
When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that Contrast AI SmartFixLLM. Use of is entirely at your own risk.
To use Contrast AI SmartFix, add a workflow file to your GitHub repository (for example, .github/workflows/smartfix.yml)
.
Note
For access to this feature, contact your Contrast representative.
Before you begin
Contrast Assess: Ensure that Contrast Assess is enabled for your applications.
Supported vulnerabilities: Critical and High
GitHub: Verify your project is hosted on GitHub and uses GitHub Actions.
API-only user: Create an API-only service user in Contrast with a role that has the View organization and Edit application actions.
Contrast credentials: You need the host name of your Contrast installation, the Organization ID, application ID, Authorization Key, and API Key.
You can find the Organization ID, Authorization Key, and API key in your user settings in the Contrast web interface. To find the application ID, in the Applications page in the Contrast web interface, select an application. The number after
applications/
in the URL is the ID.Build command: Ensure you have a reliable command to build your application and run tests. For example, you could use commands such as
mvn clean verify
andgradle clean build test
.This command must be in the SmartFix workflow.
Large Language Model (LLM) account and API key: For example, an AWS account for Bedrock or an Anthropic account for direct Anthropic API.
Recommended LLM: Anthropic Claude Sonnet (for example, Claude 3.7 Sonnet with AWS Bedrock or direct Anthropic API).
LiteLLM documentation contains details for the
agent_model
strings.Exclusions: Cross-Site Request Forgery (CSRF) is currently excluded due to the complexity of fixes often requiring API changes. Other specific vulnerability types may be excluded based on ongoing testing by Contrast.
SmartFix best practices
Start with a single application: Start with a single application to familiarize yourself with the SmartFix workflow and to fine-tune your configuration.
Review and test PRs: While the goal of SmartFix is to provide accurate fixes, always review and test the generated PRs before merging them into your codebase.
Fine-tune
max_open_prs
: Adjust themax_open_prs
setting based on your team's capacity to review and merge PRs.Use a specific LLM version: To ensure consistent results, pin the LLM you are using to a specific version in your configuration.
Steps
Create the workflow file: In your GitHub repository, create a new workflow file.
Use the workflow example as a guide or go to the full example in https://github.com/Contrast-Security-OSS/contrast-ai-smartfix-action/blob/main/contrast-ai-smartfix.yml.template.
Configure your Contrast credentials: In the workflow file, include these Contrast credentials.
contrast_host
: The host name of your Contrast instance, including the protocol. For example:https://yourcompany.contrastsecurity.com
.contrast_org_id
: Contrast organization UUIDcontrast_app_name
: The Contrast application UUID for the specific repositorycontrast_authorization_key
: Recommended: Create a service user and use the authorization key for that user.contrast_api_key
: Organization API key
Recommendation: Store all sensitive values, such as API keys and authorization keys, as GitHub Secrets.
Configure GitHub settings: Configure settings for GitHub, including the
github_token
and thebase_branch
for the pull requests.Set the build command: SmartFix requires a
build_command
to ensure that its changes work correctly with your project. Use a command that is appropriate for your project, such asmvn clean install
.Configure Your LLM: Choose an LLM provider and configure the necessary credentials in the workflow file.
Recommended: Anthropic Claude Sonnet.
SmartFix workflow example
This example shows how to set up SmartFix in a .github/workflows/smartfix.yml
workflow file. It uses Anthropic Claude Sonnet as the LLM.
name: Contrast AI SmartFix on: pull_request: types: - closed # For notifying backend when a SmartFix PR is closed without merging schedule: - cron: '0 0 * * *' # Runs daily at midnight UTC. Adjust as needed. workflow_dispatch: # Allows manual triggering permissions: contents: write pull-requests: write jobs: generate_fixes: name: Generate Fixes runs-on: ubuntu-latest if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule' steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 # Required for SmartFix to analyze code history - name: Run Contrast AI SmartFix - Generate Fixes uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 # Use the latest appropriate version with: # --- Contrast Configuration (Required) --- contrast_host: ${{ vars.CONTRAST_HOST }} # e.g., https://app.contrastsecurity.com contrast_org_id: ${{ vars.CONTRAST_ORG_ID }} contrast_app_id: ${{ vars.CONTRAST_APP_ID }} contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }} contrast_api_key: ${{ secrets.CONTRAST_API_KEY }} # --- GitHub Configuration (Required) --- github_token: ${{ secrets.GITHUB_TOKEN }} # For PR creation base_branch: main # Or your project's default branch # --- Build Configuration (Required) --- build_command: mvn clean verify # IMPORTANT: Replace with your project's build command that includes tests. e.g., gradle clean build test\' # --- LLM Configuration (BYOLLM - Choose ONE provider) --- # Option 1: Anthropic Claude Sonnet via AWS Bedrock (Recommended) agent_model: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0 # Check LiteLLM docs for latest model strings aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws_region_name: us-east-1 # Or your AWS region # aws_session_token: ${{ secrets.AWS_SESSION_TOKEN }} # Optional # aws_profile_name: ${{ vars.AWS_PROFILE_NAME }} # Optional # aws_role_name: ${{ vars.AWS_ROLE_NAME }} # Optional # aws_session_name: ${{ vars.AWS_SESSION_NAME }} # Optional # aws_web_identity_token: ${{ secrets.AWS_WEB_IDENTITY_TOKEN }} # Optional # aws_bedrock_runtime_endpoint: ${{ vars.AWS_BEDROCK_RUNTIME_ENDPOINT }} # Optional, for custom Bedrock endpoints # Option 2: Anthropic Claude Sonnet via Direct Anthropic API # agent_model: anthropic/claude-3-7-sonnet-20250219 # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }} # Option 3: Google Gemini Pro via Google AI Studio (Experimental) # agent_model: gemini/gemini-2.5-pro-latest # gemini_api_key: ${{ secrets.GEMINI_API_KEY }} # Option 4: Azure OpenAI (Experimental) # agent_model: azure/<your-deployment-name> # e.g., azure/gpt-4-turbo # azure_api_key: ${{ secrets.AZURE_API_KEY }} # azure_api_base: ${{ vars.AZURE_API_BASE }} # e.g., https://<your-resource-name>.openai.azure.com # azure_api_version: ${{ vars.AZURE_API_VERSION }} # e.g., 2024-02-15-preview # --- Optional Configuration --- formatting_command: mvn spotless:apply # If your project uses a code formatter max_open_prs: 5 debug_mode: false # Set to true for verbose logs # enable_full_telemetry: true # Set to false to disable full telemetry # skip_writing_security_test: false # max_qa_attempts: 6 # Max number of QA Agent runs SmartFix will attempt to fix the vulnerability and get the build in a passing state before giving up. # max_events_per_agent: 120 # Max number of "turns" each agent can take before giving up handle_pr_merge: name: Handle PR Merge runs-on: ubuntu-latest if: github.event.pull_request.merged == true && contains(github.event.pull_request.head.ref, 'smartfix/remediation-') steps: - name: Checkout repository uses: actions/checkout@v4 - name: Notify Contrast on PR Merge uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 with: run_task: merge github_token: ${{ secrets.GITHUB_TOKEN }} contrast_host: ${{ vars.CONTRAST_HOST }} contrast_org_id: ${{ vars.CONTRAST_ORG_ID }} contrast_app_id: ${{ vars.CONTRAST_APP_ID }} contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }} contrast_api_key: ${{ secrets.CONTRAST_API_KEY }} env: GITHUB_EVENT_PATH: ${{ github.event_path }} handle_pr_closed: # Handles PRs closed WITHOUT merging name: Handle PR Close runs-on: ubuntu-latest if: github.event.pull_request.merged == false && contains(github.event.pull_request.head.ref, 'smartfix/remediation-') steps: - name: Checkout repository uses: actions/checkout@v4 - name: Notify Contrast on PR Closed uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 with: run_task: closed github_token: ${{ secrets.GITHUB_TOKEN }} contrast_host: ${{ vars.CONTRAST_HOST }} contrast_org_id: ${{ vars.CONTRAST_ORG_ID }} contrast_app_id: ${{ vars.CONTRAST_APP_ID }} contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }} contrast_api_key: ${{ secrets.CONTRAST_API_KEY }} env: GITHUB_EVENT_PATH: ${{ github.event_path }}
SmartFix configuration inputs
The action.yml
file in the SmartFix GitHub Action repository contains the most up-to-date and complete list of inputs and their defaults.
Input | Description | Required? | Default |
---|---|---|---|
| LLM model to use | No |
|
| Default branch for the repository | No |
|
| Command to build the application (for example, | Yes | |
| Contrast API key | Yes | |
| Contrast application ID for the repository | Yes | |
| Contrast Security API host (for example: | Yes | |
| Contrast organization ID | Yes | |
| Enable verbose logging. | No |
|
| Control how much telemetry data is sent to Contrast. When set to | No |
|
| Command to format code | No | |
| Maximum number of events per internal agent processing a vulnerability | No |
|
| Maximum number of open PRs SmartFix can create. | No |
|
| Maximum QA intervention attempts if build fails after implementing a fix | No |
|
| Contrast authorization key. | Yes | |
| GitHub token for PR operations | Yes | |
| Skip the QA review step (build verification) | No |
|
| Skip attempting to write a security test for the fix | No |
|
LLM settings
Recommended: Direct Anthropic API settings:
Set
agent_model
to the appropriate model string for Anthropic (for example,anthropic/claude-3-7-sonnet-20250219)
.Specify your
anthropic_api_key
.
Recommended: AWS Bedrock settings
Set
agent_model
to the appropriate model string (for example:bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0
).Specify your AWS credentials:
aws_access_key_id
,aws_secret_access_key
, andaws_region_name
.
Experimental: Google Gemini Pro settings (for example, Gemini 2.5 Pro)
Set
agent_model
to the appropriate model string (for example:gemini/gemini-1.5-pro-latest
).Specify your
gemini_api_key
.