Set up Contrast AI SmartFix

Legal Disclaimer

When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that Contrast AI SmartFix LLM. Use of Contrast AI SmartFix is entirely at your own risk.

To use Contrast AI SmartFix, add a workflow file to your GitHub repository (for example, .github/workflows/smartfix.yml).

Note

For access to this feature, contact your Contrast representative.

Before you begin

Contrast Assess: Ensure that Contrast Assess is enabled for your applications.
Supported vulnerabilities: Critical and High
GitHub: Verify your project is hosted on GitHub and uses GitHub Actions.
API-only user: Create an API-only service user in Contrast with a role that has the View organization and Edit application actions.
Contrast credentials: You need the host name of your Contrast installation, the Organization ID, application ID, Authorization Key, and API Key.
You can find the Organization ID, Authorization Key, and API key in your user settings in the Contrast web interface. To find the application ID, in the Applications page in the Contrast web interface, select an application. The number after applications/ in the URL is the ID.
Build command: Ensure you have a reliable command to build your application and run tests. For example, you could use commands such as mvn clean verify and gradle clean build test.
This command must be in the SmartFix workflow.
Large Language Model (LLM) account and API key: For example, an AWS account for Bedrock or an Anthropic account for direct Anthropic API.
Recommended LLM: Anthropic Claude Sonnet (for example, Claude 3.7 Sonnet with AWS Bedrock or direct Anthropic API).
LiteLLM documentation contains details for the agent_model strings.
Exclusions: Cross-Site Request Forgery (CSRF) is currently excluded due to the complexity of fixes often requiring API changes. Other specific vulnerability types may be excluded based on ongoing testing by Contrast.

SmartFix best practices

Start with a single application: Start with a single application to familiarize yourself with the SmartFix workflow and to fine-tune your configuration.
Review and test PRs: While the goal of SmartFix is to provide accurate fixes, always review and test the generated PRs before merging them into your codebase.
Fine-tune max_open_prs: Adjust the max_open_prs setting based on your team's capacity to review and merge PRs.
Use a specific LLM version: To ensure consistent results, pin the LLM you are using to a specific version in your configuration.

Steps

Create the workflow file: In your GitHub repository, create a new workflow file.
Use the SmartFix workflow example as a guide or go to the full example in https://github.com/Contrast-Security-OSS/contrast-ai-smartfix-action/blob/main/contrast-ai-smartfix.yml.template.
Configure your Contrast credentials: In the workflow file, include these Contrast credentials.
- contrast_host: The host name of your Contrast instance, including the protocol. For example: https://yourcompany.contrastsecurity.com.
- contrast_org_id: Contrast organization UUID
- contrast_app_id: The Contrast application UUID for the specific repository
- contrast_authorization_key: Recommended: Create a service user and use the authorization key for that user.
- contrast_api_key: Organization API key
Recommendation: Store all sensitive values, such as API keys and authorization keys, as GitHub Secrets.
Configure GitHub settings: Configure settings for GitHub, including the github_token and the base_branch for the pull requests.
Set the build command: SmartFix requires a build_command to ensure that its changes work correctly with your project. Use a command that is appropriate for your project, such as mvn clean install.
Configure Your LLM: Choose an LLM provider and configure the necessary credentials in the workflow file.
Recommended: Anthropic Claude Sonnet.

SmartFix workflow example

This example shows how to set up SmartFix in a .github/workflows/smartfix.yml workflow file. It uses Anthropic Claude Sonnet as the LLM.

#-
# #%L
# Contrast AI SmartFix
# %%
# Copyright (C) 2025 Contrast Security, Inc.
# %%
# Contact: support@contrastsecurity.com
# License: Commercial
# NOTICE: This Software and the patented inventions embodied within may only be
# used as part of Contrast Security’s commercial offerings. Even though it is
# made available through public repositories, use of this Software is subject to
# the applicable End User Licensing Agreement found at
# https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
# between Contrast Security and the End User. The Software may not be reverse
# engineered, modified, repackaged, sold, redistributed or otherwise used in a
# way not consistent with the End User License Agreement.
# #L%
#

name: Contrast AI SmartFix

on:
  pull_request:
    types:
      - closed
  schedule:
     - cron: '0 0 * * *' # <-- Customer configured schedule
  workflow_dispatch: # Allows manual triggering

permissions:
  contents: write
  pull-requests: write

jobs:
  generate_fixes:
    name: Generate Fixes
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
          aws-region: ${{ vars.AWS_REGION }}

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          
      - name: Run Contrast AI SmartFix - Generate Fixes Action
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          # --- Max Open PRs ---
          max_open_prs: 5
          # --- Base Branch ---
          base_branch: '${{ github.event.repository.default_branch }}'
          # --- Build Command ---
          build_command: 'mvn clean test'
          # --- Formatting Command ---
          formatting_command: 'mvn spotless:apply'
          # --- Max QA Intervention loop attempts ---
          max_qa_attempts: 6
          # --- GitHub Token ---
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # --- Contrast API Credentials ---
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
          # --- Google Gemini API Credentials ---
          gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
          # --- Anthropic API Credentials ---
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          # --- Azure Open API Credentials ---
          # azure_api_key: ${{ secrets.AZURE_API_KEY }}
          # azure_api_base: ${{ secrets.AZURE_API_BASE }}
          # azure_api_version: ${{ secrets.AZURE_API_VERSION }}
          # --- Agent Configuration ---
          agent_model: ${{ vars.AGENT_MODEL || 'bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0' }}
          # Other Optional Inputs (see action.yml for defaults and more options)
          # formatting_command: 'mvn spotless:apply' # Or the command appropriate for your project to correct the formatting of SmartFix\'s changes.  This ensures that SmartFix follows your coding standards.
          # max_open_prs: 5 # This is the maximum limit for the number of PRs that SmartFix will have open at single time
          # enable_full_telemetry: 'false' # Set to false to disable full telemetry

  handle_pr_merge:
    name: Handle PR Merge
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Notify Contrast on PR Merge
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: merge 
          # --- GitHub Token ---
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # --- Contrast API Credentials ---
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env: 
          GITHUB_EVENT_PATH: ${{ github.event_path }}
  
  handle_pr_closed:
    name: Handle PR Close
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == false && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Notify Contrast on PR Closed
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: closed
          # --- GitHub Token ---
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # --- Contrast API Credentials ---
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env: 
          GITHUB_EVENT_PATH: ${{ github.event_path }}

SmartFix configuration inputs

The action.yml file in the SmartFix GitHub Action repository contains the most up-to-date and complete list of inputs and their defaults.

Input	Description	Required?	Default
`agent_model`	LLM model to use	No	`bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0`
`base_branch`	Default branch for the repository	No	`main`
`build_command`	Command to build the application (for example, `mvn clean verify` or `gradle clean build test`)	Yes
`contrast_api_key`	Contrast API key	Yes
`contrast_app_id`	Contrast application ID for the repository	Yes
`contrast_host`	Contrast Security API host (for example: `https://app.contrastsecurity.com`)	Yes
`contrast_org_id`	Contrast organization ID	Yes
`debug_mode`	Enable verbose logging.	No	`false`
`enable_full_telemetry`	Control how much telemetry data is sent to Contrast. When set to `true`, it sends complete log files and build commands. When set to `false`, sensitive build commands and full logs are omitted.	No	`true`
`formatting_command`	Command to format code	No
`max_events_per_agent`	Maximum number of events per internal agent processing a vulnerability	No	`128`
`max_open_prs`	Maximum number of open PRs SmartFix can create.	No	`5`
`max_qa_attempts`	Maximum QA intervention attempts if build fails after implementing a fix	No	`6`
`secrets.contrast_authorization_key`	Contrast authorization key. You should store this value as a GitHub Secret.	Yes
`secrets.github_token`	GitHub token for PR operations You should store this value as a GitHub Secret.	Yes
`skip_qa_review`	Skip the QA review step (build verification)	No	`false`
`skip_writing_security_test`	Skip attempting to write a security test for the fix	No	`false`

LLM settings

Recommended: Direct Anthropic API settings:
- Set agent_model to the appropriate model string for Anthropic (for example, anthropic/claude-3-7-sonnet-20250219).
- Specify your anthropic_api_key.
Recommended: AWS Bedrock settings
- Set agent_model to the appropriate model string (for example: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0).
- Specify your AWS credentials: aws_access_key_id, aws_secret_access_key, and aws_region.
Experimental: Google Gemini Pro settings (for example, Gemini 2.5 Pro)
- Set agent_model to the appropriate model string (for example: gemini/gemini-1.5-pro-latest).
- Specify your gemini_api_key.