Skip to main content

Set up Contrast AI SmartFix

Legal Disclaimer

When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that Contrast AI SmartFixLLM. Use of is entirely at your own risk.

To use Contrast AI SmartFix, add a workflow file to your GitHub repository (for example, .github/workflows/smartfix.yml).

Note

For access to this feature, contact your Contrast representative.

Before you begin

  • Contrast Assess: Ensure that Contrast Assess is enabled for your applications.

  • Supported vulnerabilities: Critical and High

  • GitHub: Verify your project is hosted on GitHub and uses GitHub Actions.

  • API-only user: Create an API-only service user in Contrast with a role that has the View organization and Edit application actions.

  • Contrast credentials: You need the host name of your Contrast installation, the Organization ID, application ID, Authorization Key, and API Key.

    You can find the Organization ID, Authorization Key, and API key in your user settings in the Contrast web interface. To find the application ID, in the Applications page in the Contrast web interface, select an application. The number after applications/ in the URL is the ID.

  • Build command: Ensure you have a reliable command to build your application and run tests. For example, you could use commands such as mvn clean verify and gradle clean build test.

    This command must be in the SmartFix workflow.

  • Large Language Model (LLM) account and API key: For example, an AWS account for Bedrock or an Anthropic account for direct Anthropic API.

  • Recommended LLM: Anthropic Claude Sonnet (for example, Claude 3.7 Sonnet with AWS Bedrock or direct Anthropic API).

    LiteLLM documentation contains details for the agent_model strings.

  • Exclusions: Cross-Site Request Forgery (CSRF) is currently excluded due to the complexity of fixes often requiring API changes. Other specific vulnerability types may be excluded based on ongoing testing by Contrast.

SmartFix best practices

  • Start with a single application: Start with a single application to familiarize yourself with the SmartFix workflow and to fine-tune your configuration.

  • Review and test PRs: While the goal of SmartFix is to provide accurate fixes, always review and test the generated PRs before merging them into your codebase.

  • Fine-tune max_open_prs: Adjust the max_open_prs setting based on your team's capacity to review and merge PRs.

  • Use a specific LLM version: To ensure consistent results, pin the LLM you are using to a specific version in your configuration.

Steps

  1. Create the workflow file: In your GitHub repository, create a new workflow file.

    Use the workflow example as a guide or go to the full example in https://github.com/Contrast-Security-OSS/contrast-ai-smartfix-action/blob/main/contrast-ai-smartfix.yml.template.

  2. Configure your Contrast credentials: In the workflow file, include these Contrast credentials.

    • contrast_host: The host name of your Contrast instance, including the protocol. For example: https://yourcompany.contrastsecurity.com.

    • contrast_org_id: Contrast organization UUID

    • contrast_app_name: The Contrast application UUID for the specific repository

    • contrast_authorization_key: Recommended: Create a service user and use the authorization key for that user.

    • contrast_api_key: Organization API key

    Recommendation: Store all sensitive values, such as API keys and authorization keys, as GitHub Secrets.

  3. Configure GitHub settings: Configure settings for GitHub, including the github_token and the base_branch for the pull requests.

  4. Set the build command: SmartFix requires a build_command to ensure that its changes work correctly with your project. Use a command that is appropriate for your project, such as mvn clean install.

  5. Configure Your LLM: Choose an LLM provider and configure the necessary credentials in the workflow file.

    Recommended: Anthropic Claude Sonnet.

SmartFix workflow example

This example shows how to set up SmartFix in a .github/workflows/smartfix.yml workflow file. It uses Anthropic Claude Sonnet as the LLM.

name: Contrast AI SmartFix

on:
  pull_request:
    types:
      - closed # For notifying backend when a SmartFix PR is closed without merging
  schedule:
    - cron: '0 0 * * *' # Runs daily at midnight UTC. Adjust as needed.
  workflow_dispatch: # Allows manual triggering

permissions:
  contents: write
  pull-requests: write

jobs:
  generate_fixes:
    name: Generate Fixes
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Required for SmartFix to analyze code history

      - name: Run Contrast AI SmartFix - Generate Fixes
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 # Use the latest appropriate version
        with:
          # --- Contrast Configuration (Required) ---
          contrast_host: ${{ vars.CONTRAST_HOST }} # e.g., https://app.contrastsecurity.com
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}

          # --- GitHub Configuration (Required) ---
          github_token: ${{ secrets.GITHUB_TOKEN }} # For PR creation
          base_branch: main # Or your project's default branch

          # --- Build Configuration (Required) ---
          build_command: mvn clean verify # IMPORTANT: Replace with your project's build command that includes tests. e.g., gradle clean build test\'

          # --- LLM Configuration (BYOLLM - Choose ONE provider) ---
          # Option 1: Anthropic Claude Sonnet via AWS Bedrock (Recommended)
          agent_model: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0 # Check LiteLLM docs for latest model strings
          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws_region_name: us-east-1 # Or your AWS region
          # aws_session_token: ${{ secrets.AWS_SESSION_TOKEN }} # Optional
          # aws_profile_name: ${{ vars.AWS_PROFILE_NAME }} # Optional
          # aws_role_name: ${{ vars.AWS_ROLE_NAME }} # Optional
          # aws_session_name: ${{ vars.AWS_SESSION_NAME }} # Optional
          # aws_web_identity_token: ${{ secrets.AWS_WEB_IDENTITY_TOKEN }} # Optional
          # aws_bedrock_runtime_endpoint: ${{ vars.AWS_BEDROCK_RUNTIME_ENDPOINT }} # Optional, for custom Bedrock endpoints

          # Option 2: Anthropic Claude Sonnet via Direct Anthropic API
          # agent_model: anthropic/claude-3-7-sonnet-20250219
          # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

          # Option 3: Google Gemini Pro via Google AI Studio (Experimental)
          # agent_model: gemini/gemini-2.5-pro-latest
          # gemini_api_key: ${{ secrets.GEMINI_API_KEY }}

          # Option 4: Azure OpenAI (Experimental)
          # agent_model: azure/<your-deployment-name> # e.g., azure/gpt-4-turbo
          # azure_api_key: ${{ secrets.AZURE_API_KEY }}
          # azure_api_base: ${{ vars.AZURE_API_BASE }} # e.g., https://<your-resource-name>.openai.azure.com
          # azure_api_version: ${{ vars.AZURE_API_VERSION }} # e.g., 2024-02-15-preview

          # --- Optional Configuration ---
          formatting_command: mvn spotless:apply # If your project uses a code formatter
          max_open_prs: 5
          debug_mode: false # Set to true for verbose logs
          # enable_full_telemetry: true # Set to false to disable full telemetry
          # skip_writing_security_test: false
          # max_qa_attempts: 6  # Max number of QA Agent runs SmartFix will attempt to fix the vulnerability and get the build in a passing state before giving up.
          # max_events_per_agent: 120  # Max number of "turns" each agent can take before giving up

  handle_pr_merge:
    name: Handle PR Merge
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Notify Contrast on PR Merge
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: merge
          github_token: ${{ secrets.GITHUB_TOKEN }}
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env:
          GITHUB_EVENT_PATH: ${{ github.event_path }}

  handle_pr_closed: # Handles PRs closed WITHOUT merging
    name: Handle PR Close
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == false && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Notify Contrast on PR Closed
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: closed
          github_token: ${{ secrets.GITHUB_TOKEN }}
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env:
          GITHUB_EVENT_PATH: ${{ github.event_path }}

SmartFix configuration inputs

The action.yml file in the SmartFix GitHub Action repository contains the most up-to-date and complete list of inputs and their defaults.

Input

Description

Required?

Default

agent_model

LLM model to use

No

bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0

base_branch

Default branch for the repository

No

main

build_command

Command to build the application (for example, mvn clean verify or gradle clean build test)

Yes

contrast_api_key

Contrast API key

Yes

CONTRAST_APP_ID

Contrast application ID for the repository

Yes

CONTRAST_HOST

Contrast Security API host (for example: https://app.contrastsecurity.com)

Yes

CONTRAST_ORG_ID

Contrast organization ID

Yes

debug_mode

Enable verbose logging.

No

false

enable_full_telemetry

Control how much telemetry data is sent to Contrast.

When set to true, it sends complete log files and build commands. When set to false, sensitive build commands and full logs are omitted.

No

true

formatting_command

Command to format code

No

max_events_per_agent

Maximum number of events per internal agent processing a vulnerability

No

128

max_open_prs

Maximum number of open PRs SmartFix can create.

No

5

max_qa_attempts

Maximum QA intervention attempts if build fails after implementing a fix

No

6

secrets.CONTRAST_AUTHORIZATION_KEY

Contrast authorization key.

Yes

secrets.GITHUB_TOKEN

GitHub token for PR operations

Yes

skip_qa_review

Skip the QA review step (build verification)

No

false

skip_writing_security_test

Skip attempting to write a security test for the fix

No

false

LLM settings

  • Recommended: Direct Anthropic API settings:

    • Set agent_model to the appropriate model string for Anthropic (for example, anthropic/claude-3-7-sonnet-20250219).

    • Specify your anthropic_api_key.

  • Recommended: AWS Bedrock settings

    • Set agent_model to the appropriate model string (for example: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0).

    • Specify your AWS credentials: aws_access_key_id, aws_secret_access_key, and aws_region_name.

  • Experimental: Google Gemini Pro settings (for example, Gemini 2.5 Pro)

    • Set agent_model to the appropriate model string (for example: gemini/gemini-1.5-pro-latest).

    • Specify your gemini_api_key.

See also

Troubleshooting

Contrast SmartFix README