Set up Contrast AI SmartFix

Legal Disclaimer

When you use Contrast AI SmartFix, you agree that your code and other data will be submitted to an LLM of your choice. Both the submission of data to the LLM and the output generated by the LLM will be subject to the terms of service of that Contrast AI SmartFixLLM. Use of is entirely at your own risk.

To use Contrast AI SmartFix, add a workflow file to your GitHub repository (for example, .github/workflows/smartfix.yml).

Note

For access to this feature, contact your Contrast representative.

Before you begin

Contrast Assess: Ensure that Contrast Assess is enabled for your applications.
Supported vulnerabilities: Critical and High
GitHub: Verify your project is hosted on GitHub and uses GitHub Actions.
API-only user: Create an API-only service user in Contrast with a role that has the View organization and Edit application actions.
Contrast credentials: You need the host name of your Contrast installation, the Organization ID, application ID, Authorization Key, and API Key.
You can find the Organization ID, Authorization Key, and API key in your user settings in the Contrast web interface. To find the application ID, in the Applications page in the Contrast web interface, select an application. The number after applications/ in the URL is the ID.
Build command: Ensure you have a reliable command to build your application and run tests. For example, you could use commands such as mvn clean verify and gradle clean build test.
This command must be in the SmartFix workflow.
Large Language Model (LLM) account and API key: For example, an AWS account for Bedrock or an Anthropic account for direct Anthropic API.
Recommended LLM: Anthropic Claude Sonnet (for example, Claude 3.7 Sonnet with AWS Bedrock or direct Anthropic API).
LiteLLM documentation contains details for the agent_model strings.
Exclusions: Cross-Site Request Forgery (CSRF) is currently excluded due to the complexity of fixes often requiring API changes. Other specific vulnerability types may be excluded based on ongoing testing by Contrast.

SmartFix best practices

Start with a single application: Start with a single application to familiarize yourself with the SmartFix workflow and to fine-tune your configuration.
Review and test PRs: While the goal of SmartFix is to provide accurate fixes, always review and test the generated PRs before merging them into your codebase.
Fine-tune max_open_prs: Adjust the max_open_prs setting based on your team's capacity to review and merge PRs.
Use a specific LLM version: To ensure consistent results, pin the LLM you are using to a specific version in your configuration.

Steps

Create the workflow file: In your GitHub repository, create a new workflow file.
Use the workflow example as a guide or go to the full example in https://github.com/Contrast-Security-OSS/contrast-ai-smartfix-action/blob/main/contrast-ai-smartfix.yml.template.
Configure your Contrast credentials: In the workflow file, include these Contrast credentials.
- contrast_host: The host name of your Contrast instance, including the protocol. For example: https://yourcompany.contrastsecurity.com.
- contrast_org_id: Contrast organization UUID
- contrast_app_name: The Contrast application UUID for the specific repository
- contrast_authorization_key: Recommended: Create a service user and use the authorization key for that user.
- contrast_api_key: Organization API key
Recommendation: Store all sensitive values, such as API keys and authorization keys, as GitHub Secrets.
Configure GitHub settings: Configure settings for GitHub, including the github_token and the base_branch for the pull requests.
Set the build command: SmartFix requires a build_command to ensure that its changes work correctly with your project. Use a command that is appropriate for your project, such as mvn clean install.
Configure Your LLM: Choose an LLM provider and configure the necessary credentials in the workflow file.
Recommended: Anthropic Claude Sonnet.

SmartFix workflow example

This example shows how to set up SmartFix in a .github/workflows/smartfix.yml workflow file. It uses Anthropic Claude Sonnet as the LLM.

name: Contrast AI SmartFix

on:
  pull_request:
    types:
      - closed # For notifying backend when a SmartFix PR is closed without merging
  schedule:
    - cron: '0 0 * * *' # Runs daily at midnight UTC. Adjust as needed.
  workflow_dispatch: # Allows manual triggering

permissions:
  contents: write
  pull-requests: write

jobs:
  generate_fixes:
    name: Generate Fixes
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Required for SmartFix to analyze code history

      - name: Run Contrast AI SmartFix - Generate Fixes
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1 # Use the latest appropriate version
        with:
          # --- Contrast Configuration (Required) ---
          contrast_host: ${{ vars.CONTRAST_HOST }} # e.g., https://app.contrastsecurity.com
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}

          # --- GitHub Configuration (Required) ---
          github_token: ${{ secrets.GITHUB_TOKEN }} # For PR creation
          base_branch: main # Or your project's default branch

          # --- Build Configuration (Required) ---
          build_command: mvn clean verify # IMPORTANT: Replace with your project's build command that includes tests. e.g., gradle clean build test\'

          # --- LLM Configuration (BYOLLM - Choose ONE provider) ---
          # Option 1: Anthropic Claude Sonnet via AWS Bedrock (Recommended)
          agent_model: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0 # Check LiteLLM docs for latest model strings
          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws_region_name: us-east-1 # Or your AWS region
          # aws_session_token: ${{ secrets.AWS_SESSION_TOKEN }} # Optional
          # aws_profile_name: ${{ vars.AWS_PROFILE_NAME }} # Optional
          # aws_role_name: ${{ vars.AWS_ROLE_NAME }} # Optional
          # aws_session_name: ${{ vars.AWS_SESSION_NAME }} # Optional
          # aws_web_identity_token: ${{ secrets.AWS_WEB_IDENTITY_TOKEN }} # Optional
          # aws_bedrock_runtime_endpoint: ${{ vars.AWS_BEDROCK_RUNTIME_ENDPOINT }} # Optional, for custom Bedrock endpoints

          # Option 2: Anthropic Claude Sonnet via Direct Anthropic API
          # agent_model: anthropic/claude-3-7-sonnet-20250219
          # anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

          # Option 3: Google Gemini Pro via Google AI Studio (Experimental)
          # agent_model: gemini/gemini-2.5-pro-latest
          # gemini_api_key: ${{ secrets.GEMINI_API_KEY }}

          # Option 4: Azure OpenAI (Experimental)
          # agent_model: azure/<your-deployment-name> # e.g., azure/gpt-4-turbo
          # azure_api_key: ${{ secrets.AZURE_API_KEY }}
          # azure_api_base: ${{ vars.AZURE_API_BASE }} # e.g., https://<your-resource-name>.openai.azure.com
          # azure_api_version: ${{ vars.AZURE_API_VERSION }} # e.g., 2024-02-15-preview

          # --- Optional Configuration ---
          formatting_command: mvn spotless:apply # If your project uses a code formatter
          max_open_prs: 5
          debug_mode: false # Set to true for verbose logs
          # enable_full_telemetry: true # Set to false to disable full telemetry
          # skip_writing_security_test: false
          # max_qa_attempts: 6  # Max number of QA Agent runs SmartFix will attempt to fix the vulnerability and get the build in a passing state before giving up.
          # max_events_per_agent: 120  # Max number of "turns" each agent can take before giving up

  handle_pr_merge:
    name: Handle PR Merge
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == true && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Notify Contrast on PR Merge
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: merge
          github_token: ${{ secrets.GITHUB_TOKEN }}
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env:
          GITHUB_EVENT_PATH: ${{ github.event_path }}

  handle_pr_closed: # Handles PRs closed WITHOUT merging
    name: Handle PR Close
    runs-on: ubuntu-latest
    if: github.event.pull_request.merged == false && contains(github.event.pull_request.head.ref, 'smartfix/remediation-')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Notify Contrast on PR Closed
        uses: Contrast-Security-OSS/contrast-ai-smartfix-action@v1
        with:
          run_task: closed
          github_token: ${{ secrets.GITHUB_TOKEN }}
          contrast_host: ${{ vars.CONTRAST_HOST }}
          contrast_org_id: ${{ vars.CONTRAST_ORG_ID }}
          contrast_app_id: ${{ vars.CONTRAST_APP_ID }}
          contrast_authorization_key: ${{ secrets.CONTRAST_AUTHORIZATION_KEY }}
          contrast_api_key: ${{ secrets.CONTRAST_API_KEY }}
        env:
          GITHUB_EVENT_PATH: ${{ github.event_path }}

SmartFix configuration inputs

The action.yml file in the SmartFix GitHub Action repository contains the most up-to-date and complete list of inputs and their defaults.

Input	Description	Required?	Default
`agent_model`	LLM model to use	No	`bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0`
`base_branch`	Default branch for the repository	No	`main`
`build_command`	Command to build the application (for example, `mvn clean verify` or `gradle clean build test`)	Yes
`contrast_api_key`	Contrast API key	Yes
`CONTRAST_APP_ID`	Contrast application ID for the repository	Yes
`CONTRAST_HOST`	Contrast Security API host (for example: `https://app.contrastsecurity.com`)	Yes
`CONTRAST_ORG_ID`	Contrast organization ID	Yes
`debug_mode`	Enable verbose logging.	No	`false`
`enable_full_telemetry`	Control how much telemetry data is sent to Contrast. When set to `true`, it sends complete log files and build commands. When set to `false`, sensitive build commands and full logs are omitted.	No	`true`
`formatting_command`	Command to format code	No
`max_events_per_agent`	Maximum number of events per internal agent processing a vulnerability	No	`128`
`max_open_prs`	Maximum number of open PRs SmartFix can create.	No	`5`
`max_qa_attempts`	Maximum QA intervention attempts if build fails after implementing a fix	No	`6`
`secrets.CONTRAST_AUTHORIZATION_KEY`	Contrast authorization key.	Yes
`secrets.GITHUB_TOKEN`	GitHub token for PR operations	Yes
`skip_qa_review`	Skip the QA review step (build verification)	No	`false`
`skip_writing_security_test`	Skip attempting to write a security test for the fix	No	`false`

LLM settings

Recommended: Direct Anthropic API settings:
- Set agent_model to the appropriate model string for Anthropic (for example, anthropic/claude-3-7-sonnet-20250219).
- Specify your anthropic_api_key.
Recommended: AWS Bedrock settings
- Set agent_model to the appropriate model string (for example: bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0).
- Specify your AWS credentials: aws_access_key_id, aws_secret_access_key, and aws_region_name.
Experimental: Google Gemini Pro settings (for example, Gemini 2.5 Pro)
- Set agent_model to the appropriate model string (for example: gemini/gemini-1.5-pro-latest).
- Specify your gemini_api_key.