Autofix is different from Rule-defined fix and Semgrep Multimodal’s Suggested fix. These are separate features with different behaviors and use cases.
Prerequisites
To use Autofix, you must meet the following requirements:- Enable Semgrep Multimodal.
- Accept Amazon Bedrock or Anthropic’s Claude models.
- During beta, Semgrep Code does not respect AI model selection.
- Have at least one connected repository with new or existing Semgrep Code findings.
- Grant the SCM roles, scopes, and app permissions Autofix needs for your SCM. See SCM permissions for the Autofix row for your provider and Grant code access to configure your connection. For GitHub API and security review details, see Autofix permissions.
Use Autofix
1
Log in to Semgrep AppSec Platform
2
Click Code to view all SAST findings.
3
Identify the finding you want to Autofix and click the hyperlink on the card to navigate to the finding’s Details page.
4
From the Fix drop-down, select Open Autofix PR.
5
You will see the following message:
Starting to generate Autofix PR. Semgrep is generating an Autofix PR for this finding. A new notification will appear here when the PR is ready.
6
In 2 to 10 minutes, Semgrep generates a proposed fix and opens a draft PR or MR in your SCM.
- This action is recorded in the Activity section at the bottom of the finding’s Details page.
7
Click View Autofix PR in the FIX DETAILS section to review the newly created PR or MR.
PR or MR details
- The pull or merge request is opened as a draft for Semgrep Code findings.
- Semgrep provides an AI-generated description of the changes in the PR or MR.
- On GitHub, the pull request is authored by the Semgrep GitHub App.
- If your SCM account is connected to Semgrep, you are automatically mentioned in the PR or MR.
Findings with open PRs on Semgrep AppSec Platform
You can filter for findings with Autofix PRs directly from the Code page in Semgrep AppSec Platform. Click the To fix drop-down and select To fix to do so. This filter shows findings that have Autofix PRs. It may also include findings that were manually marked as To fix.Disable Autofix
If you use Semgrep Multimodal, Autofix is enabled by default. To adjust settings:1
Sign in to Semgrep AppSec Platform
2
Navigate to Settings > General > Code
3
Set the Autofix toggle to enabled or disabled