Skip to main content
Autofix creates a branch, applies the changes, and opens a draft pull request (PR) or merge request (MR). You remain in full control over reviewing and merging the PR or MR.
Autofix is different from Rule-defined fix and Semgrep Multimodal’s Suggested fix. These are separate features with different behaviors and use cases.

Prerequisites

To use Autofix, you must meet the following requirements:
  • Enable Semgrep Multimodal.
  • Accept Amazon Bedrock or Anthropic’s Claude models.
    • During beta, Semgrep Code does not respect AI model selection.
  • Have at least one connected repository with new or existing Semgrep Code findings.
  • Grant the SCM roles, scopes, and app permissions Autofix needs for your SCM. See SCM permissions for the Autofix row for your provider and Grant code access to configure your connection. For GitHub API and security review details, see Autofix permissions.
Autofix requires read and write access to your repositories on your SCM so Semgrep can push a branch and open a PR or MR.

Use Autofix

2
Click Code to view all SAST findings.
3
Identify the finding you want to Autofix and click the hyperlink on the card to navigate to the finding’s Details page.
4
From the Fix drop-down, select Open Autofix PR.
5
You will see the following message:
Starting to generate Autofix PR. Semgrep is generating an Autofix PR for this finding. A new notification will appear here when the PR is ready.
6
In 2 to 10 minutes, Semgrep generates a proposed fix and opens a draft PR or MR in your SCM.
  • This action is recorded in the Activity section at the bottom of the finding’s Details page.
7
Click View Autofix PR in the FIX DETAILS section to review the newly created PR or MR.

PR or MR details

  • The pull or merge request is opened as a draft for Semgrep Code findings.
  • Semgrep provides an AI-generated description of the changes in the PR or MR.
  • On GitHub, the pull request is authored by the Semgrep GitHub App.
  • If your SCM account is connected to Semgrep, you are automatically mentioned in the PR or MR.

Findings with open PRs on Semgrep AppSec Platform

You can filter for findings with Autofix PRs directly from the Code page in Semgrep AppSec Platform. Click the To fix drop-down and select To fix to do so. This filter shows findings that have Autofix PRs. It may also include findings that were manually marked as To fix.

Disable Autofix

If you use Semgrep Multimodal, Autofix is enabled by default. To adjust settings:
2
Navigate to Settings > General > Code
3
Set the Autofix toggle to enabled or disabled

How Autofix PRs are generated

Autofix generates a proposed change specifically for the PR workflow. This process uses the detected pattern and surrounding code context to produce the fix.

Use of remediation guidance

When Multimodal remediation guidance exists for a finding, the descriptive guidance is used to generate the code changes included in the PR.

How memories affect PR generation

At this time, Semgrep Memories do not directly influence Autofix PR generation. Memories may affect PRs indirectly through remediation guidance. If remediation guidance has been generated and includes information derived from memories, that guidance is passed into the PR generation process. However, memories themselves are not currently sent as direct input when generating the PR.