Fix code vulnerabilities automatically

DeepCode AI Fix has a new name: Snyk Agent Fix.

Fix security issues and quality flaws in the source code through an automated flow. Snyk Agent Fix calculates the most suitable solution for your issues and applies it automatically.

Why use Snyk Agent Fix?

Snyk Agent Fix combines the power of a thorough program analysis engine with the abilities of an in-house deep-learning-based large language model. This combination allows for compiling large amounts of unstructured language information from open-source code.

Key features set Snyk Agent Fix apart. It has a neural network trained on millions of lines of code, allowing for greater versatility and creativity. The Snyk Code engine rigorously checks the suggestions from the neural network, ensuring all automated fixes are small and targeted to each vulnerability or code issue.

What issues can you fix automatically?

You can address various issues detected by the Snyk Code engine in terms of quality, promoting best code practices, and security vulnerabilities. Snyk Agent Fix currently does not support inter-file fixes.

Snyk Agent Fix language support

Supported

Limited support

Java

APEX

JavaScript

Python

TypeScript

C/C++

What is the difference between supported and limited support?

Supported: Snyk Agent Fix consistently generates fixes for the majority of Snyk Code rules.
Limited support: Snyk Agent Fix may not generate fixes as consistently, covering fewer Snyk Code rules.

What data does Snyk Agent Fix collect?

Training data

Snyk trains its Large Language Model (LLM) using permissively-licensed public repositories. Snyk does not use code input by customers to train its LLM.

The data collection process is thorough and includes the following:

Static analysis of permissive public repositories.
Automated assessment of the suggested fix qualities.
Partial in-house labeling by humans.

The training data is regularly checked for quality to optimize the performance of the LLM.

Customer data

Snyk does not use customer code submitted to Snyk Agent Fix for training purposes.

For more information on how Snyk manages data, see How Snyk handles your data.

How Snyk Agent Fix works

A representation of information flow involved in fixing one issue is presented in the following table.

Stage

Subsystem

Details

Code scan and discovery of issues

Static Code Analysis Engine

Corresponds to a normal flow of scanning the code from IDE.

Code preprocessing and minimization with respect to the data flow of the particular issue $\mathcal{I}$

Static Code Analysis Engine

Data flow of $\mathcal{I}$ is analyzed and code is minimized, keeping the relevant context only.

Generating $k$ candidate fixes for the given issue $\mathcal{I}$

Neural Network (Generative LLM)

Here, $k$ is an implementation parameter.

Candidate fixes ranking and self-assessment

Static Code Analysis Engine

Each of the $k$ fixes is assessed by the Code Engine, filtering out those rendering invalid code or failing to fix the issue (the issue persists).

Returning the best candidate fix

The system has finished.

Requirements for Snyk Agent Fix

Snyk Code enabled
Snyk IDE Plugin for VS Code, Visual Studio, Eclipse, or JetBrains IDEs

Enable Snyk Agent Fix

Enable Snyk Agent Fix for your Group or Organization in the Snyk Web UI by navigating to Group/Organization > Settings > DeepCode AI Fix.

DeepCodeAI Fix Suggestions settings in Snyk Preview

Fix code issues automatically

Before you begin

Ensure you have automated fixes enabled in Snyk Preview to work with your Snyk IDE plugin or extension.
Save the files and scan your code to generate a fresh set of results.
You should see a zap icon next to all Snyk Code issues that can be automatically fixed.

Open your codebase.
Find and fix issues through the panel or by clicking Fix this issue in Code Lens.
After a fix has been applied, save and rescan.

Example: Fix a code issue automatically

Snyk Agent Fix highlights all identified vulnerabilities that can be automatically fixed. These are highlighted with a zap icon. For example, in this scenario, we have identified an Information Exposure vulnerability.

Opening the vulnerability gives us details on where the issue is and allows us to generate a fix using Snyk Agent Fix.

After you select Generate Fix using Snyk DeepCode AI, the system will analyze your code and generate up to five potential fixes. After you apply a fix, Snyk Agent Fix automatically retests the fix for quality using Snyk Code's engine.

The result, in this case, is five fixes, which you can navigate through to decide which one is best for you. The first fix is adding Helmet middleware package that disables the X-Powered-By header by default, preventing attackers from knowing that the app is running Express.

When you apply the fix, you will be guided to where the new code has been introduced. After you save and rescan, the vulnerability will disappear.

Limitations

Snyk Agent Fix is at the forefront of AI, but there are still limitations based on the AI engine. Users must always review the Snyk Agent Fix suggestions to ensure that the resulting implementation of the fix does not break their application

Snyk Agent Fix suggestions might generate code that results in the application not working properly
Snyk Agent Fix suggestions might generate code that is not syntactically correct
Snyk Agent Fix verifies that the vulnerability is fixed and no new vulnerabilities are introduced. This means that sometimes, a valid suggestion will not be made because the AI engine has not generated a good enough result.

PreviousBreakdown of Code analysis NextSnyk Code security rules

Last updated 1 month ago

Was this helpful?