Security teams have gotten very good at finding vulnerabilities. Fixing them has always been the hard part. Semgrep Autofix, now in public beta, accelerates fixes by providing contextual remediation guidance, breaking change analysis, and AI assistant-generated fix suggestions in pull requests. Developers and security teams save hours of manual research, making fixes faster, safer, and less disruptive to their organization.
Sifting through noise before remediation can start
A major reason fixing can be onerous is because it’s hard to know which finding even matters. Security alerts are often full of noise. Code scanners lack local code context—for example, organizational sanitizers, user exposure, and framework-specific protections—to determine if something poses a real threat. Dependabot is notorious for opening PRs against unaffected repositories, or because you imported a package, even though your code doesn’t actually use it.
Semgrep Assistant understands the mitigating context around a finding to shift the focus from potential risks to actual threats. Codebase-aware reachability analysis filters out any supply chain findings that are not being used by your code in a vulnerable way. Deprioritizing more than 95% of false positives frees up security teams to tackle the findings that actually need fixing.
Fixing fast minimizes security debt
In a world of sprawling codebases, cross-file linkages, and interwoven dependencies, a single change can have huge system-wide impacts. Researching library impacts, understanding breaking changes, and identifying the safest path to upgrade takes significant cognitive effort. Teams can’t upgrade quickly or regularly, and start accruing security debt.
Reducing patch delta lowers the risk associated with rushing through a refactor, or unrelated fixes.
Upgrade Guidance with Semgrep Autofix
Part of the Autofix suite, Upgrade Guidance facilitates timely dependency updates by performing research necessary to confidently and rapidly address a vulnerability that is actually exploitable. It identifies which upgrades are safe, so you can generate a PR right away, and for complex upgrades, gives developers line-level analysis on breaking changes.
Making AI effective for security
Upgrade guidance relies on two types of static analysis: first-party code analysis that determines how a customer uses a third-party package, including non-vulnerable usages that may contain breaking changes. Additionally, third-party code analysis identifies the differences between current and target upgrade versions. Both analyses are performed using the Semgrep Pro engine, and the resulting data is then sent to a large language model (LLM) to create the final breaking change analysis. This includes details such as how functions and their parameters have changed between versions, and a summary of functions—both changed and unchanged.
Autofix leverages a LLM, but brings the context and deterministic analysis necessary for making AI effective for security. It leverages the Semgrep engine to develop a comprehensive understanding of your software and uses that grounded knowledge to assess fixability, identify the safest upgrade paths, and understand the true impact of a change before any automation is triggered.
Augmenting assistant recommendations
Semgrep was one of the first AppSec solutions to use AI for assistant recommendations. Starting with GPT-3, we have since moved on to newer frontier models, yet we consistently see a +95% agreement rate in helping teams automate triage. Autofix goes a step further by taking these recommendations and generating human-readable PRs with the necessary changes that fix a vulnerability in your first-party code.
"Semgrep Autofix has materially improved our remediation lifecycle. By shifting developer effort from writing fixes to reviewing AI-generated patches, we've reduced friction, improved adoption rates, and accelerated vulnerability resolution across our codebase."
— Utkarsh Tiwari, Head of Product Security Engineering & Compliance at Meesho'
Automating AppSec
The advent of LLMs for codegen has further shifted the burden of security engineering from the detection of vulnerabilities to remediation. Autofix combines the world’s most popular static analysis engine with frontier-model LLMs to provide contextual upgrade guidance, line-level breaking change analysis, and high-confidence fix suggestions (for first-party code). Layered atop our industry-leading noise reduction, Autofix helps you accelerate fixes and automate your AppSec program. Check out our docs page on how to get started!
