1. The Problem
Our team works with more than 30 repos (web applications, APIs, automation scripts, whatever), and each repo contains a lot of dependencies.
There’s an excellent solution for vulnerability scanning that detects issues and opens GitHub Issues with severity levels and SLA deadlines. But the problem lies in the remediation process: finding the right manifest file, bumping the dependency version, running tests, and creating the PR.
At any time, you could see more than 100 open vulnerabilities across all repos, many of which are already overdue in terms of SLAs. It was a huge time sink that distracted engineers from the real work.
We wanted a tool that could take us from “vulnerability detected” to “PR ready for review” without any human involvement.
2. Enter “vuln-fixer”
Here it is: a Python command-line tool that fully automates the remediation pipeline. Just run it, give it access to your repos, and voilà.
- It fetches the list of all open vulnerabilities.
- It prioritizes the findings (SLA missed -> near SLA, then critical severity -> moderate -> low).
- It fixes the vulnerable packages.
- It opens Pull Requests with detailed explanations of the changes.
3. The AI-Powered Fix Engine
The most innovative aspect of this tool lies in the fix engine.
Initially, we tried regex-based fixers that would find a version in your manifest file (package.json, requirements.txt, etc.) and bump it to the specified version. This method works fine for simple stuff like bumping package X from 1.2.3 to 1.2.4.
Unfortunately, real life is more complicated. Sometimes fixing a vulnerability requires updating the base image in a Dockerfile. Sometimes the vulnerable package is used in some weird custom scripts. Sometimes you’d need to bump several versions in a single manifest file. And the regex fixer couldn’t handle these tasks.
To improve it, we used AI, specifically a language model provided by GitHub Models (based on GPT-4.1), to make the process faster and more flexible.
What’s important is that our tool doesn’t ask anything like “can you provide a fix for this vulnerability?” Instead, it strictly defines the format. This is what we did to keep the AI from hallucinating in our repo:
- It parses your manifest files and Dockerfiles.
- It asks the model to analyze those files together with structured data about the vulnerability (package name, current version, target version, CVE).
- The key trick: the tool requests a specific JSON response containing a list of {file_path, search, replace} pairs.
- The fix engine replaces the specified search string with the replace string and then runs the installation command to update lock files (npm install, go mod tidy, and so on).
Since the tool requires the model’s search string to be an exact substring of the file content, the edit is applied deterministically: there’s no ambiguity or guesswork about where to perform changes. In addition, the tool batches findings to save tokens and intentionally removes lockfiles from the prompt to focus on the required data.
NOTE: We keep the regex fixers as a secondary option via the --no-ai flag.
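As an added illustration (not the vuln-fixer code itself), here is how a search/replace fix engine of this kind can validate the model’s JSON before touching any file. The response shape, the in-memory repo contents, and the rule that a search string must match exactly once and only in a file that was put in the prompt are assumptions of this example:

```python
import json

# Constructed sample of the structured response the engine asks the model for
# (hypothetical shape modelled on {file_path, search, replace} pairs).
MODEL_RESPONSE = json.dumps({"fixes": [
    {"file_path": "requirements.txt", "search": "requests==2.25.0", "replace": "requests==2.32.3"},
    {"file_path": "Dockerfile", "search": "FROM python:3.11-slim", "replace": "FROM python:3.12-slim"},
]})

# Constructed response with three defects: hallucinated content, a path outside
# the repo, and an ambiguous search string that occurs more than once.
BAD_RESPONSE = json.dumps({"fixes": [
    {"file_path": "requirements.txt", "search": "django==1.0", "replace": "django==4.2"},
    {"file_path": "../etc/passwd", "search": "root", "replace": "toor"},
    {"file_path": "requirements.txt", "search": "==", "replace": "=="},
]})

# Constructed in-memory repo: only the manifests the tool parsed and sent in the prompt.
REPO = {
    "requirements.txt": "flask==3.0.0\nrequests==2.25.0\n",
    "Dockerfile": "FROM python:3.11-slim\nCOPY . /app\n",
}


def apply_fixes(repo: dict, response_json: str) -> tuple[dict, list]:
    """Apply model-proposed edits, rejecting anything that is not an exact,
    unambiguous substring replacement in a file the tool itself supplied."""
    fixes = json.loads(response_json)["fixes"]
    updated = dict(repo)
    rejected = []
    for fix in fixes:
        path, search, replace = fix["file_path"], fix["search"], fix["replace"]
        # Refuse paths the model was never shown (covers traversal like ../).
        if path.startswith(("/", "..")) or ".." in path.split("/") or path not in updated:
            rejected.append((path, "file not in prompt"))
            continue
        if not search:
            rejected.append((path, "empty search"))
            continue
        count = updated[path].count(search)
        if count != 1:
            # 0 matches: model invented content; >1: edit location is ambiguous.
            rejected.append((path, f"search matched {count} times"))
            continue
        updated[path] = updated[path].replace(search, replace, 1)
    return updated, rejected
```

Only files returned in `updated` with an empty `rejected` list should proceed to the install step and PR creation; anything rejected is surfaced for a human rather than silently skipped.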
4. Smart Prioritization
Vulnerabilities aren’t all created equal, so the tool sorts the queue based on the following criteria:
- Missed SLA repo -> near SLA repo -> all others.
- Critical and High severity findings are sorted even higher.
If the tool is interrupted, or you only have time to review a few PRs, this guarantees the most meaningful work was done first. The tool also highlights findings that require code changes (from code-scanning alerts, for example).
5. Automated Mode
Now we run the tool as a scheduled cronjob. Compared with the CLI version, it uses environment variables instead of command-line arguments but applies the exact same logic to remediate the vulnerabilities while you sleep.
As a result, it keeps the vulnerability count stable across the repos.
6. Conclusion
This tool saved us many engineering hours per week by moving regular dependency bumps to a fully automatic script.
The combination of structured vulnerability data and a constrained AI model (one that is only allowed a limited range of outputs) is powerful and can be easily adapted to different projects.
If your team is struggling with Dependabot alerts, try applying a similar solution.