Skip to main content
Autofix creates a GitHub branch, applies the changes, and opens a draft pull request (PR). You remain in full control over reviewing and merging the PR.
INFOAutofix is different from Rule-defined fix and Semgrep Multimodal’s Suggested fix. These are separate features with different behaviors and use cases.

Prerequisites

NOTEAutofix is available only for GitHub Cloud repositories.
To use Autofix, you must meet the following requirements:
  • Enable Semgrep Multimodal.
  • Accept Amazon Bedrock or Anthropic’s Claude models.
    • During beta, Semgrep Code does not respect AI model selection.
  • Have at least one GitHub Cloud repository with new or existing Semgrep Code findings.
  • Ensure the Semgrep private GitHub App is installed.
  • Ensure that your GitHub App has Contents: Read and write permissions configured.
    • Note that the Contents: Read and write repository permission is separate from the permissions shown on the GitHub App overview page. You must explicitly set permissions > Contents under Developer Settings > GitHub Apps. This setting is not enabled automatically by the other read/write permissions listed for the app.
If you are an existing Semgrep user and you need to change your Semgrep app’s permissions:
1
In GitHub, navigate to Settings > Developer Settings. You should see your Semgrep App listed in the GitHub Apps tab.
2
Click Edit on the Semgrep app.
3
Navigate to the Permissions & events section.
4
Expand Repository permissions and go to Contents.
5
Click the drop-down menu and select Read and write.
6
Save these settings.
7
Next, navigate back to the main GitHub Settings page. One way to do so is by clicking Settings in GitHub’s website breadcrumbs.
8
In the Applications tab, locate the Semgrep app under the Installed GitHub Apps tab.
9
Click Review request next to the Permission updates requested message, then choose Accept new permissions.

Use Autofix

1
Log in to Semgrep AppSec Platform
2
Click Code to view all SAST findings.
3
Identify the finding you want to Autofix and click the hyperlink on the card to navigate to the finding’s Details page.
4
From the Fix drop-down, select Open Autofix PR.
5
You will see the following message:
Starting to generate Autofix PR. Semgrep is generating an Autofix PR for this finding. A new notification will appear here when the PR is ready.
6
In 2 to 10 minutes, Semgrep generates a proposed fix and opens a draft PR in GitHub.
  • This action is recorded in the Activity section at the bottom of the finding’s Details page.
7
Click View Autofix PR in the FIX DETAILS section to review the newly created PR in GitHub.

PR details

  • The pull request is opened as a draft.
  • Semgrep provides an AI-generated description of the changes in the pull request.
  • The pull request is authored by the Semgrep GitHub App.
  • If your GitHub account is connected to Semgrep, you are automatically mentioned in the pull request.

Findings with open PRs on Semgrep AppSec Platform

You can filter for findings with Autofix PRs directly from the Code page in Semgrep AppSec Platform. Click the To fix drop-down and select To fix to do so. This filter shows findings that have Autofix PRs. It may also include findings that were manually marked as To fix.

Disable Autofix

If you use Semgrep Multimodal, Autofix is enabled by default. To adjust settings:
1
Sign in to Semgrep AppSec Platform
2
Navigate to Settings > General > Code
3
Set the Autofix toggle to enabled or disabled

How Autofix PRs are generated

Autofix generates a proposed change specifically for the PR workflow. This process uses the detected pattern and surrounding code context to produce the fix.

Use of remediation guidance

Autofix PRs are generated independently of Semgrep Multimodal’s Suggested fixes. When Multimodal remediation guidance exists for a finding, the descriptive guidance is used to generate the code changes included in the PR. Because the code changes displayed on findings and PRs are generated separately, the exact changes in an Autofix PR may differ from Multimodal’s suggested fix displayed on the finding.

How memories affect PR generation

At this time, Semgrep Memories do not directly influence Autofix PR generation. Memories may affect PRs indirectly through remediation guidance. If general remediation guidance has been generated and includes information derived from memories, that guidance is passed into the PR generation process. However, memories themselves are not currently sent as direct input when generating the PR.

GitHub permissions and API usage for Autofix

Autofix uses your private Semgrep GitHub App with the permissions below. Use this section for security reviews (for example, which GitHub operations require Contents: Read and write).

Repository permissions

GitHub App permissionWhy Autofix needs it
Contents: ReadClone the repository over HTTPS (shallow, single-branch) so Semgrep can analyze the code and generate a fix. This uses GitHub’s Smart HTTP Git protocol (git-upload-pack).
Contents: WritePush the Autofix branch back to the repository. This uses GitHub’s Smart HTTP Git protocol (git-receive-pack).
Metadata: ReadRead repository metadata, including the default branch, using GET /repos/{owner}/{repo}.
Pull requests: WriteOpen a draft pull request using POST /repos/{owner}/{repo}/pulls.

How repository contents are accessed

Semgrep does not read or write file contents through the REST Contents API (GET or PUT /repos/{owner}/{repo}/contents/{path}). Autofix reads and writes code only through the Git transport layer (clone and push), which still requires the GitHub Contents permissions above.