We describe a patchflow for creating a customizable AutoFix tool that can automatically detect and fix software vulnerabilities using large language models (LLMs).
In this blog post we will look at creating our own AutoFix tool that can automatically detect and fix software vulnerabilities. In the past year, we have seen existing application security vendors, development tool providers, and new startups release tools that use LLMs to help fix vulnerabilities in code. However, none of these tools is flexible: they do not give users complete control over their configuration and prompts, and they usually do not allow you to use your own local LLMs or self-host the solution. Recently, we partnered with OpenAI and shared how we built the state-of-the-art (SOTA) fine-tuned model for vulnerability remediation. We have also fine-tuned open-weight models like Llama-3.1. Building on top of our fine-tuning work, we will show how you can build your own AutoFix-like tool using our open-source framework patchwork.
The first step is to get a copy of the code you are looking to analyze: clone the code repository and then run a scan to detect the vulnerabilities. Note that there are static analyzers that work on binaries or bytecode to detect vulnerabilities. But unlike plain static analysis, where the goal is only to find issues, here we need access to the source code, because it is required for patch generation when fixing the vulnerabilities.