Auto-Remediation

Overview

Auto-remediation is Pensar’s most powerful feature - the ability to automatically fix identified security vulnerabilities in your codebase. When source code access is provided, Pensar can map vulnerabilities to specific code locations, generate fixes, verify those fixes work, and optionally create pull requests automatically.

Auto-remediation is available for projects with source code access via VCS integration (GitHub, GitLab, Bitbucket) or uploaded zip files.

How Auto-Remediation Works

The auto-remediation process follows a systematic approach to ensure fixes are correct and effective:

Vulnerability Discovery

During whitebox testing, Pensar identifies a security vulnerability with precise code location (file, function, line number).

Map to Source Code

The vulnerability is mapped to the exact location in your source code, including:

Affected files and line numbers
Surrounding code context
Data flow analysis
Root cause identification

Plan a Fix

AI analyzes the vulnerability and plans an appropriate remediation:

Identifies the vulnerability type and pattern
Considers your code style and conventions
Selects the most appropriate fix strategy
Plans minimal code changes to resolve the issue

Apply the Fix

The planned fix is applied to your source code:

Code is modified using best practices
Additional security controls are added if needed
Comments are added explaining the security fix

Verify with POC

The previously generated proof-of-concept (POC) is re-run against the fixed code to verify:

The vulnerability is actually resolved
The fix doesn’t break functionality
No new vulnerabilities were introduced

Loop Until Complete

If verification fails, the process repeats:

Analyze why the fix didn’t work
Generate an improved fix
Re-verify until successful

This iterative approach ensures fixes are correct before being committed.

Create Pull Request

If auto-PR creation is enabled in project settings, Pensar:

Creates a new branch with the security fix
Commits all changes with detailed commit messages
Opens a pull request in your VCS (GitHub, GitLab, or Bitbucket)
Includes PR title and description with vulnerability details
Links back to the Pensar Console for full context

Pull request creation can be enabled/disabled in your project settings under “Patching” → “Auto Open PRs”.

Supported Vulnerability Types

Auto-remediation works for a wide range of security vulnerabilities:

Injection Vulnerabilities

Automatically fix injection attacks including:

SQL Injection: Implement parameterized queries or prepared statements
XSS (Cross-Site Scripting): Add proper output encoding and sanitization
Command Injection: Sanitize inputs and use safe APIs
LDAP Injection: Implement proper escaping
XML Injection: Add XML parsing safeguards

Authentication & Authorization

Fix authentication and access control issues:

Broken Authentication: Strengthen authentication mechanisms
Insecure Password Storage: Implement secure hashing (bcrypt, Argon2)
Missing Authorization Checks: Add proper authorization validation
Privilege Escalation: Implement principle of least privilege
Insecure Session Management: Fix session handling and expiration

Data Exposure

Prevent sensitive data leaks:

Sensitive Data in Logs: Remove or redact sensitive information
Information Disclosure: Remove debug information from production
Insufficient Encryption: Implement proper encryption
Insecure Data Storage: Add encryption at rest
Excessive Data Exposure: Limit API response data

Security Misconfigurations

Correct configuration issues:

Default Credentials: Remove hardcoded credentials
Insecure Defaults: Apply security hardening
Verbose Error Messages: Implement generic error responses
Missing Security Headers: Add security headers
CORS Misconfigurations: Restrict origins appropriately

Cryptographic Issues

Fix cryptography vulnerabilities:

Weak Cryptographic Algorithms: Upgrade to strong algorithms
Hardcoded Secrets: Move secrets to secure storage
Insecure Random Number Generation: Use cryptographically secure RNG
Insufficient Entropy: Improve randomness sources

Business Logic Flaws

Address application logic vulnerabilities:

Race Conditions: Add proper locking mechanisms
TOCTOU Issues: Implement atomic operations
Price Manipulation: Add server-side validation
Workflow Bypass: Strengthen state validation
Mass Assignment: Implement allowlists for parameters

Automatic Pull Request Creation

When configured, Pensar can automatically create pull requests with security fixes:

PR Configuration Options

GitHub

GitLab

Bitbucket

Configure automatic PR creation for GitHub repositories:

Auto-create PRs: Enable/disable automatic PR creation
Target Branch: Specify branch to create PRs against (usually main or develop)
PR Labels: Apply labels like security, automated-fix, pensar
Severity Filter: Only create PRs for vulnerabilities above a certain severity
Require Review: Optionally require manual review before merging

PRs include:

Detailed vulnerability description and severity
Code changes with before/after comparison
Proof-of-concept that was used for verification
Explanation of the fix and why it works
Link to the Pensar Console for more details

Example Pull Request

A typical auto-remediation PR includes:

1 ## 🔒 Security Fix: SQL Injection in User Login
2 
3 **Severity**: High
4 **CWE**: CWE-89 (SQL Injection)
5 **Pensar Scan**: [View Details](https://console.pensar.dev/scans/abc123)
6 
7 ### Vulnerability Description
8 
9 An SQL injection vulnerability was discovered in the user login endpoint.
10 User input is concatenated directly into SQL queries without parameterization,
11 allowing attackers to inject malicious SQL code.
12 
13 ### Affected Code
14 
15 File: `src/auth/login.ts`
16 Lines: 45-47
17 
18 ### Fix Applied
19 
20 Replaced string concatenation with parameterized queries using prepared statements.
21 This prevents user input from being interpreted as SQL code.
22 
23 ### Verification
24 
25 The security fix was verified by re-running the proof-of-concept exploit.
26 The vulnerability is now resolved and the application properly rejects malicious input.
27 
28 ---
29 
30 🤖 This PR was automatically generated by Pensar

Remediation Workflow

Manual Review Workflow

For teams that prefer manual oversight:

Receive Notification

Get notified when a vulnerability is found and a fix is available.

Review in Console

Examine the vulnerability details, fix, and verification results in Pensar Console.

Approve Auto-Fix

If the fix looks correct, approve it to create a pull request.

Code Review

Review the pull request like any other code change.

Merge

Merge the PR to deploy the security fix.

Automated Workflow

For teams that want maximum automation:

Continuous Scanning

Pensar continuously scans your code for vulnerabilities.

Automatic Fixing

When vulnerabilities are found, fixes are generated and verified automatically.

Auto-PR Creation

Pull requests are created automatically for approved severity levels.

Optional Auto-Merge

For low-severity fixes, optionally enable auto-merge after CI passes.

We recommend manual review for High and Critical severity vulnerabilities, even with automated workflows enabled.

Configuration Options

Customize auto-remediation behavior in your project settings:

Severity Filters

Control which vulnerabilities trigger auto-remediation:

Critical: Always auto-remediate
High: Auto-remediate after manual approval
Medium: Generate fix but don’t create PR
Low: Report only, no auto-remediation

PR Settings

Configure pull request behavior:

Auto-create: Automatically create PRs for fixes
Require approval: Require manual approval before PR creation
Auto-assign reviewers: Assign specific team members to review
Apply labels: Tag PRs with custom labels
Branch strategy: Target branch for PRs

Notification Settings

Stay informed about remediation activities:

Email notifications for new vulnerabilities
Slack/Teams integration for PR creation
Webhook notifications for custom integrations

Limitations and Considerations

Complex Business Logic

Some complex business logic vulnerabilities may require manual review:

Fixes that impact multiple interconnected systems
Changes requiring business rule validation
Modifications to critical authentication logic

In these cases, Pensar provides detailed remediation guidance but may not auto-fix.

Breaking Changes

Auto-remediation aims for non-breaking fixes, but some security fixes may require:

API contract changes
Database schema modifications
Updated client code

These are flagged for manual review with migration guidance.

Test Coverage

While Pensar verifies fixes using generated POCs, we recommend:

Running your existing test suite
Validating fixes in staging environments
Monitoring production after deployment

False Positives

In rare cases, Pensar may generate unnecessary fixes:

Review automated PRs before merging
Report false positives to improve accuracy
Configure severity filters to reduce noise

Best Practices

Start with Manual Approval

When first enabling auto-remediation:

Require manual approval for all fixes
Review several PRs to build confidence
Gradually increase automation level
Enable full automation for low-severity issues first

Use Staging Environments

Deploy fixes to staging before production:

Test auto-remediation fixes thoroughly
Validate functionality isn’t broken
Monitor for unexpected behavior
Only then merge to production

Maintain Test Coverage

Ensure good test coverage:

Automated tests catch regressions
Tests verify fixes don’t break functionality
CI/CD pipelines validate PRs automatically

Monitor and Iterate

Continuously improve your remediation process:

Review PR quality and accuracy
Adjust severity thresholds as needed
Provide feedback on fixes
Refine automation settings over time

Next Steps

Whitebox Testing

Learn about whitebox testing that enables auto-remediation.

Getting Started

Set up your workspace and connect source code to enable auto-remediation.

Authentication

Configure authentication for comprehensive vulnerability testing.

Adding Domains

Add and verify domains for testing against live environments.