Auto-fix vulnerabilities
Learn how Pensar uses AI to generate patches or code changes that can be applied to fix security vulnerabilities.
How Pensar uses AI to generate security patches
A “scan” in Pensar does not just mean finding and reporting vulnerabilities. Pensar does everything from detection, to triaging, to generating patches (remediation).
When a vulnerability is detected in your codebase, Pensar will go through the following steps:
Triage/verification
Pensar’s AI agent reviews each vulnerability found to verify whether it is a false positive. This is how we filter our security alerts to be as high signal as possible and focus only on the issues that matter to your specific codebase/application.
We call this our “triage” workflow. It takes advantage of the context we collected when you added your repository to the Pensar Console (use case, description, libraries and/or dependencies used, etc.) to determine which detected vulnerabilities have a high likelihood of exploitability and which are just false alarms.
Pensar’s agent conducts a multi-step process including analyzing dataflow (identifying the source, sink and taint of data passed to a vulnerable function/method), generating example exploit chains, and simulating malicious behavior.
The outcome of this workflow is a false positive rating that includes a confidence score and a plain-English explanation of the agent’s reasoning.
If the agent is highly confident that the detected vulnerability is a false positive, Pensar will not alert the user of its presence and will not generate a patch.
All false positives can be seen in the False positive tab in the issue view of a project.
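As an added illustration (not Pensar’s own code), here is a toy version of the source/sink/taint reasoning the triage step performs, producing the kind of false-positive rating described above; the flow graph, per-sink sanitizer table and confidence values are constructed assumptions:

```python
"""Toy triage: does tainted data reach a sink without passing a sanitizer?"""
from collections import deque

# Constructed sample: "value of A flows into B" edges (assignments, arguments)
# for two findings in one small request handler.
FLOWS = [
    ("request.args['q']", "q"),
    ("q", "escaped"),               # escaped = html.escape(q)
    ("escaped", "render(...)"),     # finding 1: HTML output sink
    ("request.args['id']", "uid"),
    ("uid", "query"),               # query = f"... WHERE id={uid}"
    ("query", "cursor.execute"),    # finding 2: SQL sink
]
SOURCES = {"request.args['q']", "request.args['id']"}
# A sanitizer only neutralises taint for its matching sink class:
# html.escape protects HTML output, not a SQL query (assumed table).
SANITIZERS_FOR_SINK = {"render(...)": {"escaped"}, "cursor.execute": {"params"}}


def unsanitized_paths(sink, flows=FLOWS, sources=SOURCES):
    """Return every source-to-sink path that never passes a sanitizer for this sink."""
    sanitizers = SANITIZERS_FOR_SINK.get(sink, set())
    preds = {}
    for src, dst in flows:
        preds.setdefault(dst, []).append(src)
    paths, queue = [], deque([[sink]])
    while queue:                        # walk backwards from the sink
        path = queue.popleft()
        node = path[0]
        if node in sanitizers:
            continue                    # taint neutralised on this path
        if node in sources:
            paths.append(path)
            continue
        for pred in preds.get(node, []):
            if pred not in path:        # guard against cycles
                queue.append([pred] + path)
    return paths


def triage(finding_sink):
    """False-positive rating: verdict, confidence (assumed values) and explanation."""
    paths = unsanitized_paths(finding_sink)
    if paths:
        return {"false_positive": False, "confidence": 0.9,
                "explanation": "tainted data reaches %s via %s"
                               % (finding_sink, " -> ".join(paths[0]))}
    return {"false_positive": True, "confidence": 0.8,
            "explanation": "every source reaching %s passes a sanitizer" % finding_sink}
```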
Patch generation
After all false positives have been filtered out, Pensar will then launch our auto-remediation or patch generation agent that will generate a security patch (in the form of code changes) that can be applied to your codebase to fix the vulnerability.
This agent uses the context gathered during project creation, the analysis done during the triage/verification workflow, and any external information it can collect on the vulnerability itself from databases like MITRE CWE.
The agent also gathers context about any third-party libraries in use and the existing coding patterns, utility functions, etc. used throughout your codebase, so that the generated patch follows your coding style, reuses relevant functions you’ve already written, and avoids introducing new third-party dependencies or changes that break business logic. The goal is a security patch that integrates seamlessly into your codebase with minimal extra effort from developers.
You can apply patches manually through the Pensar Console by navigating to a specific issue and clicking Apply patch.
If you have auto-PRs enabled, Pensar will automatically submit patches through pull requests.
Now all you have to do is follow your usual code review process to merge and apply the patch.
Our system tracks the lifecycle of a patch so that if you merge a pull request containing a patch, the issue will reflect as closed in the Pensar Console.