# Auto-Fix & Patches

> Automatically generate fix patches and pull requests for detected vulnerabilities

## How It Works

ZeroPath can automatically generate code fixes for detected vulnerabilities and open pull requests with the remediation. The system analyzes the vulnerability context, writes a targeted fix, and presents it for your review before any changes reach your codebase.

* **AI-generated patches** — fixes are generated by an AI agent that understands the vulnerability, the surrounding code, and the appropriate remediation pattern.
* **Human-in-the-loop** — by default, patches require explicit approval before a PR is created. You review the diff, approve it, and ZeroPath opens the PR.
* **Both SAST and SCA** — code-level vulnerabilities get code fixes; dependency vulnerabilities get version bumps with proper lockfile updates.

## Requesting a Patch

<Tabs>
  <Tab title="On-Demand (Dashboard)">
    <Steps>
      <Step title="Navigate to a Finding">
        Open any finding in the ZeroPath dashboard.
      </Step>

      <Step title="Generate Patch">
        Click **"Generate Patch"** on the issue detail view. ZeroPath generates a git diff targeting the vulnerability.
      </Step>

      <Step title="Review Changes">
        Review the proposed changes in the dashboard.
      </Step>

      <Step title="Approve or Regenerate">
        Click **"Approve Patch"** to create a PR, or **"Regenerate"** to try again.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Automatic (during Scans)">
    When enabled in scanner settings, patches are generated automatically for qualifying findings:

    * **Full scan auto-patching** — after a full scan completes, patches are queued for findings above the configured score threshold.
    * **PR scan auto-patching** — during PR scanning, fix suggestions are generated and posted as inline code suggestions directly in your pull request. Apply them with one click in your VCS review UI.
  </Tab>
</Tabs>

## Automatic Pull Requests

When you approve a patch (or when auto-PR generation is enabled), ZeroPath:

1. Creates a new branch from your repository's default branch.
2. Applies the fix as a commit with a descriptive message.
3. Opens a pull request with:
   * A clear title describing the fix (e.g., *"Fix SQL injection in user authentication handler"*)
   * A description covering the vulnerability, the fix, the root cause, and the implementation approach.
4. Links the PR back to the finding in ZeroPath for tracking.

**Supported VCS platforms for auto-PR:**

| Platform                        | Auto-PR Support |
| ------------------------------- | --------------- |
| GitHub (Cloud & Enterprise)     | Yes             |
| GitLab (Cloud & Self-hosted)    | Yes             |
| Bitbucket (Cloud & Data Center) | Yes             |

### PR Lifecycle Tracking

ZeroPath tracks the status of generated PRs:

* **Open** — PR has been created and is awaiting review.
* **Accepted** — PR was merged. The associated finding is automatically moved to **Resolved**.
* **Rejected** — PR was closed without merging.

## What Can Be Auto-Fixed

### Code Vulnerabilities (SAST)

The AI agent can generate fixes for most code-level security issues, including:

* SQL injection
* XSS
* Path traversal
* Command injection
* SSRF
* Insecure cryptography
* Missing authentication/authorization checks
* and more...

<Warning>
  Some vulnerability types are **not auto-fixable** and will be marked as such:

  * Hardcoded secrets (require manual rotation and migration to a secrets manager)
  * Complex business logic issues (race conditions, multi-system authorization)
  * Architectural issues where the root cause is outside the affected file

  When a finding cannot be auto-fixed, ZeroPath provides **remediation instructions** explaining why the fix could not be generated and what manual steps you should take to resolve the issue.
</Warning>

### Dependency Vulnerabilities (SCA)

For vulnerable dependencies, ZeroPath:

* Queries package registries for the latest non-vulnerable version.
* For **direct dependencies**: updates the version in your manifest file and regenerates the lockfile using the appropriate package manager.
* For **transitive dependencies**: updates the direct parent dependency that pulls in the vulnerable package.

Supported ecosystems for dependency patching:

* npm / Node.js
* Go modules
* Rust / Cargo
* Ruby / Bundler
* Python / Poetry
* Python / pip
* Maven / Gradle
* and more...
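
The direct-versus-transitive bump decision described above, as an added illustration that is not ZeroPath's own code: the package names, registry metadata and manifest are constructed, and versions are pinned rather than expressed as real semver ranges so the resolution stays small.

```python
# Added example (not ZeroPath's code) of the direct-vs-transitive bump decision
# described above. Registry metadata and the manifest are constructed and use
# pinned versions instead of real semver ranges to keep the resolution simple.

REGISTRY = {  # name -> version -> that version's own pinned dependencies
    "libfoo": {"1.2.3": {}, "1.2.5": {}},
    "parent-lib": {"2.0.0": {"libfoo": "1.2.3"}, "2.1.0": {"libfoo": "1.2.5"}},
    "stuck-lib": {"1.0.0": {"libfoo": "1.2.3"}},  # no release drops the bad version
    "express-like": {"4.18.2": {}},
}
MANIFEST = {"express-like": "4.18.2", "parent-lib": "2.0.0", "stuck-lib": "1.0.0"}

def vkey(v):
    """Numeric sort key for dotted versions ("4.17.21" -> (4, 17, 21))."""
    return tuple(int(p) for p in v.split("."))

def closure(pkg, version, registry, seen=None):
    """Every (name, version) reachable from pkg@version through the registry."""
    seen = set() if seen is None else seen
    if (pkg, version) not in seen:
        seen.add((pkg, version))
        for dep, dv in registry[pkg][version].items():
            closure(dep, dv, registry, seen)
    return seen

def still_vulnerable(pairs, vuln_pkg, fixed_in):
    return any(n == vuln_pkg and vkey(v) < vkey(fixed_in) for n, v in pairs)

def plan_bump(manifest, registry, vuln_pkg, fixed_in):
    """Return (kind, package, from, to) tuples. Direct: bump the vulnerable package
    itself to the lowest fixed release. Transitive: bump each direct parent whose
    subtree contains it; `to` is None when no parent release resolves it."""
    if vuln_pkg in manifest:
        fixed = min((v for v in registry[vuln_pkg] if vkey(v) >= vkey(fixed_in)), key=vkey)
        return [("direct", vuln_pkg, manifest[vuln_pkg], fixed)]
    plan = []
    for parent, current in manifest.items():
        if not still_vulnerable(closure(parent, current, registry), vuln_pkg, fixed_in):
            continue
        newer = sorted((v for v in registry[parent] if vkey(v) > vkey(current)), key=vkey)
        clean = next((v for v in newer
                      if not still_vulnerable(closure(parent, v, registry), vuln_pkg, fixed_in)), None)
        plan.append(("transitive", parent, current, clean))
    return plan
```

A `None` target is the case a reviewer must handle by hand: the parent has no release that stops pulling in the vulnerable version.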

## Configuration

Patch generation settings follow org/tag/repo-level inheritance:

| Setting                        | Default | What It Controls                                        |
| ------------------------------ | ------- | ------------------------------------------------------- |
| **PR scan auto-patching**      | On      | Generate fix suggestions for PR scan findings           |
| **Full scan auto-patching**    | Off     | Auto-generate patches for qualifying full scan findings |
| **Full scan auto-PR creation** | Off     | Automatically open PRs without human approval           |
| **Full scan patch threshold**  | 80      | Minimum priority score (0–100) for auto-patching        |
| **Full scan PR threshold**     | 80      | Minimum priority score for auto-PR creation             |
| **PR title template**          | —       | Custom template for generated PR titles                 |
| **PR description template**    | —       | Custom template for generated PR descriptions           |
| **Branch name format**         | —       | Custom template for fix branch names                    |
| **Commit message format**      | —       | Custom template for fix commit messages                 |

### SCA-Specific Settings

| Setting                                   | Default | What It Controls                                  |
| ----------------------------------------- | ------- | ------------------------------------------------- |
| **Auto-create direct dependency PRs**     | Off     | Auto-open PRs for direct dependency CVE fixes     |
| **Direct dependency patch threshold**     | 0       | Score threshold for direct dep auto-PR            |
| **Auto-create transitive dependency PRs** | Off     | Auto-open PRs for transitive dependency CVE fixes |
| **Transitive dependency patch threshold** | 0       | Score threshold for transitive dep auto-PR        |
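
The inheritance and threshold gating described by the two tables, as an added illustration that is not ZeroPath's own code: only `prScanAutoPatching` is a key the page names; the other key names, the org, then tag, then repo precedence, and the rule that an automatic PR still has to pass the patch gate are assumptions.

```python
# Added example (not ZeroPath's code): models the org/tag/repo inheritance and
# threshold gating documented in the tables above. Only `prScanAutoPatching` is
# a key named on the page; the other keys and the merge order are assumptions.

DEFAULTS = {  # defaults copied from the two settings tables
    "prScanAutoPatching": True,
    "fullScanAutoPatching": False,
    "fullScanAutoPrCreation": False,
    "fullScanPatchThreshold": 80,  # minimum priority score, 0-100
    "fullScanPrThreshold": 80,
    "autoCreateDirectDependencyPrs": False,
    "directDependencyPatchThreshold": 0,
    "autoCreateTransitiveDependencyPrs": False,
    "transitiveDependencyPatchThreshold": 0,
}

def resolve_settings(org=None, tag=None, repo=None):
    """Layer org, then tag, then repo overrides onto the defaults so the most
    specific level wins (assumed precedence). Unknown keys are rejected so a
    typo cannot silently leave a control at its default."""
    effective = dict(DEFAULTS)
    for layer in (org or {}, tag or {}, repo or {}):
        unknown = set(layer) - set(DEFAULTS)
        if unknown:
            raise KeyError(f"unknown setting(s): {sorted(unknown)}")
        effective.update(layer)
    return effective

# SCA finding kinds map to the flag and threshold gating their auto-PR creation.
SCA_GATES = {
    "direct": ("autoCreateDirectDependencyPrs", "directDependencyPatchThreshold"),
    "transitive": ("autoCreateTransitiveDependencyPrs", "transitiveDependencyPatchThreshold"),
}

def full_scan_action(kind, score, settings, auto_fixable=True):
    """Return 'none' (on-demand only), 'patch' (queued for human approval) or
    'pr' (opened without approval) for one full-scan finding."""
    if not 0 <= score <= 100:
        raise ValueError("priority score must be in 0-100")
    if not auto_fixable:  # e.g. hardcoded secrets: remediation instructions only
        return "none"
    if kind == "sast":
        if not (settings["fullScanAutoPatching"] and score >= settings["fullScanPatchThreshold"]):
            return "none"
        # Assumption: an automatic PR still requires the patch gate above to pass.
        if settings["fullScanAutoPrCreation"] and score >= settings["fullScanPrThreshold"]:
            return "pr"
        return "patch"
    flag, threshold = SCA_GATES[kind]  # KeyError for an unknown kind
    return "pr" if settings[flag] and score >= settings[threshold] else "none"
```

With the defaults, a score-95 full-scan finding gets nothing automatic because `fullScanAutoPatching` is off; a repo-level threshold of 60 under an org that enabled auto-patching queues a score-75 finding for approval.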

## Adoption Guide

1. **Start with on-demand patching** — click "Generate Patch" on individual findings to see the quality of generated fixes for your codebase.
2. **Enable PR scan suggestions** — turn on `prScanAutoPatching` to get fix suggestions as inline comments on your pull requests.
3. **Tune thresholds** — adjust the patch and PR thresholds to focus auto-patching on high-severity findings first.
4. **Enable full scan auto-patching** — once comfortable with patch quality, enable automatic patch generation for full scans.
5. **Consider auto-PR creation** — for teams with fast review cycles, enable auto-PR to get fix branches created automatically.
