
# Auto-Fix & Patches

> Automatically generate fix patches and pull requests for detected vulnerabilities

## How It Works

ZeroPath can automatically generate code fixes for detected vulnerabilities and open pull requests with the remediation. The system analyzes the vulnerability context, writes a targeted fix, and presents it for your review before any changes reach your codebase.

* **AI-generated patches** — fixes are generated by an AI agent that understands the vulnerability, the surrounding code, and the appropriate remediation pattern.
* **Human-in-the-loop** — by default, patches require explicit approval before a PR is created. You review the diff, approve it, and ZeroPath opens the PR.
* **Both SAST and SCA** — code-level vulnerabilities get code fixes; dependency vulnerabilities get version bumps with matching lockfile updates. Auto-fix PRs are supported for both SAST and SCA findings, so dependency patches go through the same review-and-merge workflow as code fixes.

## Requesting a Patch

<Tabs>
  <Tab title="On-Demand (Dashboard)">
    <Steps>
      <Step title="Navigate to a Finding">
        Open any finding in the ZeroPath dashboard.
      </Step>

      <Step title="Generate Patch">
        Click **"Generate Patch"** on the issue detail view. ZeroPath generates a git diff targeting the vulnerability.
      </Step>

      <Step title="Review Changes">
        Review the proposed changes in the dashboard.
      </Step>

      <Step title="Approve or Regenerate">
        Click **"Approve Patch"** to create a PR, or **"Regenerate"** to try again.
      </Step>
    </Steps>
  </Tab>

  <Tab title="Automatic (during Scans)">
    When enabled in scanner settings, patches are generated automatically for qualifying findings:

    * **Full scan auto-patching** — after a full scan completes, patches are queued for findings above the configured score threshold.
    * **PR scan auto-patching** — during PR scanning, fix suggestions are generated and posted as inline code suggestions directly in your pull request. Apply them with one click in your VCS review UI.
  </Tab>
</Tabs>

## Automatic Pull Requests

When you approve a patch (or when auto-PR generation is enabled), ZeroPath:

1. Creates a new branch from your repository's default branch.
2. Applies the fix as a commit with a descriptive message.
3. Opens a pull request with:
   * A clear title describing the fix (e.g., *"Fix SQL injection in user authentication handler"*)
   * A description covering the vulnerability, the fix, the root cause, and the implementation approach.
4. Links the PR back to the finding in ZeroPath for tracking.

### Requesting Follow-Up Changes on GitHub

After ZeroPath opens a GitHub patch PR, reviewers can request changes by
commenting on the PR with `@ZeroPath` or `@zeropath-ai` and a concrete
description of the edit. If ZeroPath can verify that the current PR branch is
the patch branch it created, it commits the requested change to that same branch
and replies with a summary and commit reference.

```text PR comment
@zeropath-ai Please add a regression test for empty usernames
```

If the branch cannot be verified, the branch moved while the request was being
prepared, or the request is unsafe, ambiguous, impossible, or unrelated to the
patch, ZeroPath replies without pushing a commit. See [Bot
Commands](/scanning/bot-commands#github-patch-pr-changes) for details.
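The branch check described above, modelled as an added example (not ZeroPath's code): the repo, branch name and SHAs are constructed placeholders, and the content checks on the request itself (unsafe, ambiguous, unrelated) are not modelled. It shows the two refusal paths, a head that is not the bot's patch branch, and a branch that moved between reading the request and pushing.

```python
"""Model of the check a follow-up request must pass before a commit is pushed.
Constructed example, not ZeroPath's implementation."""
import hashlib

# Assumed record kept when the patch PR was opened: the branch the bot created
# and the commit it last pushed there (constructed values).
PATCH_RECORD = {"repo": "acme/webapp", "branch": "zeropath/fix-1234",
                "head_sha": "a1b2c3"}

# Constructed remote state: branch name -> current head SHA.
REMOTE = {"zeropath/fix-1234": "a1b2c3", "main": "000aaa"}

def verify_patch_branch(record, pr):
    """True only if the PR head is the branch this bot created and its tip is
    still the commit the bot last pushed, i.e. nobody else has written to it.
    A push by someone else before the request was read fails here."""
    return (pr["repo"] == record["repo"]
            and pr["head_ref"] == record["branch"]
            and pr["head_sha"] == record["head_sha"])

def push_follow_up(remote, record, pr, change):
    """Return (outcome, commit_sha). The commit is prepared on the tip seen at
    request time and pushed only if the remote tip is still that SHA, so a
    branch that moved while the change was being prepared is never written to."""
    if not verify_patch_branch(record, pr):
        return ("branch-not-verified", None)
    expected = pr["head_sha"]
    # Stand-in for building the commit on top of `expected`.
    new_sha = hashlib.sha1(f"{expected}:{change}".encode()).hexdigest()[:6]
    if remote.get(record["branch"]) != expected:
        return ("branch-moved", None)          # reply, but push nothing
    remote[record["branch"]] = new_sha         # compare-and-swap succeeded
    record["head_sha"] = new_sha               # next request must build on this
    return ("committed", new_sha)
```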

**Supported VCS platforms for auto-PR:**

| Platform                        | Auto-PR Support |
| ------------------------------- | --------------- |
| GitHub (Cloud & Enterprise)     | Yes             |
| GitLab (Cloud & Self-hosted)    | Yes             |
| Bitbucket (Cloud & Data Center) | Yes             |

### PR Lifecycle Tracking

ZeroPath tracks the status of generated PRs:

* **Open** — PR has been created and is awaiting review.
* **Accepted** — PR was merged. The associated finding is automatically moved to **Resolved**.
* **Rejected** — PR was closed without merging.

## What Can Be Auto-Fixed

### Code Vulnerabilities (SAST)

The AI agent can generate fixes for most code-level security issues, including:

* SQL injection
* XSS
* Path traversal
* Command injection
* SSRF
* Insecure cryptography
* Missing authentication/authorization checks
* and more...

<Warning>
  Some vulnerability types are **not auto-fixable** and will be marked as such:

  * Hardcoded secrets (require manual rotation and migration to a secrets manager)
  * Complex business logic issues (race conditions, multi-system authorization)
  * Architectural issues where the root cause is outside the affected file

  When a finding cannot be auto-fixed, ZeroPath provides **remediation instructions** explaining why the fix could not be generated and what manual steps you should take to resolve the issue.
</Warning>

### Dependency Vulnerabilities (SCA)

For vulnerable dependencies, ZeroPath:

* Queries package registries for the latest non-vulnerable version.
* For **direct dependencies**: updates the version in your manifest file and regenerates the lockfile using the appropriate package manager.
* For **transitive dependencies**: updates the direct parent dependency that pulls in the vulnerable package.
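The direct versus transitive rule above, worked through on a small lockfile-like graph as an added example (not ZeroPath's code): the registry query for the fixed version is assumed to have already happened, the graph and versions are constructed, and versions are assumed to be plain dotted integers.

```python
"""Decide which manifest entry to bump for a vulnerable package.
Constructed example, not ZeroPath code."""
from collections import deque

# Constructed lockfile-like graph: the manifest's direct dependencies plus
# every resolved package and what it requires.
LOCK = {
    "direct": ["express", "lodash"],
    "packages": {
        "express":     {"version": "4.17.1",  "requires": ["qs", "body-parser"]},
        "body-parser": {"version": "1.19.0",  "requires": ["qs"]},
        "qs":          {"version": "6.7.0",   "requires": []},
        "lodash":      {"version": "4.17.15", "requires": []},
    },
}

def _ver(v):
    """Dotted numeric versions only (assumption; no pre-release tags)."""
    return tuple(int(x) for x in v.split("."))

def direct_parents(lock, target):
    """Direct dependencies whose dependency closure pulls in `target`."""
    parents = []
    for root in lock["direct"]:
        seen, queue = set(), deque([root])
        while queue:
            node = queue.popleft()
            if node in seen:
                continue
            seen.add(node)
            if node == target and node != root:
                parents.append(root)
                break
            queue.extend(lock["packages"].get(node, {}).get("requires", []))
    return parents

def plan_bump(lock, vuln_pkg, fixed_version):
    """A direct dependency is bumped itself; a transitive one is reached by
    bumping every direct parent that pulls it in; nothing else is touched."""
    installed = lock["packages"].get(vuln_pkg)
    if installed is None:
        return {"kind": "absent", "bump": [], "to": None}
    if _ver(installed["version"]) >= _ver(fixed_version):
        return {"kind": "already-fixed", "bump": [], "to": None}
    if vuln_pkg in lock["direct"]:
        return {"kind": "direct", "bump": [vuln_pkg], "to": fixed_version}
    parents = direct_parents(lock, vuln_pkg)
    if not parents:
        return {"kind": "absent", "bump": [], "to": None}   # orphan lock entry
    return {"kind": "transitive", "bump": parents, "to": fixed_version}
```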

Supported ecosystems for dependency patching:

* npm / Node.js
* Go modules
* Rust / Cargo
* Ruby / Bundler
* Python / Poetry
* Python / pip
* Maven / Gradle
* and more...

## Configuration

Patch generation settings follow org/tag/repo-level inheritance:

| Setting                        | Default | What It Controls                                        |
| ------------------------------ | ------- | ------------------------------------------------------- |
| **PR scan auto-patching**      | On      | Generate fix suggestions for PR scan findings           |
| **Full scan auto-patching**    | Off     | Auto-generate patches for qualifying full scan findings |
| **Full scan auto-PR creation** | Off     | Automatically open PRs without human approval           |
| **Full scan patch threshold**  | 80      | Minimum priority score (0–100) for auto-patching        |
| **Full scan PR threshold**     | 80      | Minimum priority score for auto-PR creation             |
| **PR title template**          | —       | Custom template for generated PR titles                 |
| **PR description template**    | —       | Custom template for generated PR descriptions           |
| **Branch name format**         | —       | Custom template for fix branch names                    |
| **Commit message format**      | —       | Custom template for fix commit messages                 |
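How the inheritance above and the two full-scan thresholds combine for a single finding, as an added example (not ZeroPath code) that also covers the "Automatic (during Scans)" tab: the key names are illustrative stand-ins for the rows of the table, and repo-over-tag-over-org precedence and `score >= threshold` are assumptions.

```python
"""Model of org/tag/repo setting inheritance and the full-scan qualification it
feeds. Constructed example; key names are stand-ins, not ZeroPath's config keys."""

# Defaults taken from the settings table.
DEFAULTS = {
    "pr_scan_auto_patching": True,
    "full_scan_auto_patching": False,
    "full_scan_auto_pr_creation": False,
    "full_scan_patch_threshold": 80,
    "full_scan_pr_threshold": 80,
}

def resolve_settings(org=None, tag=None, repo=None):
    """Merge layers so the most specific level wins for each key it sets
    (assumed order: defaults < org < tag < repo). Unknown keys are rejected
    rather than silently ignored."""
    settings = dict(DEFAULTS)
    for layer in (org, tag, repo):
        if layer:
            unknown = set(layer) - set(DEFAULTS)
            if unknown:
                raise KeyError(f"unknown setting(s): {sorted(unknown)}")
            settings.update(layer)
    return settings

def full_scan_action(score, settings):
    """What a full-scan finding with this priority score (0-100) qualifies for:
    'none' (no automation), 'patch' (patch queued, PR waits for approval) or
    'pr' (patch queued and PR opened without approval). Auto-PR never fires
    unless the finding also qualified for auto-patching."""
    if not settings["full_scan_auto_patching"]:
        return "none"
    if score < settings["full_scan_patch_threshold"]:
        return "none"
    if (settings["full_scan_auto_pr_creation"]
            and score >= settings["full_scan_pr_threshold"]):
        return "pr"
    return "patch"
```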

### SCA-Specific Settings

| Setting                                   | Default | What It Controls                                  |
| ----------------------------------------- | ------- | ------------------------------------------------- |
| **Auto-create direct dependency PRs**     | Off     | Auto-open PRs for direct dependency CVE fixes     |
| **Direct dependency patch threshold**     | 0       | Score threshold for direct dep auto-PR            |
| **Auto-create transitive dependency PRs** | Off     | Auto-open PRs for transitive dependency CVE fixes |
| **Transitive dependency patch threshold** | 0       | Score threshold for transitive dep auto-PR        |

## Troubleshooting

### GitHub Actions Workflow Permission Error

If a patch modifies a GitHub Actions workflow file (under `.github/workflows/`), PR creation may fail with a permissions error. GitHub requires the **workflows** permission to create or update workflow files via API.

To resolve this:

* **Manually apply the patch** — copy the suggested changes and commit them yourself.
* **Have a repository administrator create the PR** — admins with sufficient permissions can push the workflow change.
* **Grant the workflows permission** — if your organization policy allows it, add the `workflows` permission to the ZeroPath GitHub App installation.

### Repository Rule Violations

If your repository has branch protection rules that enforce commit message formats or branch naming patterns, PR creation may fail. Update your repository rules or adjust ZeroPath's PR branch name and commit message formats in [scanner settings](/platform/scanner-settings), then retry.

## Adoption Guide

1. **Start with on-demand patching** — click "Generate Patch" on individual findings to see the quality of generated fixes for your codebase.
2. **Enable PR scan suggestions** — turn on `prScanAutoPatching` to get fix suggestions as inline comments on your pull requests.
3. **Tune thresholds** — adjust the patch and PR thresholds to focus auto-patching on high-severity findings first.
4. **Enable full scan auto-patching** — once comfortable with patch quality, enable automatic patch generation for full scans.
5. **Consider auto-PR creation** — for teams with fast review cycles, enable auto-PR to get fix branches created automatically.
