This GitHub Action uses patchwork-cli to automatically fix code vulnerabilities in your repository using LLMs.
- Automatically detects vulnerabilities using Semgrep
- Generates fixes using LLMs (OpenAI, local models, or custom endpoints)
- Creates pull requests with the fixes
- Configurable severity and compatibility thresholds
- Supports custom branch naming and PR behavior
A minimal workflow that runs the action monthly and on manual trigger:

```yaml
name: Security AutoFix
on:
  schedule:
    - cron: "0 0 1 * *" # Run once a month
  workflow_dispatch: # Allow manual triggers
jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: patched-codes/[email protected]
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
```

Inputs. One of the following is required:
- `patched_api_key`: Patched API key for using Patched services (Get an API key)
- `openai_api_key`: OpenAI API key for the LLM (Get an API key)

Optional inputs:
- `github_token`: GitHub token for creating pull requests (default: automatically set by GitHub)
- `model`: LLM model to use (default: `gpt-3.5-turbo`)
- `client_base_url`: Base URL for the LLM API (default: `https://api.openai.com/v1`)
- `vulnerability_limit`: Maximum number of vulnerabilities to fix (default: 10; `-1` for no limit)
- `severity`: Minimum severity level (`unknown`/`note`/`info`/`warning`/`low`/`medium`/`error`/`high`/`critical`)
- `compatibility`: Minimum compatibility threshold (`unknown`/`low`/`medium`/`high`)
- `branch_prefix`: Prefix for the created branch
- `disable_branch`: Disable creating new branches
- `disable_pr`: Disable creating pull requests
- `force_pr_creation`: Force push commits to existing PR
Examples.

Using Patched services:

```yaml
- uses: patched-codes/[email protected]
  with:
    patched_api_key: ${{ secrets.PATCHED_API_KEY }}
```

Using OpenAI with a specific model and base URL:

```yaml
- uses: patched-codes/[email protected]
  with:
    openai_api_key: ${{ secrets.OPENAI_API_KEY }}
    model: "gpt-4"
    client_base_url: "https://api.openai.com/v1"
```

Limiting fixes to high-severity findings, at most five per run:

```yaml
- uses: patched-codes/[email protected]
  with:
    patched_api_key: ${{ secrets.PATCHED_API_KEY }}
    severity: "high"
    vulnerability_limit: 5
```

License: MIT
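A fuller workflow, added here as an example and not taken from the project's own README, combining several of the documented inputs with a least-privilege `permissions` block. The assumptions are: `contents: write` and `pull-requests: write` are the scopes `GITHUB_TOKEN` needs to push the fix branch and open the pull request (the README does not state which scopes the action requires), the `branch_prefix` value is illustrative, and the action reference is a placeholder to be replaced with the one shown above.

```yaml
name: Security AutoFix (scoped)
on:
  schedule:
    - cron: "0 0 1 * *" # Run once a month
  workflow_dispatch: # Allow manual triggers

# Assumption (not stated in the README): the default GITHUB_TOKEN only needs
# these two scopes to push a branch and open a PR. All other scopes stay off,
# so a bad LLM-generated change cannot touch anything beyond code and PRs.
permissions:
  contents: write
  pull-requests: write

jobs:
  autofix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Placeholder: use the action reference given in the README above
      - uses: patched-codes/<action>@<version>
        with:
          patched_api_key: ${{ secrets.PATCHED_API_KEY }}
          # Only act on findings rated high or above
          severity: "high"
          # Skip fixes the tool rates as likely to break compatibility
          compatibility: "high"
          # Keep each run reviewable: at most 5 fixes per PR
          vulnerability_limit: 5
          # Illustrative prefix so reviewers can recognise automated branches
          branch_prefix: "autofix/"
          # On the next monthly run, push onto the existing PR instead of
          # opening a new one
          force_pr_creation: true
```

Review each generated PR as you would any external contribution; the token scopes above bound what the workflow can change, not whether the change is correct.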
Contributions are welcome! Please feel free to submit a Pull Request.