Secbez Docs

Fix Guidance

How Secbez generates explanations, agent prompts, and verifier-checked patches for every confirmed finding.

Every confirmed finding ships with remediation guidance grounded in the deterministic evidence — not speculation. There are three layers, in order of strictness.

1. Grounded explanation

A plain-language description of the vulnerability, written for the developer who will fix it. The explanation cites the code lines and graph evidence that triggered the finding, and describes what the correct fix looks like. It is generated from the verdict bundle, so it stays consistent with the agent's reasoning.

If the LLM enrichment step fails (timeout, rate limit, outage), Secbez emits a deterministic templated explanation instead. The finding is never blocked on enrichment.

2. Agent prompt

Every finding emits an agent_prompt — a structured, copy-pasteable instruction you can hand to a coding agent (Claude Code, Cursor, your in-house agent). It contains the file, line range, the exploit summary, the constraint that the fix must satisfy, and acceptance criteria.

This is the most reliable surface to consume programmatically. Even when no patch is produced, the agent_prompt is always present.

3. Verifier-checked patch

When a patch can be produced and survives a deterministic verifier, the patch itself is attached to the finding. The verifier checks:

  • The patch parses and type-checks (where applicable).
  • It targets only the lines the finding identified — no unrelated edits.
  • It removes the vulnerability pattern (or introduces a recognized barrier) without breaking adjacent code.
  • It does not introduce new findings of its own.

If verification fails, the patch is dropped and only the explanation + agent_prompt are surfaced. We refuse to ship a patch we cannot defend.
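As an added illustration of the second check above (example code written for this page, not Secbez's own verifier), the Python sketch below maps a unified diff to the original-file lines it touches and reports any that fall outside the finding's range; the file path, line range and patch text are constructed sample values.

```python
import re
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,\d+)? \+\d+(?:,\d+)? @@")

def touched_lines(diff: str) -> dict:
    """Map each file in a unified diff to the original-file line numbers it changes. Removed
    lines count as themselves; an added line is charged to the original line it follows."""
    touched, path, cursor = {}, None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):                        # new-file header names the file
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith(("a/", "b/")) else name
            touched.setdefault(path, set())
        elif path is None or raw.startswith(("--- ", "\\")):
            continue                                      # git/index/old-file header lines
        elif (m := HUNK_RE.match(raw)):
            cursor = int(m.group(1))                      # old-file line this hunk starts at
        elif raw.startswith("-"):
            touched[path].add(cursor)
            cursor += 1
        elif raw.startswith("+"):
            touched[path].add(max(cursor - 1, 1))         # insertion right after the range still counts
        elif raw.startswith(" ") or raw == "":
            cursor += 1                                   # unchanged context line
    return touched

def out_of_scope(diff: str, path: str, start: int, end: int) -> dict:
    """Touched lines the finding did not identify; an empty dict means the patch is in scope."""
    stray = {}
    for p, lines in touched_lines(diff).items():
        bad = lines if p != path else {n for n in lines if not start <= n <= end}
        if bad:
            stray[p] = bad
    return stray

# Constructed sample: the finding flags lines 12-14 of app/handlers.py (string-built SQL);
# the candidate patch parameterises the query but also edits an unrelated import on line 1.
SAMPLE_PATCH = """\
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -1,2 +1,2 @@
-import os
+import os, logging
 import sqlite3
@@ -11,3 +11,3 @@ def load_user(req):
     db = get_db()
-    row = db.execute("SELECT * FROM users WHERE id = " + uid).fetchone()
+    row = db.execute("SELECT * FROM users WHERE id = ?", (uid,)).fetchone()
     return row
"""
```

`out_of_scope(SAMPLE_PATCH, "app/handlers.py", 12, 14)` returns `{'app/handlers.py': {1}}`: the SQL fix is in range, but the stray import edit is enough for a scope check like this to reject the patch and fall back to explanation + agent_prompt.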

Applying fixes

  1. Read the explanation to understand the root cause and the agent's verdict.
  2. Review the suggested patch (if one is attached) and apply or hand-write the fix.
  3. Open a PR. Secbez re-scans the diff and re-evaluates the finding.
  4. If the vulnerable code is gone or replaced by a verified barrier, the finding transitions to fixed.
  5. If the fix only renames the symptom — leaving the underlying construct intact — the finding stays open.

When fixes need human judgment

Patches are intentionally conservative. They will not be produced when:

  • The fix requires choosing a project-specific authorization model (e.g., role lookup vs. ownership check).
  • The fix touches business logic where Secbez can't infer intent.
  • The remediation requires multi-file changes the verifier cannot bound.

In those cases the explanation describes the options and the agent_prompt carries the constraints, but the choice is yours.