Skip to main content

Fixing Issues and Remediation

Transform your AI Scanner findings into secure, high-quality code using intelligent fix recommendations, automated patches, and proven remediation strategies.

One-Click AI-Powered Fixes

The most powerful feature of AI Scanner is the ability to automatically fix many detected issues with a single click. One-Click Fix Button

How One-Click Fixes Work

When viewing an issue’s details, you’ll see the “Fix with Gammacode Issue Hunter” button for issues that support automated remediation:
  1. Analysis - AI examines the vulnerable code and surrounding context
  2. Solution Generation - Creates a secure, tested fix that preserves functionality
  3. Code Replacement - Applies the fix directly to your repository
  4. Verification - Ensures the fix doesn’t break existing functionality

Supported Fix Types

Injection Vulnerabilities

  • SQL Injection - Converts to parameterized queries
  • NoSQL Injection - Implements proper input validation
  • Command Injection - Sanitizes system commands
  • XSS Prevention - Adds output encoding and validation

Authentication & Authorization

  • Weak Authentication - Strengthens authentication mechanisms
  • Session Management - Implements secure session handling
  • Access Control - Adds proper authorization checks
  • Password Security - Improves password handling

Data Security

  • Encryption Issues - Implements proper encryption
  • Data Validation - Adds input sanitization
  • Output Encoding - Prevents data leakage
  • Secure Headers - Adds security headers

Manual Remediation Strategies

For issues that require manual intervention, AI Scanner provides comprehensive guidance.

Understanding the Vulnerability

Before fixing any issue, ensure you understand:

Root Cause Analysis

  • What makes this code vulnerable?
  • How could an attacker exploit this?
  • What data or functionality is at risk?
  • What are the business implications?

Impact Assessment

  • Confidentiality Impact - Could sensitive data be exposed?
  • Integrity Impact - Could data be modified or corrupted?
  • Availability Impact - Could the system be disrupted?
  • Compliance Impact - Does this affect regulatory requirements?

Common Remediation Patterns

Input Validation and Sanitization

Problem: Unvalidated user input leads to injection attacks Solution Pattern: 
// Before (Vulnerable)
const query = `SELECT * FROM users WHERE id = ${userId}`;

// After (Secure)
const query = 'SELECT * FROM users WHERE id = ?';
const result = await db.query(query, [userId]);
Key Principles:
  • Validate all input at application boundaries
  • Use whitelist validation when possible
  • Sanitize data before processing
  • Use parameterized queries for database operations

Output Encoding

Problem: Unencoded output enables XSS attacks Solution Pattern: 
// Before (Vulnerable)
document.innerHTML = userContent;

// After (Secure)
document.textContent = userContent;
// or
document.innerHTML = escapeHTML(userContent);
Key Principles:
  • Encode output based on context (HTML, JavaScript, CSS, URL)
  • Use framework-provided encoding functions
  • Never trust user-provided content
  • Implement Content Security Policy (CSP)

Authentication Strengthening

Problem: Weak authentication mechanisms Solution Pattern: 
// Before (Weak)
if (password === storedPassword) {
    // login success
}

// After (Strong)
const isValid = await bcrypt.compare(password, hashedPassword);
if (isValid && !accountLocked && !sessionExpired) {
    // implement additional security checks
}
Key Principles:
  • Use strong hashing algorithms (bcrypt, Argon2)
  • Implement account lockout mechanisms
  • Add multi-factor authentication
  • Use secure session management

Authorization Implementation

Problem: Missing or inadequate access controls Solution Pattern: 
// Before (Missing Authorization)
app.get('/admin/users', (req, res) => {
    res.json(getAllUsers());
});

// After (Proper Authorization)
app.get('/admin/users', requireAuth, requireRole('admin'), (req, res) => {
    res.json(getAllUsers());
});
Key Principles:
  • Implement role-based access control (RBAC)
  • Verify permissions for every request
  • Use principle of least privilege
  • Implement defense in depth

Secure Coding Best Practices

Security by Design

Threat Modeling

  1. Identify Assets - What needs protection?
  2. Identify Threats - What could go wrong?
  3. Assess Risk - What’s the likelihood and impact?
  4. Design Controls - How to mitigate risks?

Secure Development Lifecycle

  1. Requirements - Include security requirements
  2. Design - Design security controls
  3. Implementation - Follow secure coding practices
  4. Testing - Include security testing
  5. Deployment - Secure configuration
  6. Maintenance - Regular security updates

Framework-Specific Guidance

Node.js / Express Security

// Security headers middleware
app.use(helmet());

// Rate limiting
const rateLimit = require('express-rate-limit');
app.use(rateLimit({
    windowMs: 15 * 60 * 1000, // 15 minutes
    max: 100 // limit each IP to 100 requests per windowMs
}));

// Input validation
const { body, validationResult } = require('express-validator');
app.post('/user', [
    body('email').isEmail(),
    body('password').isLength({ min: 8 })
], (req, res) => {
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
        return res.status(400).json({ errors: errors.array() });
    }
    // Process validated input
});

React Security

// Prevent XSS in React
function UserProfile({ user }) {
    return (
        <div>
            {/* Safe - React automatically escapes */}
            <h1>{user.name}</h1>
            
            {/* Dangerous - avoid dangerouslySetInnerHTML */}
            <div dangerouslySetInnerHTML={{__html: user.bio}} />
            
            {/* Safe alternative - use a sanitization library */}
            <div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(user.bio)}} />
        </div>
    );
}

Python Flask Security

from flask import Flask, request
from werkzeug.security import generate_password_hash, check_password_hash
import bleach

app = Flask(__name__)

@app.route('/user', methods=['POST'])
def create_user():
    # Input validation
    email = request.form.get('email')
    if not email or '@' not in email:
        return 'Invalid email', 400
    
    # Sanitize input
    name = bleach.clean(request.form.get('name'))
    
    # Secure password handling
    password = request.form.get('password')
    password_hash = generate_password_hash(password)
    
    # Safe database operation
    cursor.execute(
        'INSERT INTO users (email, name, password_hash) VALUES (?, ?, ?)',
        (email, name, password_hash)
    )

Secret Remediation

Immediate Response to Exposed Secrets

Step 1: Assess the Exposure

  • What type of secret was exposed?
  • How long was it accessible?
  • What systems does it provide access to?
  • Who might have had access to the repository?

Step 2: Revoke Compromised Credentials

  1. Immediately revoke the exposed credentials
  2. Generate new credentials with appropriate permissions
  3. Update applications to use new credentials
  4. Monitor for unauthorized access using the old credentials

Step 3: Remove from Version History

# Remove secrets from Git history
git filter-branch --force --index-filter \
'git rm --cached --ignore-unmatch path/to/file/with/secret' \
--prune-empty --tag-name-filter cat -- --all

# Force push to remote (use with caution)
git push origin --force --all

Step 4: Implement Secret Management

  • Use environment variables for configuration
  • Implement secret management tools (HashiCorp Vault, AWS Secrets Manager)
  • Use CI/CD secret injection for deployment credentials
  • Implement secret scanning in your development workflow

Preventing Future Secret Exposure

Development Practices

# Use environment variables
export DATABASE_URL="postgresql://user:pass@localhost/db"

# Use .env files (excluded from git)
echo "*.env" >> .gitignore

// In your application
const dbUrl = process.env.DATABASE_URL;
if (!dbUrl) {
    throw new Error('DATABASE_URL environment variable is required');
}

Pre-commit Hooks

# .pre-commit-config.yaml
repos:
-   repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
    -   id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

Testing Your Fixes

Verification Strategies

Functional Testing

  • Unit Tests - Ensure fixes don’t break functionality
  • Integration Tests - Verify system components work together
  • End-to-End Tests - Test complete user workflows
  • Regression Tests - Ensure old issues don’t reappear

Security Testing

  • Re-scan with AI Scanner - Verify issues are resolved
  • Penetration Testing - Manual testing of security controls
  • Code Review - Peer review of security fixes
  • Static Analysis - Additional automated security scanning

Performance Testing

  • Load Testing - Ensure security fixes don’t impact performance
  • Stress Testing - Verify system stability under load
  • Resource Monitoring - Check memory and CPU usage
  • Response Time Analysis - Monitor application responsiveness

Building a Security Culture

Team Education

Security Training

  • Regular Security Workshops - Keep team updated on threats
  • Code Review Training - Teach secure code review practices
  • Incident Response Training - Prepare for security incidents
  • Tool Training - Ensure team knows how to use security tools

Knowledge Sharing

  • Security Champions - Designate security advocates on each team
  • Brown Bag Sessions - Regular informal security discussions
  • Documentation - Maintain security guidelines and standards
  • Lessons Learned - Share insights from security incidents

Process Integration

Development Workflow

  1. Security Requirements - Include in project planning
  2. Secure Design - Review designs for security implications
  3. Secure Implementation - Follow secure coding practices
  4. Security Testing - Include in testing procedures
  5. Security Review - Review before deployment
  6. Monitoring - Continuous security monitoring

Continuous Improvement

  • Regular Security Assessments - Periodic security reviews
  • Metrics Tracking - Monitor security improvement trends
  • Tool Evaluation - Regularly assess security tooling
  • Process Refinement - Continuously improve security processes
Effective remediation goes beyond fixing individual vulnerabilities—it’s about building secure development practices that prevent future issues and create a culture of security awareness.

Next Steps

Understanding Results

Learn how to interpret and prioritize scan findings

Start Scanning

Access AI Scanner and begin securing your code
I