Agent Mag
SUBSCRIBE
Tools/PR Security Auto-Fix
All Tools
Featured tool

PR Security Auto-Fix

Live
Agent Mag · Developer Tools
MIT LicenseOpen SourceDeveloper Tools

PR Security Auto-Fix is a GitHub Action that runs on pull requests, scans changed files for concrete security vulnerabilities, filters noisy best-practice findings, generates safe search-and-replace patches, and commits validated fixes directly to trusted PR branches. It covers injection, auth bypass, data exposure, XSS, SSRF, unsafe config, and AI-agent tool risks.

TL;DR

PR Security Auto-Fix is a GitHub Action that reviews pull requests for concrete security vulnerabilities, generates safe patches, and commits validated fixes directly to trusted PR branches.

GitHub ActionSecurityAuto-FixGPT-5.4MIT
npx agentmag add tool pr-security-auto-fix
View on GitHub

What is PR Security Auto-Fix?

PR Security Auto-Fix is an AI-powered GitHub Action that audits pull requests for high-confidence security issues with real exploit paths.

It focuses on vulnerabilities developers actually need to fix before merge: injection, auth bypass, tenant isolation failures, data exposure, unsafe rendering, SSRF, and AI-agent tool abuse paths.

For the CLI workflow, install the tool with the command above and let the generated workflow run automatically on each pull request.

Features

Scans PR diffs for high-confidence security vulnerabilities
Auto-fixes safe HIGH and MEDIUM findings with exact search-and-replace patches
Skips forked PRs by default with trusted-only guardrails
Posts branded PR comment with verdict, exploit scenario, and fix summary
GPT-5.4 primary, Claude Opus 4.6 fallback — dual model support
Optional validation command before committing fixes
False-positive filtering for DoS, rate limits, docs, tests, and generic hardening
MIT licensed — fork and tune the security rulebook

Use Cases

  • Teams that want security review on every pull request before merge
  • Repositories with API routes, auth flows, database queries, or agent tool execution
  • Open-source projects that want high-signal security comments without noisy SAST output
  • AI agent apps that need guardrails around privileged tools, secrets, and shell/network access

How It Works

1PR opened or updated on your repo
2Skips untrusted forked PRs by default
3Fetches changed files + diffs via GitHub API
4GPT-5.4 scans for concrete exploit paths (Claude Opus 4.6 fallback)
5Safe patches are validated with exact unique search strings
6Fixes are committed to the PR branch and summarized in a branded comment

PR Security Auto-Fix vs. manual review

PR Security Auto-Fix

Runs automatically on trusted pull requests, flags high-confidence vulnerabilities, commits safe local fixes, and leaves remaining exploit details in a branded review comment.

Manual security review

Depends on reviewer availability, often happens late, and can miss simple patchable issues like unsafe query construction, missing server-side checks, and sensitive logging.

Add PR Security Auto-Fix to your project

One command to install. Works with GitHub pull request workflows.

Building an agent tool? Submit your AI agent tool to the free tools directory or get featured placement.

Explore Further