Skip to content
Book demo
Back to Guides

Vulnerability Remediation: From Scan to Merge in AI Pipelines

Jul 3, 2026
Molisha Shah
Molisha Shah
Vulnerability Remediation: From Scan to Merge in AI Pipelines

A scan-to-merge remediation workflow detects, triages, prioritizes, fixes, and gates each finding before production. Friction concentrates at two handoffs: false positives bury real findings during scan-to-triage, and AI-generated patches must prove correctness during fix-to-PR before reviewers can accept them.

TL;DR

SAST findings move through triage, risk-based prioritization, fix generation, and PR gating before merge. Conventional workflows create a handoff gap when dashboard-only findings stay outside the developer review path. Unfiltered false positives also dilute attention. This guide maps each stage, shows where agentic autofix fits, and explains why human verification remains the merge boundary for AI patches.

Developers feel the remediation bottleneck when a dashboard shows a backlog of findings, the PR has only one changed line, and CI passes an automated fix that still fails review. Pipelines can assign Dependabot alerts to AI agents, run Copilot Autofix against CodeQL findings, and gate merges on severity thresholds. Reviewers still need to confirm that the patch removes the vulnerable code path, passes regression tests, and does not introduce new security issues.

NIST SP 800-218 recommends that teams record discovered issues and recommended remediations in the development team's workflow or issue tracking system, then triage them. Teams apply this practice during secure code review or analysis before release. Repository-scale context matters for complex multi-file remediation, and Augment Cosmos, the unified cloud agents platform for running agents across the software development lifecycle, uses semantic dependency graph analysis across 400,000+ files to show cross-file dependencies and call flow before the tool proposes a patch. This guide walks through the remediation lifecycle, agentic autofix tools, fix reliability evidence, and verification gates that separate a merged fix from a reintroduced vulnerability.

The Five-Stage Remediation Lifecycle

The remediation lifecycle moves from scan to triage, prioritization, fix, and merge. Each stage handles a different part of remediation, from detection through gate enforcement. The table below summarizes the primary activity at each stage and the friction that most often derails it.

StagePrimary ActivityCommon Friction
ScanDetection via SAST, SCA, secret scanningFull-repo scan cost, diff-aware incremental runs
TriageClassify severity, filter false positivesFalse positives dilute developer attention
PrioritizeRisk-based ordering with EPSS, CVSS, KEVCVSS base scores alone misprioritize
FixDeveloper remediation and handoffDashboard-only findings stay outside the PR review path
MergePR review, gate enforcement, rescanBlocking every finding creates merge gridlock

Scanning runs in IDE and pre-commit hooks for real-time feedback, in pull requests via diff-aware incremental scans, in CI/CD build steps on commit, and in periodic baseline scans across the full repository. Each scan point trades coverage against speed. Generated files and binary files can add scan noise at the PR level, so Smart File Filtering excludes them from analysis.

Triage: Filtering Signal From Noise

Triage classifies each finding by severity, exploitability, attack surface exposure, and code reachability. It also filters false positives before findings reach developers. For security teams, unfiltered SAST noise can move real vulnerabilities outside developer attention when alerts do not route into the team workflow.

Core triage activities apply CWE tagging, reachability metadata, environment context, and component criticality to each finding. Keeping triage routed into the review path matters because security-lead review loses force when findings stay dashboard-only, a pattern that becomes obvious when comparing how security integrations keep AI code compliant at enterprise scale. GitHub lets teams close alerts for reasons like test-only code or effort exceeding benefit, and teams route dismissal requests through the Security and quality tab for security-lead review.

NIST SSDF task PW.7.2 in v1.1 requires code review and/or code analysis based on secure coding standards. It also requires teams to document and triage all discovered issues in the team's workflow. A draft SSDF v1.2 released for public comment in December 2025 expands the review, analysis, and testing tasks and adds continuous-improvement practices, though v1.1 remains the current published guidance. AI-assisted triage contributes by returning "true positive" or "false positive" verdicts with reasoning, but LLM triage remains bounded by repository context. When authorization logic spans multiple files, human review remains essential because the verdict depends on cross-file control flow.

Thorough Reviews routes security findings into pull requests for teams that prioritize bug recall. In internal testing, Thorough catches 50% more bugs than the Precise review style while keeping the same low false positive rate.

Prioritize: Ordering by Risk Beyond Severity

Prioritization orders findings by risk using CVSS severity, EPSS exploit probability, CISA KEV membership, and reachability analysis. Scanner output should be treated as one input to remediation priority, with other risk signals shaping the final decision, an approach that shows up in the benchmarks used to evaluate AI security tools in enterprise environments. NIST warns against using CVSS Base scores alone to determine remediation priority. The table below outlines what each common signal measures and where it falls short as a standalone input.

SignalWhat It MeasuresWhat It Misses
CVSS BaseIntrinsic severityThreat activity, environment, impact
CVSS Threat/EnvironmentalExploit availability, environmental controlsReal-time exploitation data
EPSS30-day global exploit probabilityAsset-specific context, business impact
CISA KEVConfirmed active exploitation in wildFuture exploitation, asset criticality
SSVCOrg-specific decision treeAutomated scoring
ReachabilityWhether vulnerable code is callableRuntime usage details

EPSS estimates the probability of observing exploitation attempts against a vulnerability in the next 30 days. It produces a probability score and a percentile. Use EPSS when no other evidence of active exploitation exists. Direct exploitation intelligence should supersede EPSS when available. The CISA KEV catalog takes precedence because it contains confirmed actively exploited vulnerabilities.

Reachability analysis filters non-callable code by confirming whether the application calls vulnerable code paths. Reachability operates at dependency level, which checks whether a vulnerable package is present, and function level, which checks whether known vulnerable functions run. Neither level can assess how the function runs at runtime, so high reachability does not equal exploitability.

A risk-based ordering starts with KEV membership for immediate action. It then combines CVSS Threat score with EPSS percentile, applies reachability to filter non-callable code, and adds business context like asset criticality and internet exposure.

Fix: Where Agentic Autofix Drafts Pull Requests

The fix stage generates a remediation and hands it to a developer. Agentic tooling analyzes the vulnerability, drafts a patch, and opens a pull request. The PR handoff mechanism sets the boundary between generated fixes and developer acceptance, a distinction that comes through clearly when reviewing the enterprise-ready AI coding assistants beyond GitHub Copilot. Findings placed as inline comments on the specific changed line reach the same review interface where remediation decisions happen. Dashboard-only findings require a separate workflow handoff before developers act.

The Auggie CLI handles ticket-to-PR remediation for complex multi-file fixes. Auggie can plan multi-step tasks, run approved terminal commands, and create and submit pull requests. The table below compares how the leading agentic autofix tools generate patches and verify them.

ToolHow It Generates FixesVerification Model
GitHub Copilot AutofixBuilds an LLM prompt from CodeQL analysis and code snippets around the flow pathDeveloper opens and reviews a generated PR
Snyk Agent FixUses program analysis to reduce code to the defect and necessary contextRe-scans fixed code and filters hallucinations
GitHub Dependabot alertsAssigns alerts to Copilot, Claude, or Codex agentsOpens draft PRs and attempts to resolve test failures
Google DeepMind CodeMenderUses Gemini models with debugger, static analysis, dynamic analysis, fuzzing, and SMT solversContributed verified fixes to open-source projects over a bounded review period with human approval before upstream integration
Sonatype automated PRBumps components to non-violating versionsTakes no other remediation action

GitHub Copilot Autofix operates on PRs and historical alerts via a "Generate fix" button. Developers press "Create PR with fix" to open a pull request. Snyk Agent Fix re-scans the fixed code to confirm the issue is resolved and no new vulnerabilities are introduced. Teams can assign Dependabot alerts to multiple agents, and each agent opens a draft PR for comparison.

The Plausible-vs-Correct Gap: What the Data Actually Shows

AI remediation patches can fail full test suites or adversarial tests even when they appear correct. Security-specific fix accuracy also runs below general repair benchmarks, which shapes how much autonomous trust a pipeline can safely grant.

Current SWE-bench Verified leaderboard leaders exceed 90% on the % Resolved metric, and Augment reports 70.6% on the same benchmark. Higher benchmark scores do not translate directly to production-ready code. Scale AI's standardized SWE-bench Pro leaderboard, a variant designed to better reflect real-world engineering conditions, shows top scores around 59% even for frontier models, though other trackers using different scaffolding report higher numbers. Patches that appear to pass benchmark grading can still be functionally incorrect when developers subject them to all tests. Real project maintainers reviewing AI-generated patches that passed SWE-bench grading identified merge-readiness failures, including patches that "would not be merged into main." The table below collects the benchmarks that document this plausible-vs-correct gap.

BenchmarkScopeResult
SWE-bench VerifiedCode generation qualityTop leaderboard scores now exceed 90%; Augment reports 70.6%
SWE-bench Pro (Scale AI standardized set)Standardized real-world variantTop scores around 59% even for frontier models
Maintainer reviewAI-generated patches that passed SWE-bench gradingMerge-readiness failures remained
Vul4JJava vulnerability patchesStudies document incorrect repair strategies
PatchEvalReal CVEs across CWE categoriesEven the strongest agent leaves vulnerabilities unrepaired
Vul4J functionalitySame vulnerability-patch settingFunctionality can be preserved while vulnerability removal fails

The Vul4J data shows the risk. LLMs can keep code working while failing to remove the vulnerability, so working code can still contain the original flaw. Fix rates vary by CWE category, so high AI fix-rate claims need vulnerability-class scope.

New vulnerability introduction compounds the risk. LLM-generated code can introduce new vulnerabilities, and static analysis on SWE-bench patches found generated-code issues during patch review.

Why Context Quality Determines Fix Correctness

Reviewers need repository-level context to inspect cross-file dependencies, project conventions, and historical repair patterns before they accept a patch. Security patching also requires reasoning about exploitability, adversarial inputs, and subtle control- and data-flow properties.

Context inputs that improve remediation also create verification obligations. Reviewers should curate context before generation rather than passing more repository facts by default. The table below maps each context dimension to the remediation benefit it delivers and the verification step it demands.

Context DimensionMechanismRemediation BenefitFailure ModeVerification Need
Cross-file dependenciesTraces relationships across filesCleaner patch integrationContext-blind patching misses dependenciesReview architectural fit
Inter-procedural slicingFollows control and data flowStronger exploitability reasoningSubtle flow properties are missedRe-scan and review logic
Historical vulnerability fixesReuses prior repair patternsAligns fixes with project conventionsPatterns may not match the current vulnerabilityHuman acceptance review
Commit messagesLinks intent to code semanticsClarifies why prior changes were madeExtra facts can degrade performanceCurate context before generation
Localization qualityNarrows file-level and function-level scopeImproves repair targetingLLM repair struggles with precise localizationConfirm vulnerable code path removal

The "Bug Fixing with Broader Context" study measured repair outcomes across repository-layer knowledge for program anomaly bugs and configuration bugs. KGCompass used a repository-aware knowledge graph, and it also showed that file-level and function-level localization affect repair quality.

Several context types explain these repair gains. Cross-file dependency analysis, inter-procedural slicing, historical vulnerability fixes, and commit messages link natural-language intent to code semantics. A user study with students and developers evaluated patches generated following patterns learned from existing developer patches through human acceptance.

Context limitations remain documented. LLM-based repair struggles with precise bug localization, and adding more facts can degrade performance rather than improve it. A large-scale experiment across bug-fix tasks found that neither more nor less context reliably improves patch generation, so curation matters more than volume.

Cosmos runs on top of the Context Engine, which processes entire codebases across 400,000+ files through semantic dependency graph analysis. Cosmos indexes cross-file dependencies and call flow so reviewers can inspect those relationships before remediation is proposed, and internal measurements report 5-10x gains in review efficiency for teams applying PR automation on complex multi-file codebases.

Merge: Gate Enforcement and Verification Before Production

The merge stage uses PR-level gates and post-merge verification, which is why teams treat CI/CD pipeline integrations as the enforcement point every AI coding tool needs to support. It blocks merges on critical or high-severity findings and rescans after merge to catch regressions. GitHub's default PR check fails on any error, critical, or high finding and blocks merge. Lower severities appear as warnings, and teams can configure the threshold.

Gate design determines whether severity thresholds block only critical/high findings or every finding. Starting with critical-only gating avoids the merge gridlock that blocking every finding from day one creates. Teams can expand the threshold as they mature, so developers can remediate the highest-risk issues before lower-severity warnings become mandatory. The table below shows which gate layer catches which failure class before merge.

Gate LayerWhat It CatchesFailure Action
Linting and formattingStyle violations, syntax errorsBlock merge, auto-fix where possible
Static analysis and securityVulnerabilities, insecure patterns, secretsBlock merge, require remediation
Test execution and coverageFunctional regressions, untested pathsBlock merge, require additional tests
Branch protectionPolicy violations, missing approvalsBlock merge until all checks pass
Post-merge verificationRegressions and previously undetected vulnerabilitiesRe-scan and regression-test before release

The merge path needs one verification sequence before production exposure:

  1. Run PR-level CI/CD checks and branch protection before merge.
  2. Re-scan the fixed code to confirm the vulnerability is gone.
  3. Regression-test the fix in staging and add tests for previously reported vulnerabilities.
  4. Require mandatory manual review for high-risk code touching auth, payments, or databases.

This sequence focuses gate enforcement on vulnerability removal and regression prevention.

NIST SP 800-218 does not specifically require post-merge verification. The SSDF provides recommended high-level practices, such as testing code and verifying release integrity, without mandating a particular post-merge verification step for security fixes. NIST SP 800-218 task RV.1.2 requires teams to review, analyze, and/or test the software's code, and teams use that work to identify or confirm the presence of previously undetected vulnerabilities. The pending SSDF v1.2 draft expands this task language further, though v1.1 remains the published version.

Review data sharpens the point. AI-generated fixes can pass automated tests while still introducing new failures under adversarial conditions. Adversarial tests catch failures that ordinary automated tests can miss, especially when teams use the same AI tool to generate both implementation and tests.

Human review requirements should scale with risk. High-risk code touching auth, payments, or databases requires automated security scanning plus mandatory manual review. Medium-risk business logic needs automated testing with code review focused on edge cases. Low-risk UI components can pass with linting and full test validation.

Code Review on Cosmos scored 59% F-score in internal benchmarking using a public dataset of "golden comments." In the merge path, its GitHub-integrated analysis can show reviewers cross-file dependencies, call flow, logic errors, and architectural fit before branch protection approvals.

Auto-Merge Conditions and Implementation Gotchas

Auto-merge is safe only for narrowly scoped, low-risk changes. A frequently overlooked GitHub configuration detail can break auto-merge pipelines until teams address it. GitHub can auto-merge once all branch protection conditions are satisfied, but the safe pattern restricts it to trivial dependency bumps.

Open source
augmentcode/augment-swebench-agent873
Star on GitHub

Auto-merge pipelines need narrow change scope and correct GitHub permissions before a dependency update can move without manual intervention. The table below outlines the safe conditions and permission requirements at each layer.

Auto-Merge DimensionSafe ConditionPermission RequirementFailure ModeRequired Mitigation
Change scopeLow-risk fixes onlyBranch protection must passBroad remediation ships unreviewed failuresRestrict auto-merge to trivial dependency bumps
Dependabot update typeversion-update:semver-patchDependabot workflow configurationMajor-version jumps create compatibility riskMatch dependency name and update type
Automated PR behaviorComponent bump to non-violating versionCI checks must passNo other remediation action occursKeep security review for non-bump fixes
Workflow tokenDependabot-triggered workflowGITHUB_TOKEN is read-only by defaultAuto-merge pipeline cannot writeConfigure Dependabot secrets separately
Merge queueQueue-based merge after checksPersonal access token or GitHub App tokenBuilt-in GITHUB_TOKEN cannot add PRs to the queueUse a token with merge permission

The documented OpenHands remediation pipeline auto-merges low-risk fixes only after tests pass. Teams can configure GitHub Actions to auto-merge Dependabot PRs only under two conditions: the dependency name must match a specific target, and the update type must be version-update:semver-patch. Sonatype's automated PR functionality only bumps components to non-violating versions and takes no other remediation action.

Dependabot-triggered workflows create an implementation problem. GITHUB_TOKEN has read-only permissions by default, and GitHub Actions secrets are not available. Only Dependabot secrets are available. Merge queues require a personal access token or GitHub App token with merge permission, because the built-in GITHUB_TOKEN cannot add PRs to the queue.

Service Accounts give non-human API access for approval-gated automation workflows on Cosmos. Tool permissions constrain CI automation for enterprise teams applying remediation.

Dependency remediation remains difficult at repository scale. Pipelines must detect behavioral breaking changes, account for semantic versioning unreliability, and propagate transitive dependency updates through tests. A passing dependency-bot build does not imply compatibility, because bots rely on test suites that fail to exercise most direct and transitive dependency calls.

The Trust Gap in Agentic Remediation Adoption

Trust in autonomous AI security tooling is constrained by false negatives, review pickup friction, and dependency-selection errors, even when developers use AI coding assistance elsewhere. Developers may use AI coding assistance while still requiring review before generated changes affect security-critical paths.

Teams address these constraints with detection controls, review pickup, dependency checks, and merge restrictions. These gates keep automation inside PR review and branch protection. The table below maps each trust constraint to the gate that contains it.

Trust ConstraintWhere It AppearsOperational RiskRequired GateAutomation Boundary
False negativesAI vulnerability scanningVulnerabilities remain undetectedDetection and triage controlsDo not treat autofix as detection replacement
Review pickup frictionGenerated PR reviewReviewers distrust generated changesExplicit review pickupKeep generated changes reviewable
Dependency-selection errorsAgent dependency updatesVulnerable versions or major-version jumpsDependency review and testsRestrict auto-merge to narrow updates
Critical-vulnerability orderingDependency remediationCritical fixes are not prioritizedRisk-based prioritizationPrioritize before fix generation
Autonomous mergingProduction gateFailures bypass human verificationBranch protection and manual reviewPlace automation before verification gates

False negatives challenge trust in automated AI vulnerability scanning, and automatic fixes do not remove the need for detection and triage controls. Teams evaluating how to integrate an AI code checker with GitHub Actions still need explicit review pickup because reviewers may distrust generated changes more than human-authored changes.

AI agents also make dependency selection errors that humans avoid. Empirical research found dependency-selection errors: package versions already known to be vulnerable at PR time, major-version jumps, and critical-vulnerability fixes not prioritized.

Precise Mode reduces comment volume for teams tuning review pickup around false-positive tolerance, and it is configurable for teams that need minimal review noise.

Tools that open reviewable PRs, run CI, rescan fixes, and require approval before merge keep automation inside the review process. Keep autonomous merging from bypassing those gates.

Gate Every Automated Fix Before It Reaches Production

Agentic remediation trades speed against correctness. Autofix tools draft patches in minutes, but security fixes can pass functionality checks while missing vulnerability removal. Apply the merge gates above to generated security fixes, and keep auto-merge limited to semver-patch updates.

For complex multi-file remediation pipelines, Cosmos runs approval-gated automation on top of Context Engine indexing to surface dependency and call-flow effects before the PR enters manual QA. Internal measurements show 5-10x speed-up on complex multi-file workflows, so reviewers can focus their attention on the highest-risk changes.

[ Coming up next ]

The New Code Review Workflow for AI-Native Engineering Teams

See how leading teams keep code review fast and rigorous as AI writes more of the code.

Save your seat
Thu, Jul 9 // 9:45 AM PDT

Frequently Asked Questions

Written by

Molisha Shah

Molisha Shah

Molisha is an early GTM and Customer Champion at Augment Code, where she focuses on helping developers understand and adopt modern AI coding practices. She writes about clean code principles, agentic development environments, and how teams are restructuring their workflows around AI agents. She holds a degree in Business and Cognitive Science from UC Berkeley.


Get Started

Give your codebase the agents it deserves

Install Augment to get started. Works with codebases of any size, from side projects to enterprise monorepos.