AI-based open-source vulnerability detection, fixing, and automated pull-request solution.

About us
We provide an automated solution that quickly detects vulnerabilities in open-source repositories on GitHub and uses LLM-based AI to automatically fix the vulnerabilities and submit pull requests.
- Automated code vulnerability detection (Semgrep, CodeQL, SnykCode)
- AI-based automated code fixing and guidance generation using LLM
- Automated GitHub PR generation and CI/CD integration
AutoFiC is an automated security management pipeline. With no manual steps in between, SAST tools detect vulnerabilities in the code, an LLM generates a fix for each finding, and a GitHub pull request is opened automatically; the resulting pull request is then reviewed and merged by the developers.
This lets developers spend their time on their core work and on reviewing proposed fixes rather than on locating and patching security issues themselves.
Work Process
Below is a summary of the entire development process of the AutoFiC security service, from planning to implementation and deployment.
You can get an overview of the core technologies, automation workflow, and development strategy at a glance.

Repository Analysis
Automatically scans source code fetched from GitHub and uses SAST tools to locate security vulnerabilities in the code.

AI-based Code Planning
For each vulnerability reported by the SAST tools, an LLM generates candidate fix code together with security guidance.

Automated Deployment
Code fixes are automatically submitted as pull requests, so the service runs without manual steps up to the point where a developer reviews the resulting PR.


AutoFiC by Numbers.
AutoFiC's history
Average number of vulnerabilities detected
AutoFiC detected an average of 10 vulnerabilities per open-source repository.
Repositories analyzed
Through AutoFiC, a total of 170 open-source repositories were analyzed and 1,250 vulnerabilities were detected. The LLM modified the code directly, automatically generating 530 pull requests, all 530 of which are under review.
How to use AutoFiC?
Even first-time users of AutoFiC can use it easily with the provided documentation.
Follow the steps below and select the toggle for your operating system to view an easy-to-understand guide.
- AutoFiC basic setup: Complete the basic setup of AutoFiC, including environment variable configuration and practice environment setup.
- SAST tool install: Describes the local installation process for Semgrep, CodeQL, and SnykCode, as well as how to obtain and assign API keys.
- How to use AutoFiC?: With AutoFiC, the entire process of vulnerability detection, fixing, and pull request submission for open-source repositories is automated.
AutoFiC Team

🪪 Project Manager
- AutoFiC General Project Manager
- Designed automation for Semgrep/CodeQL/SnykCode
- Implemented preprocessing for Semgrep/CodeQL/SnykCode
- Team lead and midterm presenter
- Final presentation and report submission
- Provided leadership and feedback across all AutoFiC activities

👩🏻💻 Development Team
- Implemented automatic execution of Semgrep
- Designed prompt engineering and templates
- Implemented automatic prompt generation
- Implemented diff generation and patch logic
- Refactored the entire AutoFiC project

👩🏻💻 Development Team
- Implemented GitHub API integration
- Implemented LLM API integration and automatic invocation
- Improved UI/UX
- Refactored the entire AutoFiC project

🔬 Research Team
- Authored a research paper comparing SAST/LLM vulnerability detection performance
- Implemented CD automation pipeline
- Reviewed code for autofic.github.io
- Reviewed log collection and data preprocessing code
- Designed and implemented the dashboard back-end

👩🏻💻 Development Team
- Implemented source code download
- Implemented LLM response parsing
- Implemented diff generation and patch logic
- Prompt Engineering and UI/UX Enhancement
- Refactored the entire AutoFiC project

🔬 Research Team
- Authored a research paper comparing SAST/LLM vulnerability detection performance
- Implemented automation for fork, clone, commit, and pull request
- Implemented CI workflow and Slack/Discord notifications
- Automated collection of vulnerable repositories using SnykCode and CodeQL
- Designed and developed autofic.github.io

🔬 Research Team
- Authored a research paper comparing SAST/LLM vulnerability detection performance
- Implemented log collection and data preprocessing
- Reviewed code for autofic.github.io
- Designed and implemented the dashboard back-end
- Automated collection of vulnerable repositories using Semgrep

🔬 Research Team
- Authored a research paper comparing SAST/LLM vulnerability detection performance
- Reviewed log collection and data preprocessing code
- Reviewed code for autofic.github.io
- Designed and implemented the dashboard front-end

👨🏻🏫 Mentor
- Mentoring
- Reviewed overall project codebase
- Guided future development direction
- Supported patent application process
- Served as central coordinator across all project areas

👨🏻🏫 Project Leader
- Reviewed overall project codebase
- Guided future development direction
- Supported patent application process
- Served as central coordinator across all project areas
Frequently Asked Questions
We’ve compiled a list of frequently asked questions about AutoFiC.
If you have any other questions, feel free to contact us anytime!
What kind of project is AutoFiC?
AutoFiC is a fully automated security solution that automatically detects security vulnerabilities in open-source repositories and uses AI to fix them and generate pull requests.
What security analysis tools are used?
You can choose from various SAST tools such as Semgrep, CodeQL, and SnykCode.
What role does the LLM play?
It takes the vulnerability reports produced by the SAST tools and generates fix code together with an explanation of each vulnerability; when needed, it also recommends a remediation approach.
Do the generated PRs need to be reviewed manually?
Manual review is recommended. AutoFiC generates pull requests automatically, but developers should perform a final code review before merging.
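The work process above (SAST scan, LLM fix, pull request) and the FAQ answers on the LLM's role and on manual review describe the pipeline without showing where it can go wrong. The Python below is an added example written for this page, not AutoFiC's own code, and shows the pieces a practitioner has to get right: normalizing Semgrep JSON and SARIF output (the format CodeQL and SnykCode emit) into one finding schema, de-duplicating overlapping tool results so one location yields one patch, building the fix prompt from the flagged lines, and refusing a model-returned diff that touches any file other than the flagged one before it is turned into a pull request. The rule ids, file names, findings, source file and diffs are all constructed for the example.

```python
"""Normalize Semgrep and SARIF (CodeQL / Snyk Code) findings, build an LLM fix prompt,
and gate a model-returned patch before it becomes a PR. Example code, not AutoFiC's."""
import json
import re
from dataclasses import dataclass

# Constructed sample in the shape of `semgrep --json` output (hypothetical rule id and file).
SEMGREP_JSON = json.dumps({"results": [{
    "check_id": "python.lang.security.audit.subprocess-shell-true",
    "path": "app/runner.py", "start": {"line": 12}, "end": {"line": 12},
    "extra": {"message": "subprocess call with shell=True", "severity": "ERROR"}}]})

# Constructed sample in SARIF 2.1.0 shape, as CodeQL and Snyk Code emit it; it points
# at the same line as the Semgrep result to exercise de-duplication.
SARIF_JSON = json.dumps({"runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": [{
    "ruleId": "py/command-line-injection", "level": "error",
    "message": {"text": "This command line depends on a user-provided value."},
    "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/runner.py"},
                                        "region": {"startLine": 12, "endLine": 12}}}]}]}]})

# Constructed source file; the padding puts the flagged call on line 12.
SAMPLE_SOURCE = "import subprocess\n" + "\n" * 10 + "    subprocess.run(cmd, shell=True)\n"

# Two constructed model replies: one edits only the flagged file, the other also
# deletes a test file, which the PR step must refuse to forward.
GOOD_DIFF = ("--- a/app/runner.py\n+++ b/app/runner.py\n@@ -12,1 +12,1 @@\n"
             "-    subprocess.run(cmd, shell=True)\n+    subprocess.run(shlex.split(cmd))\n")
BAD_DIFF = GOOD_DIFF + ("--- a/tests/test_runner.py\n+++ /dev/null\n"
                        "@@ -1,1 +0,0 @@\n-def test_shell(): ...\n")

@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    path: str
    start_line: int
    end_line: int
    message: str
    severity: str

def parse_semgrep(text):
    """Map Semgrep JSON results onto the common Finding schema."""
    return [Finding("semgrep", r["check_id"], r["path"], r["start"]["line"], r["end"]["line"],
                    r["extra"]["message"], r["extra"].get("severity", "WARNING").lower())
            for r in json.loads(text)["results"]]

def parse_sarif(text):
    """Map SARIF results (CodeQL, Snyk Code) onto the same Finding schema."""
    out = []
    for run in json.loads(text)["runs"]:
        tool = run["tool"]["driver"]["name"].lower()
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            region = loc.get("region", {})
            start = region.get("startLine", 1)
            out.append(Finding(tool, r["ruleId"], loc["artifactLocation"]["uri"], start,
                               region.get("endLine", start), r["message"]["text"],
                               r.get("level", "warning")))
    return out

def dedupe(findings):
    """One finding per (file, line range): overlapping tools must not yield two patches."""
    seen, unique = set(), []
    for f in findings:
        key = (f.path, f.start_line, f.end_line)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique

def build_prompt(finding, source, context=3):
    """Show the flagged lines with numbers and ask for a unified diff limited to
    the flagged file; patch_in_scope() later enforces that limit."""
    lines = source.splitlines()
    lo, hi = max(1, finding.start_line - context), min(len(lines), finding.end_line + context)
    snippet = "\n".join(f"{n:4d}| {lines[n - 1]}" for n in range(lo, hi + 1))
    return (f"{finding.tool} reported {finding.rule_id} ({finding.severity}) in {finding.path} "
            f"lines {finding.start_line}-{finding.end_line}: {finding.message}\n\n{snippet}\n\n"
            f"Return a unified diff that modifies only {finding.path}.")

# Match both old- and new-file headers so a deletion (+++ /dev/null) is still attributed to
# the removed file. A removed source line starting with "-- " also matches and fails closed.
DIFF_HEADER = re.compile(r"^(?:---|\+\+\+) (?:[ab]/)?(\S+)", re.MULTILINE)

def patched_files(diff_text):
    """Distinct files a unified diff touches, in order of appearance."""
    return list(dict.fromkeys(p for p in DIFF_HEADER.findall(diff_text) if p != "/dev/null"))

def patch_in_scope(diff_text, finding):
    """Accept a model patch only if every file it touches is the flagged file."""
    files = patched_files(diff_text)
    return bool(files) and all(f == finding.path for f in files)

def run_pipeline():
    """SAST output -> normalized findings -> prompts -> patch scope decisions."""
    findings = dedupe(parse_semgrep(SEMGREP_JSON) + parse_sarif(SARIF_JSON))
    prompts = [build_prompt(f, SAMPLE_SOURCE) for f in findings]
    return {"findings": findings, "prompts": prompts,
            "good_in_scope": patch_in_scope(GOOD_DIFF, findings[0]),
            "bad_in_scope": patch_in_scope(BAD_DIFF, findings[0])}
```

Calling `run_pipeline()` returns one finding (the Semgrep and CodeQL reports collapse to a single location), one prompt, and the two scope decisions: the first diff is accepted and the second, which also deletes a test file, is rejected. The scope check is deliberately fail-closed: anything that looks like a second file header sends the patch back for manual review rather than into a pull request, which is the review step the FAQ recommends.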
Isn't using the CLI difficult?
The entire process runs with a single command, and all options can be easily checked using `--help`.