
Fix PR

An auto-generated pull request that remediates a specific vulnerability.

What is a Fix PR?

A Fix PR is a pull request that a security platform drafts on the engineering team's behalf to close a specific vulnerability — typically by bumping a dependency, swapping a function call, or applying a patch. Unlike a generic advisory or a Jira ticket, a Fix PR is an artefact engineers already know how to handle: a code diff, a branch, a review flow, a merge button.

At Safeguard, a Fix PR is never just a bump. It carries the taint path, an exploit hypothesis, a proof-or-disproof of exploitability in your codebase, and a reviewer gate — everything a human needs to approve the change in under two minutes.

How it works

A Fix PR goes through four stages before it lands in your repository:

  1. Taint path extraction. The engine identifies the reachable call chain from an untrusted source to the vulnerable function, so the PR can say exactly which code path is at risk — not just "CVE-2024-X is present in lodash."
  2. Exploit hypothesis. Griffin AI synthesises a minimal hypothesis for how the vulnerability could be triggered in your context — payload shape, entry point, preconditions. This becomes the PR's "why this matters" paragraph.
  3. Disproof or fix draft. If the hypothesis fails (input validation, type coercion, or a framework guardrail blocks it), the PR is marked not exploitable with evidence. Otherwise the engine drafts the minimum diff that removes the reachable path — a version bump, an import swap, or a call-site change.
  4. Reviewer gate. The PR opens with a structured body, CODEOWNERS assigned, CI attached, and policy checks wired in. A human still clicks merge — but they click it after reading two paragraphs instead of hunting across four tools.
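The four stages above, modelled end to end in a small Python example. This is an added illustration, not Safeguard's or Griffin AI's code: the data-flow graph, the untrusted-source and sanitizer sets, the two findings, the package names, version numbers and advisory IDs are all constructed placeholders, and the page does not describe how the real engine performs any of these steps. What it shows is the shape of the decision: enumerate source-to-sink paths, check whether a guard sits on every path, and either record the disproof or draft the minimal diff, with the evidence trail written into the PR body.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inter-procedural data-flow graph for a hypothetical web service.
# An edge A -> B means "data handled by A can flow into B". Not real code.
FLOW_GRAPH = {
    "http.handle_request": ["parse_query", "validate_schema"],
    "parse_query": ["lodash.template"],   # no validation between entry point and sink
    "validate_schema": ["render_yaml"],   # schema validation rejects structured payloads
    "render_yaml": ["js-yaml.load"],
    "cron.nightly_job": ["js-yaml.load"], # reachable only from trusted, scheduled input
    "lodash.template": [],
    "js-yaml.load": [],
}
UNTRUSTED_SOURCES = {"http.handle_request"}
SANITIZERS = {"validate_schema"}

# Hypothetical scanner findings; advisory IDs and versions are placeholders.
FINDINGS = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "lodash", "sink": "lodash.template",
     "current": "1.0.0", "fixed": "1.0.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "js-yaml", "sink": "js-yaml.load",
     "current": "2.0.0", "fixed": "2.0.1"},
]


@dataclass
class Verdict:
    finding_id: str
    sink: str
    paths: list                 # stage 1: taint paths that matter for the verdict
    hypothesis: Optional[str]   # stage 2: how untrusted input would reach the sink
    disproof: Optional[str]     # stage 3a: why the hypothesis fails, if it does
    fix: Optional[dict]         # stage 3b: minimal diff when still exploitable


def taint_paths(graph, sources, sink):
    """Stage 1: every simple path from an untrusted source to the sink (DFS)."""
    found = []

    def walk(node, path):
        if node == sink:
            found.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:  # skip cycles
                walk(nxt, path + [nxt])

    for src in sorted(sources):
        walk(src, [src])
    return found


def blocking_sanitizer(path, sanitizers):
    """First sanitizer on the path, or None if data reaches the sink unchecked."""
    return next((n for n in path if n in sanitizers), None)


def assess(finding, graph=FLOW_GRAPH, sources=UNTRUSTED_SOURCES, sanitizers=SANITIZERS):
    """Run stages 1-3 for one finding and return a Verdict with its evidence."""
    sink = finding["sink"]
    paths = taint_paths(graph, sources, sink)
    if not paths:
        return Verdict(finding["id"], sink, [], None, "no path from an untrusted source", None)
    open_paths = [p for p in paths if blocking_sanitizer(p, sanitizers) is None]
    if not open_paths:
        # Stage 3a: every path is guarded; name the guard as the disproof evidence.
        guard = blocking_sanitizer(paths[0], sanitizers)
        hyp = f"attacker-controlled input from {paths[0][0]} reaches {sink}"
        return Verdict(finding["id"], sink, paths, hyp, f"blocked by {guard} on every path", None)
    # Stage 2: the hypothesis names the concrete entry point and call path.
    hyp = f"attacker-controlled input from {open_paths[0][0]} reaches {sink} via {' -> '.join(open_paths[0])}"
    # Stage 3b: the smallest scoped change; here a manifest version bump (constructed).
    fix = {"file": "package.json",
           "before": f'"{finding["package"]}": "{finding["current"]}"',
           "after": f'"{finding["package"]}": "{finding["fixed"]}"'}
    return Verdict(finding["id"], sink, open_paths, hyp, None, fix)


def pr_body(v):
    """Stage 4: structured PR body that preserves the evidence trail for the reviewer."""
    lines = [f"## {v.finding_id}: {v.sink}", "", "### Reachability"]
    lines += [f"- {' -> '.join(p)}" for p in v.paths] or ["- none"]
    lines += ["", "### Hypothesis", v.hypothesis or "n/a", "", "### Verdict"]
    if v.fix:
        lines += ["exploitable: yes", "", f"### Proposed diff ({v.fix['file']})",
                  f"- {v.fix['before']}", f"+ {v.fix['after']}"]
    else:
        lines += [f"exploitable: no ({v.disproof})"]
    return "\n".join(lines)


if __name__ == "__main__":
    for f in FINDINGS:
        print(pr_body(assess(f)), end="\n\n")
```

Running it prints one PR body per finding: the lodash finding is marked exploitable with a one-line manifest diff, the js-yaml finding is marked not exploitable because every path from the HTTP entry point passes through the schema validator, and the scheduled job that also calls `js-yaml.load` never appears because it is not an untrusted source. A real engine replaces the hand-built graph with program analysis, but the verdict logic and the evidence sections are the same shape.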

Why it matters

Most vulnerability programs die in the handoff. A scanner files a ticket; the ticket sits in a backlog; a quarter later a platform engineer is asked to justify why 412 CVEs are still open. Fix PRs collapse that handoff — the artefact is the remediation, and it arrives already written.

When a Fix PR also carries reachability evidence and an exploit hypothesis, the reviewer can make a confident decision without becoming a part-time security researcher. That is what moves mean-time-to-remediate from weeks to hours.

What value it adds

  • Remediation time measured in hours, not sprints

    The median Fix PR on Safeguard is merged in under a working day — because the reviewer isn't doing the research anymore.

  • No more "why are we merging this?" reviewer friction

    Taint path plus exploit hypothesis plus disproof artefact gives the reviewer enough context to approve without a Slack thread.

  • Fewer regressions from blind bumps

    Because the PR targets the reachable call path, bumps are minimal and scoped — the blast radius of "upgrade lodash to fix 40 CVEs" shrinks to "change this one import."

  • Audit evidence is born with the fix

    The PR body preserves the evidence trail — what was reachable, what the hypothesis was, what the proof or disproof looked like — so compliance doesn't have to be reconstructed later.

  • Engineering velocity goes up, not down

    Fix PRs are lightweight, targeted, and batched by owner — they feel like a background task, not a security emergency.

How Safeguard uses it

Fix PRs are the default delivery mechanism for every actionable finding Safeguard produces. Griffin AI drafts them, reachability analysis scopes them, and policy gates decide whether they can merge without additional review.

See a Fix PR for your code.

Connect a repo. Let Safeguard draft the first three Fix PRs. Decide whether to keep going.