Safeguard.sh
Product

How Safeguard Auto-Fix Actually Works Under the Hood

A technical breakdown of Safeguard's automated vulnerability remediation engine, from dependency resolution to pull request generation and compatibility verification.

Shadab Khan
Security Engineer
7 min read

Automated vulnerability remediation sounds straightforward: find a vulnerability, update the dependency, open a pull request. In practice, it is one of the hardest problems in software supply chain security. The dependency you need to update might break three other packages. The fix might exist only in a major version that changes the API. The vulnerability might be in a transitive dependency four levels deep, and the direct dependency you control has not released a patched version yet.

Safeguard's auto-fix engine handles all of these cases. Here is how it works.

The Fix Resolution Pipeline

When Safeguard identifies a vulnerability in your dependency tree, the auto-fix engine runs through a five-stage pipeline before generating a pull request.

Stage 1: Vulnerability Analysis

The engine starts by fully characterizing the vulnerability. This goes beyond just reading the CVE description. It determines:

  • Which specific versions of the package are affected
  • Which versions contain the fix
  • Whether the fix is a patch release (1.2.3 to 1.2.4), a minor release (1.2.3 to 1.3.0), or a major release (1.2.3 to 2.0.0)
  • Whether the vulnerable code path is actually reachable from your application

Reachability analysis is critical for prioritization. If your code never calls the vulnerable function, the auto-fix engine flags this as a lower priority. The fix is still recommended, but it does not jump the queue ahead of exploitable vulnerabilities.

Stage 2: Dependency Graph Resolution

This is where the complexity lives. The engine resolves the complete dependency graph for your project, including all transitive dependencies, to determine the minimal set of changes needed to eliminate the vulnerability.

For direct dependencies, the resolution is usually simple: update the version constraint in your manifest file. For transitive dependencies, it gets complicated. The engine evaluates several strategies:

Strategy A: Direct update. If the vulnerable package is a direct dependency, update it to the patched version. This is the simplest path and is preferred when available.

Strategy B: Parent update. If the vulnerable package is transitive, update the direct dependency that pulls it in. The engine checks whether a newer version of the parent package uses the patched version of the vulnerable dependency.

Strategy C: Override/Resolution. If the parent dependency has not updated yet, use the package manager's resolution mechanism (npm overrides, yarn resolutions, pip constraints) to force the transitive dependency to the patched version. This is a targeted intervention that does not require waiting for the parent maintainer.

Strategy D: Lockfile update. In some cases, the version constraint already allows the patched version, but the lockfile has pinned an older version. A simple lockfile refresh resolves the issue without any manifest changes.

The engine evaluates all applicable strategies and selects the one with the smallest blast radius, meaning the fewest changed packages and the lowest risk of breaking changes.

Stage 3: Compatibility Verification

Before generating a pull request, the engine verifies that the proposed changes are compatible with your project. This involves:

Semantic version analysis. If the fix requires a major version bump, the engine checks the changelog and migration guide for breaking changes. It cross-references breaking changes against your code to determine whether they affect your usage of the package.

Peer dependency checking. The engine verifies that the updated version satisfies all peer dependency requirements in your dependency tree. Peer dependency conflicts are a common source of auto-fix failures in the npm ecosystem, and the engine handles them explicitly.

Cross-dependency compatibility. When multiple packages in your tree depend on different versions of the same library, the engine ensures that the proposed fix does not create version conflicts.

Stage 4: Test Simulation

For projects with CI/CD integration, the auto-fix engine can trigger your existing test suite against the proposed changes before opening the pull request. This catches runtime compatibility issues that static analysis cannot detect.

The engine creates a temporary branch, applies the changes, and triggers your CI pipeline. If tests pass, the pull request is opened with a "tests passing" status. If tests fail, the engine analyzes the failures and either adjusts the fix strategy or flags the fix for manual review with a detailed explanation of what broke and why.

Stage 5: Pull Request Generation

The final stage generates a pull request with comprehensive documentation:

  • Summary of the vulnerability, including CVE ID, severity, and exploitability
  • Changes made with an explanation of which strategy was used and why
  • Risk assessment of the changes, including any potential breaking changes
  • Dependency diff showing exactly which packages changed and to which versions
  • Reachability analysis results showing whether the vulnerable code path is exercised

The pull request description is designed to give the reviewer everything they need to make a merge decision without additional research.

Handling Edge Cases

The auto-fix engine encounters edge cases constantly. Here are the most common ones and how they are handled.

No Fix Available

When a vulnerability has been published but no patched version exists, the engine cannot auto-fix. Instead, it creates an advisory ticket with:

  • A workaround if one exists (e.g., disabling the vulnerable feature via configuration)
  • A watch notification that will trigger when a patched version is released
  • An assessment of alternative packages that provide similar functionality without the vulnerability

Conflicting Fixes

Sometimes fixing one vulnerability introduces a version that has a different vulnerability. The engine detects these circular conflicts and reports them as requiring manual intervention, along with a summary of the trade-offs.

Monorepo Dependencies

In monorepos, updating a shared dependency in one package must be coordinated across all packages that use it. The engine generates a single pull request that updates the dependency consistently across the entire monorepo, with changes grouped by package for easy review.

Private Registry Packages

For packages hosted on private registries, the engine respects your registry configuration and authentication. It queries your private registry for available versions just as it does for public registries.

Fix Grouping and Batching

Opening a separate pull request for every vulnerability creates review fatigue. The engine groups fixes intelligently:

  • Same-package fixes are batched into a single PR when multiple CVEs affect the same dependency
  • Related fixes where updating one package resolves vulnerabilities in multiple transitive dependencies are grouped together
  • Risk-level batching keeps critical fixes separate from low-severity fixes so critical PRs are not delayed by review of minor changes

You can configure the batching strategy in the portal settings. Some teams prefer one PR per vulnerability for auditability. Others prefer aggressive batching to minimize review overhead.

Monitoring Fix Effectiveness

After a fix is merged, the engine continues monitoring. On the next SBOM generation, it verifies that the vulnerability is actually resolved. This catches cases where a fix was merged but the lockfile was not regenerated, or where a parallel PR reintroduced the vulnerable version.

The fix tracking dashboard shows:

  • Open fixes awaiting review
  • Merged fixes pending verification
  • Verified fixes confirmed as resolved
  • Failed fixes that need manual intervention

How Safeguard.sh Helps

Safeguard's auto-fix engine does not just bump version numbers. It resolves the complete dependency graph, evaluates multiple fix strategies, verifies compatibility, and generates pull requests with enough context for informed review. The five-stage pipeline handles the edge cases that make naive auto-fixers unreliable: transitive dependencies, peer conflicts, monorepos, and unavailable fixes. For teams drowning in vulnerability backlogs, auto-fix turns remediation from a manual chore into a review-and-merge workflow.

auto-fixautomationvulnerability remediationSafeguard
Back to all articles

More on #auto-fix

View all →
AI Security

Breaking Change Awareness: Griffin AI vs Mythos

6 min read
Product

Safeguard Auto-Fix: Automated Vulnerability Remediation That Respects Your Codebase

6 min read

Related articles in Product

Product

Safeguard Q1 2026 Release Recap

A quarterly recap of Q1 2026 at Safeguard.sh: the signed chain from source to runtime, self-healing GA, taint tracking, and the air-gap installer.

March 31, 2026Read
Product

Introducing the Safeguard Marketplace: Extend Your Supply Chain Security

The Safeguard Marketplace brings community-built integrations, policy templates, and compliance packs to the platform.

March 25, 2026Read
Product

Introducing Safeguard TPRM: Evidence-Based Third-Party Risk Management

Safeguard's new TPRM module replaces vendor questionnaires with SBOM-driven, continuous third-party risk assessment.

March 22, 2026Read

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.