Remediate your custom code findings (SAST) with Mend for Azure DevOps Repos
Overview
Mend’s AI-based Code (SAST) remediation uses an AI model powered by ChatGPT to generate actionable code-fix suggestions for detected security findings and to automate their remediation. It integrates into your existing security workflow so that findings can be fixed as part of normal code review rather than in a separate process.
Once activated, the system evaluates issues detected by the Mend SAST detection engine Gen 2 and suggests high-confidence code fixes, which can be reviewed both in the Mend Repository Integrations and in the Mend Platform. Feedback on these suggestions helps Mend monitor adoption and improve the feature (it is not fed back into the model; see below), while dashboards in the Mend Application show remediation trends and volumes at various organizational levels.
What data Mend AI-Based Code Remediation collects
Customer Data
Mend AI-Based Code Remediation neither gathers customer data for training nor shares it with third parties.
The remediation process is based solely on source code snippets related to your Code findings.
No additional data is collected, and the AI model operates on a private instance, ensuring that no data is shared with the third-party LLM Provider(s).
Optional feedback may be provided to help Mend monitor adoption and enhance the solution.
For more information on the terms and conditions of the Mend AI-Based Code Remediation, please visit our Mend AI-Powered Code Features Supplemental Terms of Service.
Getting it done
Prerequisites
Note: This feature is a controlled release. Your feedback during this phase will be invaluable, as it will help us perfect it and deliver an exceptional, game-changing product.
Mend account with SAST entitlement on the Mend Platform
Azure DevOps Repos installed and configured on the Mend Developer Platform with the Mend license key (the Classic Azure Repos integration is not supported)
Code Findings Remediation feature enabled for your Mend organization
Enable the Code Findings Remediation Opt-In toggle under the General Administration menu:
If enabled, snippets of your source code will be shared with Mend.io’s AI model to provide remediation suggestions.
To get remediation suggestions, the snippet size must be set to at least 10 lines of code, which is the default.
You can disable this option to prevent any code sharing with the model and turn off Mend Code AI-based remediation entirely.
After enabling the Code Findings Remediation Opt-In toggle, your projects must be rescanned before any remediations are generated. Then log out and log in again so that the UI is refreshed and the code remediations are shown.
Mend AI-Based Code Remediation Supported Languages
Mend AI-based Code remediation supports the following languages and CWEs (Common Weakness Enumeration):
Language | CWE
---|---
C# |
Java |
JavaScript |
Python |
TypeScript |
View the suggested Code remediations
You can view the suggested Code remediations in three places: the Mend Code Security Report work item and the Mend Code Security Check on a pull request (both in Azure DevOps Repos, where you can also apply them), and the Mend Platform:
Mend Code Security Report
Navigate to the Mend Code Security Report in the Azure DevOps Repos Work Items section.
Click on Remediation Suggestion to view the available code fix for the given finding.
The suggested remediation is shown as a diff against the original code:
Red lines are the original code lines that are removed.
Green lines are the code lines added to complete the remediation.
You can provide feedback on the remediation (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend does not share any customer code with the model.
To submit positive feedback, comment on the work item with the syntax below. You can also add an optional comment, which is saved as a “User comment” on the feedback comment. In this example:
/mend code remediate feedback positive 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"
To submit negative feedback, comment on the work item with the syntax below. The optional comment is saved in the same way. In this example:
/mend code remediate feedback negative 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"
Mend Code Security Check
Once a Pull Request is created on a feature branch, navigate to the comments section.
Click on Remediation Suggestion to view the available code fix for the given finding.
The suggested remediation is shown as a diff against the original code:
Red lines are the original code lines that are removed.
Green lines are the code lines added to complete the remediation.
You can provide feedback on the remediation (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend does not share any customer code with the model.
To submit positive feedback, comment on the Pull Request with the syntax below. You can also add an optional comment, which is saved as a “User comment” on the feedback comment. In this example:
/mend code remediate feedback positive 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"
To submit negative feedback, comment on the Pull Request with the syntax below. The optional comment is saved in the same way. In this example:
/mend code remediate feedback negative 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"
Mend Platform
Within the Mend Platform, Code remediation is computed on demand and can be viewed in your Application/Project Code findings view:
Select a project and navigate to the Code Findings section.
Within the Code Findings table, make sure the Remediation column is added to the view to see which findings have an available remediation.
Select a Code Finding with an available remediation to see its remediation details.
You can review the Remediation Description as suggested by Mend.
You can provide feedback on the remediation (Like / Unlike). This feedback is tracked but not used to improve the suggestions, as Mend does not share any customer code with the model.
In case you would like to provide detailed feedback, click on Provide detailed feedback.
A pop-up screen will appear with various options for you to select from, or you can describe your feedback in your own words. When you are ready to send it, click Submit Feedback.

How to fix Code findings
Once a Mend Code Security Check (SAST) has been completed in the repository, you can review the suggested remediations and create a Pull Request to implement the code fix.
Mend Code Security Report
Navigate to the Mend Code Security Report in the Azure DevOps Repos Work Items section.
Click on Remediation Suggestion to view the available code fix for the given finding.
To apply the suggested remediation, open a pull request containing it by commenting on the work item with the syntax below. In this example:
/mend code remediate pull-request 01f2db64-1a3f-4c50-8864-a364356cdafc Your Optional Comment
A pull request will be created. Then, navigate to the Pull Requests section of the repository.
Open the newly created Pull Request after applying the Mend remediate suggestion.
You can review the PR Explanation and your comment (if added) in the description.
Click Complete to merge the Mend code remediation into your target branch. Review the diff as you would any other contributor's change, and, as Mend recommends, wait for the Mend Code Security Check on this PR to complete before completing it, so the fix itself is re-scanned before it lands.
Mend Code Security Check
Once a Pull Request is created on a feature branch, navigate to the comments section.
Click on Remediation Suggestion to view the available code fix for the given finding.
To apply the suggested remediation, choose one of two ways:
Update the feature branch with a commit by commenting on the Pull Request with the syntax below. In this example:
/mend code remediate commit f24cef12-b4fd-4f93-ab20-6405d68ad234 "Your Optional Comment"
Create a separate pull request by commenting on the Pull Request with the syntax below. In this example:
/mend code remediate pull-request f24cef12-b4fd-4f93-ab20-6405d68ad234 Your Optional Comment
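The feedback, commit and pull-request commands above share one comment syntax: `/mend code remediate <action> [verdict] <remediation-id> [comment]`. The following parser is an added example, not Mend's own code, for anyone who wants to validate these commands before posting them (for instance from a bot that relays review decisions). It assumes the remediation ID is UUID-shaped, as in the IDs on this page, and that everything after the ID is the optional user comment, whether double-quoted or unquoted; both forms appear on this page.

```python
import re
import shlex
from typing import Optional

# Remediation IDs in the Mend comments are UUID-shaped strings (assumption
# based on the IDs shown on this page).
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)

# Actions documented on this page. 'feedback' takes a verdict before the ID.
VERDICTS = {"positive", "negative"}
ACTIONS = {"feedback", "pull-request", "commit"}


def parse_mend_command(comment: str) -> Optional[dict]:
    """Parse a '/mend code remediate ...' comment.

    Returns a dict with keys action, verdict (feedback only, else None),
    remediation_id and comment (None when omitted), or None when the text is
    not a well-formed remediate command. The trailing user comment may be one
    double-quoted token or unquoted trailing words; both are accepted here
    (assumption: Mend treats everything after the ID as the comment).
    """
    text = comment.strip()
    if not text.startswith("/mend"):
        return None
    try:
        tokens = shlex.split(text)  # honours "quoted comments"
    except ValueError:
        return None  # unbalanced quotes: refuse rather than guess
    # Shortest valid form is '/mend code remediate commit <id>' (5 tokens).
    if tokens[:3] != ["/mend", "code", "remediate"] or len(tokens) < 5:
        return None
    action, rest = tokens[3], tokens[4:]
    if action not in ACTIONS:
        return None
    verdict = None
    if action == "feedback":
        if len(rest) < 2 or rest[0] not in VERDICTS:
            return None
        verdict, rest = rest[0], rest[1:]
    if not UUID_RE.match(rest[0]):
        return None
    user_comment = " ".join(rest[1:]) or None
    return {
        "action": action,
        "verdict": verdict,
        "remediation_id": rest[0].lower(),
        "comment": user_comment,
    }


if __name__ == "__main__":
    # Constructed sample comments, including one with the verdict missing.
    for line in [
        '/mend code remediate feedback positive 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"',
        "/mend code remediate pull-request 01f2db64-1a3f-4c50-8864-a364356cdafc Your Optional Comment",
        "/mend code remediate commit f24cef12-b4fd-4f93-ab20-6405d68ad234",
        "/mend code remediate feedback 01f2db64-1a3f-4c50-8864-a364356cdafc",
    ]:
        print(parse_mend_command(line))
```

A malformed command (wrong action, missing verdict, non-UUID ID, unterminated quote) yields None rather than a partially filled result, so a caller never posts a comment that Mend would ignore or, worse, attach to the wrong remediation.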
In case a pull request was created, navigate to the Pull Request from the comment.
You can review the PR Explanation in the conversation comment.
Click Complete to merge the Mend code remediation into your target branch. Review the diff as you would any other contributor's change, and, as Mend recommends, wait for the Mend Code Security Check on this PR to complete before completing it, so the fix itself is re-scanned before it lands.
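Both the work-item flow and the pull-request flow above end with the same recommendation: do not complete the remediation PR until the Mend Code Security Check on it has finished. The following is an added example, not Mend's code, of how to enforce that recommendation from a script instead of by eye. It assumes Mend reports its check as an Azure DevOps pull request status whose context name is "Mend Code Security Check" (read the real name from your own PR's status list and adjust), uses the public Azure DevOps Git REST "Pull Request Statuses" endpoint for the optional fetch, and runs the decision logic on a constructed sample payload so it works offline.

```python
import base64
import json
import urllib.request
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed display name of the Mend status on the pull request. Read it from
# the PR's status list in your own organisation and adjust if it differs.
MEND_CONTEXT_NAME = "Mend Code Security Check"


def _created(status: dict) -> datetime:
    # Azure DevOps returns ISO 8601 timestamps with a trailing 'Z'.
    return datetime.fromisoformat(status["creationDate"].replace("Z", "+00:00"))


def latest_status(statuses: List[dict], context_name: str) -> Optional[dict]:
    """Most recent status whose context name matches (newest wins on re-runs)."""
    matching = [s for s in statuses if s.get("context", {}).get("name") == context_name]
    return max(matching, key=_created) if matching else None


def safe_to_complete(statuses: List[dict], context_name: str = MEND_CONTEXT_NAME) -> Tuple[bool, str]:
    """Gate: True only when the latest Mend status on the PR is 'succeeded'.

    Missing, pending, failed and error statuses all block completion, so a PR
    with no check reported yet is treated as not safe rather than as clean.
    """
    status = latest_status(statuses, context_name)
    if status is None:
        return False, f"no '{context_name}' status on this PR yet"
    state = status.get("state")
    if state == "succeeded":
        return True, f"'{context_name}' succeeded"
    return False, f"'{context_name}' is in state '{state}'"


def fetch_statuses(org: str, project: str, repo: str, pr_id: int, pat: str) -> List[dict]:
    """Fetch PR statuses from Azure DevOps (network call; not used by the demo).

    Endpoint is the public Git REST 'Pull Request Statuses - List' API; adjust
    api-version to the one your organisation supports (assumption: 7.1-preview.1).
    """
    url = (f"https://dev.azure.com/{org}/{project}/_apis/git/repositories/{repo}"
           f"/pullRequests/{pr_id}/statuses?api-version=7.1-preview.1")
    token = base64.b64encode(f":{pat}".encode()).decode()  # PAT as Basic auth
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


# Constructed sample shaped like the 'value' array of the statuses response:
# an earlier pending Mend run, a later successful Mend run, and an unrelated
# failed status that must not influence the decision.
SAMPLE_STATUSES = [
    {"id": 1, "state": "pending", "creationDate": "2024-05-01T09:00:00Z",
     "context": {"name": MEND_CONTEXT_NAME, "genre": "mend"}},
    {"id": 2, "state": "succeeded", "creationDate": "2024-05-01T09:04:30Z",
     "context": {"name": MEND_CONTEXT_NAME, "genre": "mend"}},
    {"id": 3, "state": "failed", "creationDate": "2024-05-01T09:05:00Z",
     "context": {"name": "some-other-check", "genre": "ci"}},
]

if __name__ == "__main__":
    ok, reason = safe_to_complete(SAMPLE_STATUSES)
    print("complete PR" if ok else "hold PR", "-", reason)
```

The gate deliberately picks the newest status for the context rather than any succeeded one, so a re-run that is still pending after a new commit blocks completion even though an older run succeeded.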