Remediate your custom code findings (SAST) with Mend for Azure DevOps Repos

Overview

Mend’s AI-based Code (SAST) remediation utilizes an advanced AI model powered by ChatGPT to enhance code security by providing actionable code-fix suggestions for detected security findings and automating remediation. This solution integrates seamlessly into your security workflow, allowing for effective risk reduction through automated code remediation.

Once activated, the system evaluates detected issues using the Mend SAST detection engine Gen 2 and suggests high-confidence code fixes, which can be reviewed in both Mend Repository Integrations and the Mend Platform. Feedback on these suggestions helps refine future recommendations, while dashboards within the Mend Application offer insights into remediation trends and volumes at various organizational levels.

What data Mend AI-Based Code Remediation Collect

Customer Data

Mend AI-Based Code Remediation Fix neither gathers customer data for training nor shares it with third parties.

• The remediation process is based solely on source code snippets related to your Code findings.

• No additional data is collected, and the AI model operates on a private instance, ensuring that no data is shared with the third-party LLM Provider(s).

• Optional feedback may be provided to help Mend monitor adoption and enhance the solution.

For more information on the terms and conditions of the Mend AI-Based Code Remediation, please visit our Mend AI-Powered Code Features Supplemental Terms of Service.

Getting it done

Prerequisites

Note: This feature is a controlled release. Your feedback during this phase will be invaluable, as it will help us perfect it and deliver an exceptional, game-changing product.

• Mend account with SAST entitlement on the Mend Platform

• Azure DevOps Repos installed and configured on the Mend Developer Platform with the Mend license key (the Classic Azure Repos integration is not supported)

• Code Findings Remediation feature enabled for your Mend organization

• Enable the Code Findings Remediation Opt-In toggle under the General Administration menu:

  

  • If enabled, snippets of your source code will be shared with Mend.io’s AI model to provide remediation suggestions.

    • To get remediation suggestions, the snippet size must be set to at least 10 lines of code, which is the default.

    • You can disable this option to prevent any code sharing with the model and turn off Mend Code AI-based remediation entirely.

  • After enabling the Code Findings Remediation Opt-In toggle, your projects must be rescanned to make Code Remediation work. Then, you have to log out and log in again to update the UI and view the code remediations.

Mend AI-Based Code Remediation Supported Languages

Mend AI-based Code remediation supports the following languages and CWEs (Common Weakness Enumeration):

View the suggested Code remediations

You can view and apply the suggested Code remediations in two ways:

Mend Code Security Report

1. Navigate to the Mend Code Security Report in the Azure DevOps Repos Work Items section.

2. Click on Remediation Suggestion to view the available code fix for the given finding.

   

3. You can view the suggested remediation and use the following method to understand the results:

   • Red lines indicate removed original code lines.

   • Green lines represent added code for completed remediation.

   

4. You can provide feedback on the remediation provided (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend is not sharing any customer code with the model.

   1. To submit positive feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback positive 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"

   2. To submit negative feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback negative 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"

Mend Code Security Check

1. Once a Pull Request is created on a feature branch, navigate to the comments section.

2. Click on Remediation Suggestion to view the available code fix for the given finding.

   

3. You can view the suggested remediation and use the following method to understand the results:

   • Red lines indicate removed original code lines.

   • Green lines represent added code for completed remediation.

   

4. You can provide feedback on the remediation provided (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend is not sharing any customer code with the model.

   1. To submit positive feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback positive 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"

   2. To submit negative feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback negative 01f2db64-1a3f-4c50-8864-a364356cdafc "Your Optional Comment"

How to fix Code findings

Once a Mend Code Security Check (SAST) has been completed in the repository, you can review the suggested remediations and create a Pull Request to implement the code fix.

Mend Code Security Report

1. Navigate to the Mend Code Security Report in the Azure DevOps Repos Work Items section.

2. Click on Remediation Suggestion to view the available code fix for the given finding.

   

3. In case you would like to apply the suggested remediation, you should open a pull request with this remediation by commenting on the work item issue with the provided syntax.
   In this example: /mend code remediate pull-request 01f2db64-1a3f-4c50-8864-a364356cdafc Your Optional Comment

   

4. A pull request will be created. Then, navigate to the Pull Requests section of the repository.

5. Open the newly created Pull Request after applying the Mend remediate suggestion.

   

6. You can review the PR Explanation and your comment (if added) in the description.

   

7. Click Complete to push the Mend code remediation to your branch. Mend recommends waiting for a completed Mend Code Security Check before pushing this PR into your relevant branch.

Mend Code Security Check

1. Once a Pull Request is created on a feature branch, navigate to the comments section.

2. Click on Remediation Suggestion to view the available code fix for the given finding.

   

In case you would like to apply the suggested remediation, you can select between two ways:

3. Update the feature branch through a commit by commenting on the Pull Request with the provided syntax. In this example: /mend code remediate commit f24cef12-b4fd-4f93-ab20-6405d68ad234 "Your Optional Comment"

4. You can create a pull request by commenting on the Pull Request with the provided syntax. In this example: /mend code remediate pull-request f24cef12-b4fd-4f93-ab20-6405d68ad234 Your Optional Comment

   

5. In case a pull request was created, navigate to the Pull Request from the comment.

   

6. You can review the PR Explanation in the conversation comment.

7. Click Complete to push the Mend code remediation to your branch. Mend recommends waiting for a completed Mend Code Security Check before pushing this PR into your relevant branch.

   

FAQ

What is Mend AI-Based Code Remediation?

Mend AI-Based Code Remediation uses an AI model to provide automated code-fix suggestions for security vulnerabilities detected by Mend SAST, helping developers remediate issues directly within Azure DevOps Repos.

Which programming languages are supported?

Mend AI-Based Code Remediation supports the following languages:

• C#

• Java

• JavaScript

• TypeScript

• Python

How do I enable code remediation suggestions?

1. Go to the General Administration menu in the Mend Platform.

2. Enable the Code Findings Remediation Opt-In toggle.

3. Rescan your projects.

4. Log out and log back in to view remediation suggestions.

Where can I view remediation suggestions?

You can view remediation suggestions in:

• Mend Code Security Report within the Azure DevOps Repos Work Items section.

• Pull Request Comments where Mend Code Security Check is applied.

• Mend AppSec Platform UI

How do I apply a remediation suggestion?

To apply a remediation suggestion, comment on the work item or pull request with this syntax:

/mend code remediate pull-request <finding ID> "Your Optional Comment"

A pull request will automatically be created with the suggested fix.

How can I provide feedback on the remediation suggestions?

Use the following comment formats to provide feedback:

• Positive feedback:

  CODE

  /mend code remediate feedback positive <finding ID> "Your Optional Comment"

• Negative feedback:

  CODE

  /mend code remediate feedback negative <finding ID> "Your Optional Comment"

Is my code shared with third parties?

No. Mend AI-Based Code Remediation operates on a private instance, and only the necessary code snippets are processed to generate remediation suggestions without sharing any customer data.

What happens if I disable the Code Findings Remediation Opt-In toggle?

Disabling the toggle stops sharing code snippets with the AI model and disables the remediation feature entirely.