
Remediate your custom code findings (SAST) with Mend for Bitbucket Cloud

Overview

Mend’s AI-based Code (SAST) remediation utilizes an advanced AI model powered by ChatGPT to enhance code security by providing actionable code-fix suggestions for detected security findings and automating remediation. This solution integrates seamlessly into your security workflow, allowing for effective risk reduction through automated code remediation.

Once activated, the system evaluates detected issues using the Mend SAST detection engine Gen 2 and suggests high-confidence code fixes, which can be reviewed in both Mend Repository Integrations and the Mend Platform. Feedback on these suggestions helps refine future recommendations, while dashboards within the Mend Application offer insights into remediation trends and volumes at various organizational levels.

What data Mend AI-Based Code Remediation collects

Customer Data

Mend AI-Based Code Remediation neither gathers customer data for training nor shares it with third parties.

  • The remediation process is based solely on source code snippets related to your Code findings.

  • No additional data is collected, and the AI model operates on a private instance, ensuring that no data is shared with the third-party LLM Provider(s).

  • Optional feedback may be provided to help Mend monitor adoption and enhance the solution.

For more information on the terms and conditions of the Mend AI-Based Code Remediation, please visit our Mend AI-Powered Code Features Supplemental Terms of Service.

Getting it done

Prerequisites

Note: This feature is a controlled release. Your feedback during this phase will be invaluable, as it will help us perfect it and deliver an exceptional, game-changing product.

  • Mend account with SAST entitlement on the Mend Platform

  • Bitbucket Cloud installed and configured on the Mend Developer Platform with the Mend license key (the Classic Bitbucket Cloud integration is not supported)

  • Enable the Code Findings Remediation Opt-In toggle under the General Administration menu:

    • If enabled, snippets of your source code will be shared with Mend.io’s AI model to provide remediation suggestions.

      • To get remediation suggestions, the snippet size must be set to at least 10 lines of code, which is the default.

      • You can disable this option to prevent any code sharing with the model and turn off Mend Code AI-based remediation entirely.

    • After enabling the Code Findings Remediation Opt-In toggle, rescan your projects so that Code Remediation can run. Then log out and log in again to refresh the UI and view the code remediations.

Mend AI-Based Code Remediation Supported Languages

Mend AI-based Code remediation supports the following languages and CWEs (Common Weakness Enumeration):

Supported languages:

  • C#

  • Java

  • JavaScript

  • Python

  • TypeScript

Supported CWEs:

  • CWE-22 - Path Traversal

  • CWE-79 - XSS (Cross-Site Scripting)

  • CWE-89 - SQL Injection

  • CWE-117 - Log Injection

  • CWE-601 - Open Redirect

View the suggested Code remediations

You can view and apply the suggested Code remediations in two ways:

Mend Code Security Report

  1. Navigate to the Mend Code Security Report in the Bitbucket Cloud Issues section.

  2. For each finding for which remediation is available, click on the Data Flow to navigate to the specific finding within the commit comment where the Mend Code Security Check was run.

  3. Navigate to the Remediation Suggestion section within the commit comment to view the available code fix for the given finding.

  4. The suggested remediation is shown as a diff; read it as follows:

    • Red lines are the original code lines that the remediation removes.

    • Green lines are the code that the remediation adds.

  5. You can provide feedback on the remediation provided (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend is not sharing any customer code with the model.

    1. To submit positive feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback positive 03d415e1-ee02-4df6-bf48-a44430b460b9 "Your Optional Comment"

    2. To submit negative feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback negative 03d415e1-ee02-4df6-bf48-a44430b460b9 "Your Optional Comment"

Mend Code Security Check

  1. Once a Pull Request is created on a feature branch, navigate to the comments section.

  2. Navigate to the Remediation Suggestion section to view the available code fix for the given finding.

  3. The suggested remediation is shown as a diff; read it as follows:

    • Red lines are the original code lines that the remediation removes.

    • Green lines are the code that the remediation adds.

  4. You can provide feedback on the remediation provided (Positive / Negative). This feedback is tracked but not used to improve the suggestions, as Mend is not sharing any customer code with the model.

    1. To submit positive feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback positive b01e5ba0-11c7-40db-a8d6-3c934ee85f4f "Your Optional Comment"

    2. To submit negative feedback, comment on the work item issue with the provided syntax. You can also add an additional comment that will be saved as a “User comment” on the feedback comment.
      In this example: /mend code remediate feedback negative b01e5ba0-11c7-40db-a8d6-3c934ee85f4f "Your Optional Comment"

How to fix Code findings

Once a Mend Code Security Check (SAST) has been completed in the repository, you can review the suggested remediations and create a Pull Request to implement the code fix.

Mend Code Security Report

  1. Navigate to the Mend Code Security Report in the Bitbucket Cloud Issues section.

  2. For each finding for which remediation is available, click on the Data Flow to navigate to the specific finding within the commit comment where the Mend Code Security Check was run.

  3. Navigate to the Remediation Suggestion section within the commit comment to view the available code fix for the given finding.

  4. To apply the suggested remediation, open a pull request with it by commenting on the commit with the provided syntax.
    In this example: /mend code remediate pull-request 03d415e1-ee02-4df6-bf48-a44430b460b9 "Your Optional Comment"

  5. A pull request will be created. Then, navigate to the Pull Requests section of the repository.

  6. Open the newly created Pull Request, which applies the Mend remediation suggestion.

  7. You can review the PR Explanation and your comment (if added) in the description.

  8. Click Approve to push the Mend code remediation to your branch. Mend recommends waiting for a completed Mend Code Security Check before pushing this PR into your relevant branch.

Mend Code Security Check

  1. Once a Pull Request is created on a feature branch, navigate to the commit comments section.

  2. Navigate to the Remediation Suggestion section to view the available code fix for the given finding.


To apply the suggested remediation, choose one of two ways:

  1. Update the feature branch through a commit by commenting on the Pull Request with the provided syntax. In this example: /mend code remediate commit b01e5ba0-11c7-40db-a8d6-3c934ee85f4f "Your Optional Comment"

  2. You can create a pull request by commenting on the Pull Request with the provided syntax. In this example: /mend code remediate pull-request b01e5ba0-11c7-40db-a8d6-3c934ee85f4f "Your Optional Comment"

  3. If a pull request was created, navigate to the Pull Request from the comment.

  4. You can review the PR Explanation in the conversation comment.

  5. Click Approve to push the Mend code remediation to your branch. Mend recommends waiting for a completed Mend Code Security Check before pushing this PR into your relevant branch.


FAQ

What is Mend AI-Based Code Remediation?

Mend AI-Based Code Remediation uses an advanced AI model to provide code-fix suggestions for security findings detected by Mend SAST. It helps developers automatically remediate vulnerabilities in their custom code.

Which programming languages are supported?

Mend AI-Based Code Remediation currently supports:

  • C#

  • Java

  • JavaScript

  • TypeScript

  • Python

How do I enable code remediation suggestions?

  1. Go to the General Administration menu in the Mend Platform.

  2. Enable the Code Findings Remediation Opt-In toggle.

  3. Rescan your projects.

  4. Log out and log back in to view remediation suggestions.

Where can I view remediation suggestions?

You can view suggestions in:

  • Mend Code Security Report within the Bitbucket Cloud Issues section.

  • Commit Comments under the Mend Code Security Check.

  • Mend AppSec Platform UI

How can I apply a suggested remediation?

To apply a remediation, comment on the commit or pull request with the following syntax:

  /mend code remediate pull-request <finding ID> "Your Optional Comment"

A pull request will automatically be created with the suggested fix.

Can I provide feedback on the remediation suggestions?

Yes. Use the following comment formats:

  • Positive feedback:

    /mend code remediate feedback positive <finding ID> "Your Optional Comment"

  • Negative feedback:

    /mend code remediate feedback negative <finding ID> "Your Optional Comment"
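As an added example (not Mend's own code), the following Python validator checks the comment-command syntax documented in the two FAQ answers above before a bot or CI job posts it, so that a malformed command is reported instead of silently ignored. It assumes the finding ID is a UUID, as the page's examples are, and that the optional comment is double-quoted.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumption: finding IDs are UUID-shaped, like the page's examples
# (e.g. 03d415e1-ee02-4df6-bf48-a44430b460b9).
_UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Actions documented on this page; the value says whether a polarity word follows.
_ACTIONS = {"pull-request": False, "commit": False, "feedback": True}
_POLARITY = {"positive", "negative"}


@dataclass(frozen=True)
class RemediateCommand:
    action: str
    polarity: Optional[str]  # only set for feedback commands
    finding_id: str
    comment: Optional[str]   # the optional "User comment", if given


def parse_remediate_command(text: str) -> RemediateCommand:
    """Parse '/mend code remediate <action> [positive|negative] <finding ID> ["comment"]'.

    Raises ValueError naming the first problem found, so the author can be told
    why the comment would not be accepted.
    """
    try:
        tokens = shlex.split(text.strip())  # honours the double-quoted comment
    except ValueError as exc:  # unbalanced quote
        raise ValueError(f"unbalanced quotes in command: {exc}") from exc
    if tokens[:3] != ["/mend", "code", "remediate"]:
        raise ValueError("command must start with '/mend code remediate'")
    rest = tokens[3:]
    if not rest or rest[0] not in _ACTIONS:
        raise ValueError(f"action must be one of {sorted(_ACTIONS)}")
    action, rest = rest[0], rest[1:]
    polarity = None
    if _ACTIONS[action]:
        if not rest or rest[0] not in _POLARITY:
            raise ValueError("feedback requires 'positive' or 'negative'")
        polarity, rest = rest[0], rest[1:]
    if not rest or not _UUID_RE.match(rest[0]):
        raise ValueError("finding ID must be the UUID shown in the finding's comment")
    finding_id, rest = rest[0].lower(), rest[1:]
    if len(rest) > 1:  # an unquoted multi-word comment splits into several tokens
        raise ValueError("optional comment must be a single double-quoted string")
    return RemediateCommand(action, polarity, finding_id, rest[0] if rest else None)
```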

Will my code be shared with third parties?

No. Mend AI-Based Code Remediation operates on a private instance. Only the necessary code snippets are used to generate suggestions, and no customer data is shared with third parties.

What happens if I disable the Code Findings Remediation Opt-In toggle?

If you disable the toggle, no code snippets will be shared, and the AI-based remediation feature will be turned off.
