
Autofix Bot
22 posts

Autofix Bot
@autofixbot
The AI agent purpose-built for deep code review. Use with Claude Code, OpenAI Codex, or interactively on any repo.
San Francisco · Joined July 2025
1 Following · 50 Followers

AI coding assistants ship fast and break things. Mostly security things.
Autofix Bot catches what they miss. 81% accuracy on real CVEs. $10 free credit to try it.
autofix.bot
Autofix Bot reposted

@theo @aidenybai Autofix Bot can be used in your terminal without any GitHub (or other SCM) integration in headless mode.
Just install the CLI, and run "autofix" in the repo.
autofix.bot/manual/#instal…

@aidenybai Most of these won’t work on a personal repo btw, recommend throwing it on an org for optimal testing

i'm ready. time to test on React Grab's open source repo
- bugbot
- greptile
- coderabbit
- sentry
- vercel agent
- claude code review
- codex code review
- gemini code assist
- tembo
- pullfrog
- cubic
- mesa
- augment code
- copilot review
- detail
- indent

Aiden Bai@aidenybai
alright, fuck it i'm going to try every single code review bot to see which one's the best bugbot, greptile, coderabbit, graphite...?, who else am i missing
Autofix Bot reposted

🤖@autofixbot from @deepsource is the AI agent purpose-built for deep code review.
Its novel static analysis + agent harness finds more issues with fewer false positives than LLM-only review tools, making it the top scorer on the OpenSSF CVE Benchmark.
autofix.bot


You can use Autofix Bot interactively on any repository using our TUI, as a plugin in Claude Code, or with our MCP on any compatible AI client (like OpenAI Codex).
We’re specifically building for AI coding agent-first workflows, so you can ask your agent to run Autofix Bot on every checkpoint autonomously.
Try it out today: autofix.bot

Here’s how the hybrid architecture works:
- Static pass: 5,000+ deterministic checkers (code quality, security, performance) establish a high-precision baseline. A sub-agent suppresses context-specific false positives.
- AI review: The agent reviews code with static findings as anchors. Has access to AST, data-flow graphs, control-flow, import graphs as tools, not just grep and usual shell commands.
- Remediation: Sub-agents generate fixes. Static harness validates all edits before emitting a clean git patch.
Static solves key LLM problems: non-determinism across runs, low recall on security issues (LLMs get distracted by style), and cost (static narrowing reduces prompt size and tool calls).
Autofix Bot reposted

@AutofixBot catches and fixes these exact types of issues. Pre-merge.

The Lunduke Journal@LundukeJournal
September, 26: Cloudflare rewritten in “memory safe” Rust. The change is touted as “faster and more secure” because of Rust. blog.cloudflare.com/20-percent-int… November, 18 (53 days later): Cloudflare has a massive outage, which took down large portions of the Internet, because of a memory error… in that Rust code. blog.cloudflare.com/18-november-20…

Our new REST API lets you:
1️⃣ Scan for vulnerabilities & hardcoded secrets, and get ready-to-apply git patches for remediation for Python, JavaScript/TypeScript, Go, Java, Ruby, Rust, C#, and others.
2️⃣ Map projects or repositories 1:1 with first-class storage and syncing primitives, so you can analyze commits, ranges, even raw and uncommitted patches
3️⃣ Build your custom workflow with webhooks and integrate into any application
The API is pay-per-use, priced at $8 per 100k source lines of code (SLOC) analyzed (input), and $4 per 10K SLOC fixed (output).
We're excited for you to try this out!

New: REST API for Agentic Code Security 🤖🔒
Bring production-grade AI code security into your app, agent, or CI in minutes.
Read the full announcement: autofix.bot/news/autofix-b…

Now in private beta: Aardvark, an agent that finds and fixes security bugs using GPT-5.
openai.com/index/introduc…


The next iteration of this model will be available as part of Autofix Bot. If you haven't joined the waitlist yet, you can do so here: autofix.bot/benchmarks

Traditional regex-based secrets scanners (Gitleaks, TruffleHog, detect-secrets) face a fundamental tradeoff: crank up sensitivity and drown in false positives flagging things like "YOUR_API_KEY_HERE", or tune it down and miss real credentials. We kept hearing from security teams that they couldn't trust their scanning tools because of the noise – developers would ignore the alerts.
Regex is great at fast pattern matching, but terrible at understanding context. So instead of trying to make regex smarter, we built a hybrid system: regex does the initial high-recall sweep, then a fine-tuned 3B model filters out false positives by actually understanding the code context.
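The two-stage design from the post above, as an added example that is not Autofix Bot's code: a deliberately over-broad regex sweep for recall, then a context filter that drops candidates which read as placeholders. The fine-tuned 3B model is stood in for by a simple heuristic (placeholder words, character variety, Shannon entropy); the patterns and the sample source are constructed for this example.

```python
import math
import re

# Stage 1: broad, high-recall regexes (constructed; a real scanner has hundreds).
# If a pattern has groups, the last group is the candidate value.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "credential_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}
# Stage 2: heuristic stand-in for the fine-tuned context model described in the post.
PLACEHOLDER_WORDS = ("your", "example", "changeme", "placeholder", "dummy", "xxx")

def shannon_entropy(s):
    # Bits per character; random-looking secrets score well above 3.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_placeholder(value):
    low = value.lower()
    if any(word in low for word in PLACEHOLDER_WORDS):
        return True
    if len(set(low)) <= 3:  # "aaaaaaaa", "xxxxxxxx"
        return True
    return shannon_entropy(value) < 3.0  # low entropy: not a generated secret

def stage1_sweep(text):
    # Regex sweep: keep every candidate with its rule, value and line number.
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                hits.append({"rule": rule, "line": lineno, "value": value})
    return hits

def stage2_filter(hits):
    # Context filter: drop candidates that read as placeholders or test data.
    return [h for h in hits if not looks_like_placeholder(h["value"])]

# Constructed sample, no real credentials; AKIA...EXAMPLE is AWS's documentation key.
SAMPLE = '''API_KEY = "YOUR_API_KEY_HERE"
password = "changeme123"
aws_key = "AKIAIOSFODNN7EXAMPLE"
token = "aaaaaaaaaaaa"
SECRET = "q9Zk2vL8pR4mT7xW1nB6yJ3hC5dF0gA2"
other = "AKIAZZ9Q7XK2M4P8R1TG"
'''

def scan(text=SAMPLE):
    # Returns (all regex candidates, candidates that survive the context filter).
    candidates = stage1_sweep(text)
    return candidates, stage2_filter(candidates)
```

On the sample, stage 1 flags all six lines and stage 2 keeps only the two high-entropy values; the documentation key is dropped because of the word "EXAMPLE", which is exactly the kind of noise the post says drives developers to ignore alerts.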
