Overview
The Patching API provides intelligent vulnerability remediation capabilities. It analyzes security findings, generates appropriate code fixes, verifies the patches through testing, and prepares pull request metadata.
Key Features:
Automated patch generation for security vulnerabilities
Code analysis and dataflow understanding
Lint, type-check, and test verification
Sandbox support for isolated patching
Pull request metadata generation
Multiple file change support
runPatchingAgent
Run the patching agent to fix a security vulnerability in a codebase.
Patching Workflow:
Analyze: Read and understand the vulnerability details
Locate: Find the vulnerable code in the codebase
Research: Understand the context and dataflow
Patch: Generate and apply appropriate fixes
Verify: Run lints, type-checks, and tests
Document: Prepare PR metadata with changes
```typescript
import { runPatchingAgent } from '@pensar/apex/api/patching';

// sessionInfo: a session created with createSession() from '@pensar/apex/session'
const result = await runPatchingAgent({
  cwd: '/path/to/project',
  vulnerability: {
    name: 'SQL Injection in User Search',
    severity: 'HIGH',
    description: 'User input is directly concatenated into SQL query',
    location: 'src/controllers/userController.ts',
    startLineNumber: 42,
    endLineNumber: 45,
  },
  model: 'claude-sonnet-4-20250514',
  session: sessionInfo,
});

console.log(`Patched ${result.filesChanged.length} files`);
console.log(`PR Title: ${result.prTitle}`);
```
Parameters

input (RunPatchingAgentInput, required): Configuration for the patching agent. Properties:

  cwd: Root path of the repository/codebase to patch
  vulnerability (VulnerabilityDetails, required): Details about the vulnerability to fix. Properties:
    name: Name of the vulnerability
    severity: Severity level (e.g., "CRITICAL", "HIGH", "MEDIUM", "LOW")
    description: Detailed description of the vulnerability
    location: File path where the vulnerability exists
    startLineNumber: Starting line number of vulnerable code
    endLineNumber: Ending line number of vulnerable code
    cweMapping: CWE identifiers for the vulnerability (e.g., ["CWE-89"])
    Optional dataflow analysis data
    Proof-of-concept exploit information
  model: AI model identifier (e.g., "claude-sonnet-4-20250514")
  session: Session object providing paths for logs, etc.
  Optional pre-configured sandbox for isolated code execution. When provided, all file operations and command executions route through the sandbox instead of the local filesystem.
  Optional per-provider API key overrides
  AbortSignal to cancel patching mid-run
  Optional callbacks for stream consumption (ConsumeCallbacks). Falls back to console logging if not provided. Callbacks:
    Called for each text chunk streamed from the AI
    Called when the agent invokes a tool
    Called when a tool execution completes
    Called when an error occurs
    onStepFinish (StreamTextOnStepFinishCallback): Callback fired after each agent step completes
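The AbortSignal parameter lets the caller cut a run short, for example when a CI job hits its time budget. The following is an added example and not code from @pensar/apex: it builds a deadline-based signal and shows how a signal-aware agent checkpoints between the six workflow steps. The real runPatchingAgent is assumed to stop when the signal it receives fires (the page does not show which input field carries it, so use the field named in the SDK's RunPatchingAgentInput type); `simulatedAgent` stands in for it so the file runs offline.

```typescript
// Added example, not @pensar/apex code. Cancelling a patching run with AbortSignal;
// simulatedAgent is a stand-in for runPatchingAgent so that this runs offline.

export class PatchAbortedError extends Error {
  readonly step: string;
  constructor(step: string) {
    super(`patching aborted during step "${step}"`);
    this.name = 'PatchAbortedError';
    this.step = step;
  }
}

// A signal that fires after `ms` milliseconds. `cancel` aborts early and clears
// the timer so a finished run does not keep the process alive.
export function deadlineSignal(ms: number): { signal: AbortSignal; cancel: () => void } {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), ms);
  return {
    signal: controller.signal,
    cancel: () => { clearTimeout(timer); controller.abort(); },
  };
}

// Checkpoint to call between steps of a long operation.
export function throwIfAborted(signal: AbortSignal, step: string): void {
  if (signal.aborted) throw new PatchAbortedError(step);
}

// Sleep that wakes as soon as the signal fires, so a long step is not allowed
// to run to completion after cancellation.
function interruptibleSleep(ms: number, signal: AbortSignal, step: string): Promise<void> {
  if (signal.aborted) return Promise.reject(new PatchAbortedError(step));
  return new Promise<void>((resolve, reject) => {
    let timer: ReturnType<typeof setTimeout>;
    const onAbort = () => { clearTimeout(timer); reject(new PatchAbortedError(step)); };
    timer = setTimeout(() => { signal.removeEventListener('abort', onAbort); resolve(); }, ms);
    signal.addEventListener('abort', onAbort, { once: true });
  });
}

// The six steps of the patching workflow described on the page.
export const WORKFLOW_STEPS = ['Analyze', 'Locate', 'Research', 'Patch', 'Verify', 'Document'] as const;

// Stand-in for the agent: each step "works" for msPerStep and honours the signal.
export async function simulatedAgent(signal: AbortSignal, msPerStep: number): Promise<string[]> {
  const completed: string[] = [];
  for (const step of WORKFLOW_STEPS) {
    throwIfAborted(signal, step);
    await interruptibleSleep(msPerStep, signal, step);
    completed.push(step);
  }
  return completed;
}

export interface DeadlineOutcome { status: 'completed' | 'aborted'; steps: string[]; abortedAt?: string }

// Run an agent function under a deadline and report where it stopped.
export async function patchWithDeadline(
  deadlineMs: number,
  agent: (signal: AbortSignal) => Promise<string[]>,
): Promise<DeadlineOutcome> {
  const { signal, cancel } = deadlineSignal(deadlineMs);
  try {
    return { status: 'completed', steps: await agent(signal) };
  } catch (err) {
    // Checked by name rather than instanceof so it also works when Error is downlevelled.
    if (err instanceof Error && err.name === 'PatchAbortedError') {
      return { status: 'aborted', steps: [], abortedAt: (err as PatchAbortedError).step };
    }
    throw err;
  } finally {
    cancel();
  }
}

async function demo(): Promise<void> {
  const ok = await patchWithDeadline(2000, (s) => simulatedAgent(s, 5));
  console.log(ok.status, ok.steps.join(' > '));
  const cut = await patchWithDeadline(100, (s) => simulatedAgent(s, 70));
  console.log(cut.status, 'at', cut.abortedAt);
}
demo().catch(console.error);
```

With the real agent, pass `signal` through the SDK input and wrap the call exactly as `patchWithDeadline` wraps `simulatedAgent`; an aborted run leaves the working tree in whatever state the agent had reached, so the caller should discard or reset that checkout rather than treat partial edits as a patch.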
Response

filesChanged (list of FileChange): List of all files that were modified during patching. FileChange properties:
  filePath: Path to the file that was changed (relative to cwd)
  changesDescription: Detailed description of the changes made to the file
prTitle: Suggested title for the pull request
prDescription: Detailed description for the pull request, including:
  Summary of the vulnerability
  Changes made
  Testing performed
  Remediation approach
Usage Examples
Basic Patching
```typescript
import { runPatchingAgent } from '@pensar/apex/api/patching';
import { createSession } from '@pensar/apex/session';

const session = await createSession({
  name: 'Patch SQLi',
  targets: [],
});

const result = await runPatchingAgent({
  cwd: '/home/user/projects/my-app',
  vulnerability: {
    name: 'SQL Injection in User Search',
    severity: 'HIGH',
    description: 'User input from search parameter is directly ' +
      'concatenated into SQL query without sanitization',
    location: 'src/controllers/userController.ts',
    startLineNumber: 42,
    endLineNumber: 45,
    cweMapping: ['CWE-89'],
  },
  model: 'claude-sonnet-4-20250514',
  session,
});

console.log(`Patched ${result.filesChanged.length} files:`);
result.filesChanged.forEach((file) => {
  console.log(`  ${file.filePath}: ${file.changesDescription}`);
});

console.log(`\nPR Title: ${result.prTitle}`);
console.log(`\nPR Description:\n${result.prDescription}`);
```
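Scanner output is rarely clean enough to hand straight to the agent, and patching several findings against one checkout raises the question of ordering and failure isolation. The following is an added example and not code from @pensar/apex: it validates VulnerabilityDetails (field names as used in the examples above) before each run and patches a list of findings sequentially, worst severity first. The runner is injected; `fakeRunner` is a constructed stand-in so the file runs offline, and in real use you would pass a wrapper around runPatchingAgent that adds the model and session.

```typescript
// Added example, not @pensar/apex code: input validation plus sequential batch
// patching with an injected runner. fakeRunner and SAMPLE_FINDINGS are constructed.

export interface VulnerabilityDetails {
  name: string;
  severity: string;
  description: string;
  location: string;          // path relative to cwd
  startLineNumber: number;
  endLineNumber: number;
  cweMapping?: string[];
}

export interface FileChange { filePath: string; changesDescription: string }
export interface PatchResult { filesChanged: FileChange[]; prTitle: string; prDescription: string }

// Minimal runner shape; a wrapper around runPatchingAgent satisfies it.
export type PatchRunner = (input: { cwd: string; vulnerability: VulnerabilityDetails }) => Promise<PatchResult>;

const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];
const CWE_ID = /^CWE-\d+$/;

// Empty array when the finding is well-formed, otherwise one message per problem.
export function validateVulnerability(v: VulnerabilityDetails): string[] {
  const errors: string[] = [];
  if (!v.name.trim()) errors.push('name is empty');
  if (SEVERITY_ORDER.indexOf(v.severity) === -1) errors.push(`unknown severity "${v.severity}"`);
  if (!v.description.trim()) errors.push('description is empty');
  // The agent opens `location` under cwd; reject anything that could point outside it.
  if (!v.location || v.location.startsWith('/') || v.location.indexOf('\\') !== -1
      || v.location.split('/').indexOf('..') !== -1) {
    errors.push(`location "${v.location}" is not a relative path inside the repository`);
  }
  if (!Number.isInteger(v.startLineNumber) || v.startLineNumber < 1) errors.push('startLineNumber must be a positive integer');
  if (!Number.isInteger(v.endLineNumber) || v.endLineNumber < v.startLineNumber) errors.push('endLineNumber must be >= startLineNumber');
  for (const cwe of v.cweMapping ?? []) {
    if (!CWE_ID.test(cwe)) errors.push(`malformed CWE id "${cwe}" (expected the form "CWE-89")`);
  }
  return errors;
}

export interface BatchOutcome { name: string; status: 'patched' | 'rejected' | 'failed'; detail: string }

// Runs are sequential: concurrent agents editing one checkout would race on the
// same files and on the lint/type-check/test runs used for verification.
export async function patchAll(cwd: string, findings: VulnerabilityDetails[], run: PatchRunner): Promise<BatchOutcome[]> {
  const rank = (s: string) => { const i = SEVERITY_ORDER.indexOf(s); return i === -1 ? SEVERITY_ORDER.length : i; };
  const ordered = [...findings].sort((a, b) => rank(a.severity) - rank(b.severity)); // worst first
  const outcomes: BatchOutcome[] = [];
  for (const v of ordered) {
    const errors = validateVulnerability(v);
    if (errors.length > 0) {
      outcomes.push({ name: v.name, status: 'rejected', detail: errors.join('; ') });
      continue;
    }
    try {
      const result = await run({ cwd, vulnerability: v });
      outcomes.push({ name: v.name, status: 'patched', detail: `${result.filesChanged.length} file(s) changed: ${result.prTitle}` });
    } catch (err) {
      // One failed run must not stop the rest of the batch.
      outcomes.push({ name: v.name, status: 'failed', detail: err instanceof Error ? err.message : String(err) });
    }
  }
  return outcomes;
}

// Constructed sample findings, not real scanner output.
export const SAMPLE_FINDINGS: VulnerabilityDetails[] = [
  { name: 'Reflected XSS in search page', severity: 'MEDIUM', description: 'Query parameter echoed into HTML without encoding',
    location: 'src/views/search.ts', startLineNumber: 18, endLineNumber: 20, cweMapping: ['CWE-79'] },
  { name: 'SQL Injection in User Search', severity: 'HIGH', description: 'User input concatenated into SQL query',
    location: 'src/controllers/userController.ts', startLineNumber: 42, endLineNumber: 45, cweMapping: ['CWE-89'] },
  { name: 'Broken finding', severity: 'SEVERE', description: '', location: '../outside/file.ts',
    startLineNumber: 10, endLineNumber: 5, cweMapping: ['CWE89'] },
];

// Offline stand-in for a runPatchingAgent wrapper.
export const fakeRunner: PatchRunner = async ({ vulnerability }) => ({
  filesChanged: [{ filePath: vulnerability.location, changesDescription: `fixed ${vulnerability.name}` }],
  prTitle: `fix: ${vulnerability.name}`,
  prDescription: '## Summary\nconstructed sample',
});

patchAll('/path/to/project', SAMPLE_FINDINGS, fakeRunner)
  .then((outcomes) => outcomes.forEach((o) => console.log(`${o.status.padEnd(8)} ${o.name}: ${o.detail}`)))
  .catch(console.error);
```

The validation step is deliberately strict about `location`: the agent reads and edits that path under `cwd`, so a finding whose path escapes the repository is a data-quality problem to reject up front, not something to let the agent reason about.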
Patching Capabilities
Code Analysis
The patching agent can:
Read and understand complex codebases
Trace dataflow through functions and modules
Identify input validation gaps
Understand framework-specific patterns
Analyze dependencies and imports
Patch Generation
Supported remediation patterns:
Input validation: Add sanitization and validation
Parameterized queries: Convert to prepared statements
Output encoding: Add HTML/URL/SQL escaping
Access control: Add authorization checks
Cryptographic fixes: Upgrade weak algorithms
Configuration hardening: Fix insecure defaults
Verification
After patching, the agent:
Runs linters to ensure code quality
Executes type checkers (TypeScript, mypy, etc.)
Runs existing test suites
Verifies the vulnerability is resolved
Ensures no regressions introduced
Best Practices
Provide Detailed Context
More context leads to better patches:
Include precise line numbers
Provide CWE mappings
Include PoC scripts when available
Add dataflow analysis if available
Review Generated Patches
Always review patches before merging:
Verify the fix addresses the root cause
Check for edge cases
Ensure coding standards are met
Validate test coverage
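A human review of the diff is still required, but the response shape above (filesChanged, prTitle, prDescription) supports an automated gate that runs first and tells the reviewer where to look. The following is an added example and not code from @pensar/apex: it checks that every changed path stays inside the checkout and within the directories the agent was allowed to touch, that the vulnerable file itself was edited, and that the PR description carries the four sections the page lists. The policy type, the sample results and the section headings used in them are constructed for the example.

```typescript
// Added example, not @pensar/apex code: a pre-review gate over a runPatchingAgent
// result. ReviewPolicy, GOOD_RESULT, BAD_RESULT and POLICY are constructed here.

export interface FileChange { filePath: string; changesDescription: string }
export interface PatchResult { filesChanged: FileChange[]; prTitle: string; prDescription: string }

export interface ReviewPolicy {
  vulnerableFile: string;   // the `location` that was passed to the agent
  allowedRoots: string[];   // directory prefixes the agent may edit, e.g. ['src/', 'test/']
  maxFilesChanged: number;  // a focused fix touching many files deserves extra scrutiny
}

export interface ReviewFinding { level: 'block' | 'warn'; message: string }

// Accept only normalized paths that stay inside cwd: relative, forward slashes,
// no empty or '..' segments, no drive letter. Written without node:path so the
// file needs no imports.
export function isPathInsideRepo(p: string): boolean {
  if (p === '' || p.startsWith('/') || p.indexOf('\\') !== -1 || /^[A-Za-z]:/.test(p)) return false;
  return p.split('/').every((seg) => seg !== '' && seg !== '..');
}

// The four sections the page says prDescription includes.
const REQUIRED_SECTIONS = ['Summary', 'Changes', 'Testing', 'Remediation'];

export function reviewPatchResult(result: PatchResult, policy: ReviewPolicy): ReviewFinding[] {
  const findings: ReviewFinding[] = [];
  const block = (message: string) => { findings.push({ level: 'block', message }); };
  const warn = (message: string) => { findings.push({ level: 'warn', message }); };

  if (result.filesChanged.length === 0) block('no files were changed');
  if (result.filesChanged.length > policy.maxFilesChanged) {
    block(`${result.filesChanged.length} files changed, policy allows ${policy.maxFilesChanged}`);
  }
  for (const f of result.filesChanged) {
    if (!isPathInsideRepo(f.filePath)) block(`path escapes the repository: ${f.filePath}`);
    else if (!policy.allowedRoots.some((root) => f.filePath.startsWith(root))) block(`edit outside allowed roots: ${f.filePath}`);
    if (f.changesDescription.trim() === '') warn(`no description of the changes to ${f.filePath}`);
  }
  // A fix that lives upstream in the dataflow is legitimate, but the reviewer should confirm it.
  if (!result.filesChanged.some((f) => f.filePath === policy.vulnerableFile)) {
    warn(`vulnerable file ${policy.vulnerableFile} was not edited; confirm the fix sits upstream in the dataflow`);
  }
  if (result.prTitle.trim() === '') block('empty PR title');
  for (const section of REQUIRED_SECTIONS) {
    // Matches a heading line such as "## Changes made", case-insensitively.
    if (!new RegExp(`^\\s*#*\\s*${section}`, 'im').test(result.prDescription)) {
      warn(`PR description has no "${section}" section`);
    }
  }
  return findings;
}

export function readyForHumanReview(findings: ReviewFinding[]): boolean {
  return !findings.some((f) => f.level === 'block');
}

// Constructed sample results, not produced by the agent.
export const POLICY: ReviewPolicy = {
  vulnerableFile: 'src/controllers/userController.ts', allowedRoots: ['src/', 'test/'], maxFilesChanged: 5,
};
export const GOOD_RESULT: PatchResult = {
  filesChanged: [
    { filePath: 'src/controllers/userController.ts', changesDescription: 'Replaced string-built SQL with a parameterized query' },
    { filePath: 'test/userController.test.ts', changesDescription: 'Added a regression test with a quote in the search term' },
  ],
  prTitle: 'fix: parameterize user search query',
  prDescription: '## Summary\nconstructed\n## Changes made\nconstructed\n## Testing performed\nconstructed\n## Remediation approach\nconstructed',
};
export const BAD_RESULT: PatchResult = {
  filesChanged: [
    { filePath: '../outside-repo/config.ts', changesDescription: '' },
    { filePath: 'scripts/deploy.sh', changesDescription: 'tweak' },
  ],
  prTitle: '',
  prDescription: 'done',
};

for (const [label, result] of [['good', GOOD_RESULT], ['bad', BAD_RESULT]] as const) {
  const findings = reviewPatchResult(result, POLICY);
  console.log(`${label}: ready=${readyForHumanReview(findings)}`);
  findings.forEach((f) => console.log(`  [${f.level}] ${f.message}`));
}
```

Blocking findings stop the result from becoming a pull request at all; warnings ride along into the PR description so the reviewer's attention goes first to the root-cause and coverage questions listed above.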
Use Sandboxes for Safety
For untrusted codebases:
Always use sandbox isolation
Never patch production code directly
Test patches in staging first