FIX · DETERMINISTIC SAST AUTO-FIX

AI writes the vulnerability. Heeler ships the deterministic fix.

Finding the SQL injection is the easy part. Heeler writes the fix, proves it in your build, and opens a merge-ready pull request — a deterministic code change, not an LLM's best guess. The bug your agent wrote, closed before it ships.

A finding is not a fix.

Every SAST tool is good at pointing. Then a human still has to write the fix — while AI generates new vulnerabilities faster than the backlog can drain. Detection was never the bottleneck. Remediation is.

01

Scanners point, then stop

Traditional SAST hands you a severity, a line number, and a link. The vulnerability is still there — now it's a ticket, not a fix.

02

Someone still hand-writes the patch

Fixing a taint bug means tracing the flow from source to sink and rewriting it safely. That expertise is scarce — and it doesn't scale to thousands of findings.

03

AI writes bugs faster than you fix them

Coding agents produce vulnerable patterns — string-built SQL, unescaped output, unsafe file paths — at machine speed. Hand-remediation was already behind. Now it's lapped.

HOW IT WORKS

From taint path to merged PR.

Heeler already knows the vulnerability cold — the exact source-to-sink path, the fix strategy, and a before/after, all computed at scan time. Auto-fix turns that into a validated pull request.

01 · Locate
The engine hands the agent the exact sink, the taint path, and a concrete before/after — no rediscovery, no guessing where the bug is.
02 · Transform
The agent applies the deterministic code change — parameterize, escape, allow-list, or normalize — adapted to your current HEAD.
03 · Validate
Build, tests, and CI run on the fix; a security re-scan proves the finding is gone. On red, the agent repairs or hands it to a human — then opens a merge-ready PR.
DETERMINISTIC, NOT GUESSED

The fix is computed, not hallucinated.

Heeler doesn't ask a model to invent a patch. Its analysis matches a proven remediation strategy to the exact dataflow and carries a confidence score, so the agent applies a known-good transform — reproducibly, the same fix every time. That's the difference from AI fixers that guess: high-confidence classes are fixed automatically; complex or architectural findings get precise guidance instead of a risky PR.

Strategy-matched
Parameterize, escape, allow-list, or normalize — the transform is chosen from the vulnerability class, not improvised.
Confidence-scored
Every candidate fix carries a confidence score. Only high-confidence transforms auto-open a pull request.
Anchored to the taint path
The fix lands at the exact sink Heeler proved was reachable — tied to the source-to-sink flow, not a loose pattern match.
Human review, no auto-merge
Heeler opens the PR; your team merges it. Low-confidence or architectural cases become guidance, not a gamble.
WHAT IT FIXES

A proven transform for the flaws AI writes most.

Every fixable finding maps to a specific, deterministic code transform — chosen from the vulnerability class and anchored to the exact source-to-sink path. The same bug always gets the same safe fix.

SQLi → Parameterize
Rebuild the query with bound parameters — a tainted value can't change its structure, only its data.
XSS & output → Escape
Encode untrusted data for its exact output context, so it renders as text and never as executable markup.
Path traversal → Normalize
Resolve and confine the path so user input can't climb out of the intended directory.
Unsafe input → Allow-list
Constrain the value to a known-safe set before it ever reaches the sink.

High-confidence classes are fixed automatically. Findings that need an architectural change — an auth redesign, unsafe deserialization — get precise guidance instead of a risky PR. You're never handed a fix Heeler isn't sure of.

PRIORITIZED FIRST

Fix what's exploitable, first.

Auto-fix runs where it matters most. Heeler traces each finding's reachability — cross-file, cross-function, from source to sink — then weighs runtime exposure, business tier, and active-exploit intelligence. What's genuinely exploitable gets fixed first; the rest is tracked, not ignored. Every SAST finding lands on one level: Urgent, Plan, or Defer.

See how Heeler Risk scores SAST findings →
ONE ENGINE, BOTH HALVES · SCA AUTO-FIX

Heeler fixes the code you import, too.

You've just seen how Heeler fixes the code your team and your agents write. Its other half — SCA Auto-fix — fixes the code you import: it computes, from your dependency graph and live CVE data, the lowest-impact version upgrade that clears the CVEs and adds none, then validates it and opens the same merge-ready PR. One context engine, one prioritization model, one workflow — across both halves of your codebase.

Explore SCA Auto-fix →

See Heeler fix your code.

Connect a repo and watch Heeler turn its own SAST findings into validated, merge-ready pull requests — on your code, in your first session.