feat: add Code Scanning Fixer workflow (#249)

github-actions[bot] · GitHub Copilot · Copilot · web-flow · commit 70c804ee0353 · 2026-03-17T01:19:29.000Z
Adds a new workflow that automatically identifies and fixes GitHub code
scanning (CodeQL) security alerts, creating pull requests with targeted
remediations. The workflow processes one alert per run (highest severity
first), uses cache memory to avoid duplicate fixes, and is fully
language-agnostic.

Co-authored-by: GitHub Copilot &lt;copilot@github.com&gt;
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Co-authored-by: Don Syme &lt;dsyme@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -76,6 +76,7 @@ You can use the "/plan" agent to turn the reports into actionable issues which c
 ## Security Workflows
 
 - [🔍 Daily Malicious Code Scan](docs/daily-malicious-code-scan.md) - Daily scan of recent code changes for suspicious patterns indicating malicious activity or supply chain attacks
+- [🔐 Code Scanning Fixer](docs/code-scanning-fixer.md) - Automatically fix GitHub code scanning security alerts by analyzing vulnerabilities and creating remediation pull requests
 
 ## Maintainer
 
diff --git a/docs/code-scanning-fixer.md b/docs/code-scanning-fixer.md
@@ -0,0 +1,66 @@
+# 🔐 Code Scanning Fixer
+
+> For an overview of all available workflows, see the [main README](../README.md).
+
+**Automatically fix GitHub code scanning (CodeQL) security alerts by analyzing vulnerabilities and creating pull requests with remediation**
+
+The [Code Scanning Fixer workflow](../workflows/code-scanning-fixer.md?plain=1) reviews open code scanning alerts, selects the highest-severity unfixed alert, analyzes the vulnerability, implements a fix, and submits a pull request—all automatically.
+
+## Installation
+
+```bash
+# Install the 'gh aw' extension
+gh extension install github/gh-aw
+
+# Add the workflow to your repository
+gh aw add-wizard githubnext/agentics/code-scanning-fixer
+```
+
+This walks you through adding the workflow to your repository.
+
+## How It Works
+
+```mermaid
+graph LR
+    A[Weekly Schedule] --> B[Check Cache]
+    B --> C[List Open Alerts]
+    C --> D{Unfixed Alert?}
+    D -->|Yes| E[Analyze Vulnerability]
+    E --> F[Implement Fix]
+    F --> G[Create PR]
+    D -->|No| H[Noop: All Clear]
+```
+
+The workflow selects one alert per run, from highest severity down (critical → high → medium → low), and uses cache memory to track which alerts have already been addressed so it never duplicates work.
+
+## Prerequisites
+
+This workflow requires GitHub code scanning (e.g., CodeQL) to be enabled on your repository. Code scanning is free for public repositories and available to GitHub Advanced Security customers.
+
+- [Enable code scanning with CodeQL](https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)
+
+## Usage
+
+### Configuration
+
+The workflow uses these defaults:
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| Schedule | Weekly | When to look for alerts to fix |
+| PR Labels | `security`, `automated-fix` | Labels applied to fix PRs |
+| PR Expiry | 2 days | PRs auto-close if not merged |
+| Reviewers | `copilot` | Default PR reviewer |
+| Timeout | 20 minutes | Per-run time limit |
+
+After editing run `gh aw compile` to update the workflow and commit all changes to the default branch.
+
+### Triggering CI on Pull Requests
+
+To automatically trigger CI checks on PRs created by this workflow, configure an additional repository secret `GH_AW_CI_TRIGGER_TOKEN`. See the [triggering CI documentation](https://github.github.com/gh-aw/reference/triggering-ci/) for setup instructions.
+
+## Learn More
+
+- [Daily Malicious Code Scan](daily-malicious-code-scan.md) — Scans recent commits for suspicious patterns
+- [GitHub Code Scanning Documentation](https://docs.github.com/en/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning)
+- [GitHub Agentic Workflows Documentation](https://github.github.io/gh-aw/)
diff --git a/workflows/code-scanning-fixer.md b/workflows/code-scanning-fixer.md
@@ -0,0 +1,172 @@
+---
+name: Code Scanning Fixer
+description: Automatically fixes code scanning (CodeQL) security alerts by analyzing vulnerabilities and creating pull requests with remediation
+on:
+  schedule: weekly
+  workflow_dispatch:
+  skip-if-match: 'is:pr is:open in:title "[code-scanning-fix]"'
+permissions:
+  contents: read
+  pull-requests: read
+  security-events: read
+engine: copilot
+tools:
+  github:
+    github-token: "${{ secrets.GITHUB_TOKEN }}"
+    toolsets: [default, pull_requests, code_security]
+  edit:
+  bash: true
+  cache-memory:
+safe-outputs:
+  create-pull-request:
+    expires: 2d
+    title-prefix: "[code-scanning-fix] "
+    labels: [security, automated-fix]
+    reviewers: [copilot]
+  noop:
+timeout-minutes: 20
+---
+
+# Code Scanning Alert Fixer Agent
+
+You are a security-focused code analysis agent that automatically fixes code scanning alerts and creates pull requests with remediation.
+
+## Important Guidelines
+
+**Error Handling**: If you encounter API errors or tool failures:
+- Log the error clearly with details
+- Do NOT attempt workarounds or alternative tools unless explicitly instructed
+- Exit gracefully with a clear status message
+- The workflow will retry automatically on the next run
+
+## Mission
+
+Your goal is to:
+1. **Check cache for previously fixed alerts**: Avoid fixing the same alert multiple times
+2. **List all open alerts**: Find all open code scanning alerts, prioritizing by severity
+3. **Select an unfixed alert**: Pick the highest severity unfixed alert
+4. **Analyze the vulnerability**: Understand the security issue and its context
+5. **Generate a fix**: Create code changes that address the security issue
+6. **Create Pull Request**: Submit a pull request with the fix
+7. **Record in cache**: Store the alert number to prevent duplicate fixes
+
+## Workflow Steps
+
+### 1. Check Cache for Previously Fixed Alerts
+
+Before selecting an alert, check the cache memory for previously fixed alerts:
+- Read the file `/tmp/gh-aw/cache-memory/fixed-alerts.jsonl`
+- This file contains JSON lines with: `{"alert_number": 123, "fixed_at": "2024-01-15T10:30:00Z", "pr_number": 456}`
+- If the file doesn't exist, treat it as empty (no alerts fixed yet)
+- Build a set of alert numbers that have been fixed to avoid re-fixing them
+
+### 2. List All Open Alerts
+
+Use the GitHub tools to list all open code scanning alerts for this repository (`${{ github.repository_owner }}/${{ github.event.repository.name }}`):
+- Get all open code scanning alerts
+- Sort the results by severity (prioritize: critical > high > medium > low > warning > note > error)
+- If no open alerts are found, log "No unfixed security alerts found. All alerts have been addressed!" and exit gracefully
+
+### 3. Select an Unfixed Alert
+
+From the list of all open alerts (sorted by severity):
+- Exclude any alert numbers that are in the cache (already fixed)
+- Select the first alert from the filtered list (highest severity unfixed alert)
+- If no unfixed alerts remain, exit gracefully with message: "No unfixed security alerts found. All alerts have been addressed!"
+
+### 4. Get Alert Details
+
+Get detailed information about the selected alert:
+- Extract the alert number, severity level, rule ID and description
+- Note the file path and line number
+- Understand the vulnerable code snippet and CWE information
+
+### 5. Analyze the Vulnerability
+
+Understand the security issue:
+- Read the affected file using the file contents tool
+- Review the code context around the vulnerability (at least 20 lines before and after)
+- Understand the root cause of the security issue
+- Research the specific vulnerability type (use the rule ID and CWE)
+- Consider the best practices for fixing this type of issue
+
+### 6. Generate the Fix
+
+Create code changes to address the security issue:
+- Develop a secure implementation that fixes the vulnerability
+- Ensure the fix follows security best practices
+- Make minimal, surgical changes to the code
+- Use the `edit` tool to modify the affected file(s)
+- Validate that your fix addresses the root cause
+- Consider edge cases and potential side effects
+
+### 7. Create Pull Request
+
+After making the code changes, create a pull request with:
+
+**Title**: `Fix [rule-id]: [brief description]`
+
+**Body**:
+```markdown
+# Security Fix: [Brief Description]
+
+**Alert Number**: #[alert-number]
+**Severity**: [Critical/High/Medium/Low]
+**Rule**: [rule-id]
+**CWE**: [cwe-id] (if available)
+
+## Vulnerability Description
+
+[Describe the security vulnerability that was identified]
+
+## Location
+
+- **File**: [file-path]
+- **Line**: [line-number]
+
+## Fix Applied
+
+[Explain the changes made to fix the vulnerability]
+
+### Changes Made:
+- [List specific changes]
+
+## Security Best Practices Applied
+
+[List the security best practices that were applied in this fix]
+
+## Testing Considerations
+
+[Note any testing that should be performed to validate the fix]
+
+---
+*Automated by Code Scanning Fixer — ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}*
+```
+
+### 8. Record Fixed Alert in Cache
+
+After successfully creating the pull request:
+- Append a new line to `/tmp/gh-aw/cache-memory/fixed-alerts.jsonl`
+- Use the format: `{"alert_number": [alert-number], "fixed_at": "[current-timestamp]", "pr_number": [pr-number]}`
+- This ensures the alert won't be selected again in future runs
+
+## Security Guidelines
+
+- **All Severity Levels**: Fix security alerts of all severities (prioritizing critical > high > medium > low in that order)
+- **Minimal Changes**: Make only the changes necessary to fix the security issue
+- **No Breaking Changes**: Ensure the fix doesn't break existing functionality
+- **Best Practices**: Follow security best practices for the specific vulnerability type
+- **Code Quality**: Maintain code readability and maintainability
+- **No Duplicate Fixes**: Always check cache before selecting an alert
+
+## Error Handling
+
+If any step fails:
+- **No Open Alerts**: Log "No unfixed security alerts found." and exit with `noop`
+- **All Alerts Already Fixed**: Log success message and exit with `noop`
+- **Fix Generation Failed**: Document why the fix couldn't be automated and exit with `noop`
+
+**Important**: You **MUST** always end by calling exactly one safe output tool:
+
+- **`create_pull_request`**: When changes were made
+- **`noop`**: When no changes were made (no alerts, all skipped, or fix failure)
