A VS Code extension that detects and fixes security vulnerabilities in your code using machine learning. It analyzes CodeQL SARIF files, scores how confidently each finding can be fixed, and applies fixes with cross-file change detection.
Key Features
One-Click Security Fixes - Fix vulnerabilities automatically with ML-powered analysis
Smart Cross-File Detection - Identifies and fixes related changes across multiple files
Confidence Scoring - Shows how reliable each fix is with clear metrics
Comprehensive Reporting - Get detailed summaries of fixed issues and of issues left for manual review
Bulk Fix Operations - Fix multiple issues at once with consistent behavior
Quick Start
Install the extension from VS Code marketplace
Import a SARIF file by ADO Bug ID or repository name
Analyze vulnerabilities with a single click
Apply automatic fixes for high-confidence issues
Review suggested changes for lower-confidence issues
Prerequisites
VS Code 1.85.0+
Python 3.x (for ADO integration)
Active workspace folder
Usage
Get a SARIF File
Run @cql-agent to open the main menu, then choose one of:
Enter ADO Bug ID - For Azure DevOps bugs
Enter Repository Name - For CodeQL Portal downloads
Fix Security Issues
After importing a SARIF file, click Analyze & Fix Issues
For individual issues, click Fix This Issue
For all issues, click Fix All Issues
Review results and apply any suggested cross-file changes
Key Commands
@cql-agent - Show main menu
@cql-agent /get-sarif <id> - Download SARIF by ID
@cql-agent /cql-fix - Analyze and fix issues
@cql-agent /fix-all-issues - Fix all analyzable issues
@cql-agent /ml-stats - View ML performance stats
How It Works
Confidence-Based Fix System
The extension uses ML to determine how reliably it can fix each issue:
High Confidence (≥65%): Applied automatically
Medium Confidence (40% to below 65%): Manual review suggested
Low Confidence (<40%): Marked for developer review
Cross-File Change Detection
When a fix affects multiple files:
The primary fix is applied first
Related file changes are detected and listed
A button appears to apply all related changes
One click updates all affected files
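The following Python script is an added example for this README, not the cql-agent extension's own code. It shows how a CodeQL SARIF result set can be triaged into the three confidence tiers above and how the files a fix may touch can be enumerated from a result's primary and related locations, which is the information a cross-file change would need. The SARIF document, rule ids, paths, fingerprints and CONFIDENCE_SCORES are constructed sample data; the scores stand in for the extension's ML model, which this page does not describe. Suppressed results and results without a physical location are skipped, and a result with no score falls into the lowest tier.

```python
"""Triage CodeQL SARIF results into confidence tiers and list the files each fix may touch.
Added example for this README, not the cql-agent extension's own code. The SARIF document,
rule ids, paths, fingerprints and CONFIDENCE_SCORES are constructed; the scores stand in for
the extension's ML model, which this page does not describe."""
import json
from dataclasses import dataclass, field

AUTO_FIX_THRESHOLD = 0.65  # >= 65%: applied automatically
REVIEW_THRESHOLD = 0.40    # 40% to below 65%: manual review suggested; below 40%: developer review


@dataclass
class Finding:
    rule_id: str
    uri: str
    line: int
    confidence: float
    tier: str
    files: list = field(default_factory=list)  # primary file plus any related files


def primary_location(result):
    loc = result["locations"][0]["physicalLocation"]
    return loc["artifactLocation"]["uri"], loc["region"]["startLine"]


def result_key(result):
    """Stable identity for a result: CodeQL's partial fingerprint when present, else rule@file:line."""
    fingerprint = result.get("partialFingerprints", {}).get("primaryLocationLineHash")
    if fingerprint:
        return fingerprint
    uri, line = primary_location(result)
    return f"{result['ruleId']}@{uri}:{line}"


def tier_for(confidence):
    if confidence >= AUTO_FIX_THRESHOLD:
        return "auto"
    if confidence >= REVIEW_THRESHOLD:
        return "review"
    return "manual"


def files_touched(result):
    """Files named by the primary and related locations, in first-seen order.
    More than one entry means a fix here is a cross-file change."""
    files = []
    for loc in result.get("locations", []) + result.get("relatedLocations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri and uri not in files:
            files.append(uri)
    return files


def triage(sarif_text, confidence_scores):
    """Bucket results by tier. Suppressed results and results without a physical
    location (nothing a fix could target) are skipped; an unknown score counts as 0."""
    buckets = {"auto": [], "review": [], "manual": []}
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            if result.get("suppressions") or result.get("kind", "fail") != "fail":
                continue
            if not result.get("locations"):
                continue
            uri, line = primary_location(result)
            confidence = confidence_scores.get(result_key(result), 0.0)
            buckets[tier_for(confidence)].append(
                Finding(result["ruleId"], uri, line, confidence, tier_for(confidence), files_touched(result)))
    return buckets


def _loc(uri, line):
    return {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}


# Constructed SARIF 2.1.0 document shaped like CodeQL output (not from a real scan).
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "CodeQL"}}, "results": [
    {"ruleId": "cpp/overflow-buffer", "message": {"text": "This 'strcpy' may overflow 'buf'."},
     "locations": [_loc("src/net/parse.c", 42)], "relatedLocations": [_loc("src/net/parse.h", 17)],
     "partialFingerprints": {"primaryLocationLineHash": "3f9a1c2e7b0d4455:1"}},
    {"ruleId": "cpp/missing-null-test", "message": {"text": "Value may be null here."},
     "locations": [_loc("src/util/str.c", 88)],
     "partialFingerprints": {"primaryLocationLineHash": "b71e0d9c5a2f6603:1"}},
    {"ruleId": "cpp/memory-never-freed", "message": {"text": "Memory allocated here is never freed."},
     "locations": [_loc("src/db/conn.c", 120)]},  # no fingerprint: falls back to rule@file:line
    {"ruleId": "cpp/unsafe-strcpy", "message": {"text": "Unsafe call."},
     "locations": [_loc("src/legacy/old.c", 5)], "suppressions": [{"kind": "inSource"}]},
]}]})

# Stand-in for the ML model's per-result confidence, keyed by result_key(). Constructed values.
CONFIDENCE_SCORES = {
    "3f9a1c2e7b0d4455:1": 0.82,
    "b71e0d9c5a2f6603:1": 0.53,
    "cpp/memory-never-freed@src/db/conn.c:120": 0.31,
}

if __name__ == "__main__":
    for tier, findings in triage(SAMPLE_SARIF, CONFIDENCE_SCORES).items():
        for f in findings:
            cross = " (cross-file: %s)" % ", ".join(f.files) if len(f.files) > 1 else ""
            print(f"{tier:6} {f.confidence:.2f} {f.rule_id} {f.uri}:{f.line}{cross}")
```

Keying scores by CodeQL's partialFingerprints rather than by line number keeps a score attached to the same finding across re-scans, where line numbers shift as fixes are applied; the rule@file:line fallback only exists for results that carry no fingerprint.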
Supported Vulnerability Types
Automatically fixed:
Input validation
Buffer overflows
Null pointers
Unsafe function calls
Memory leaks
Requires manual review:
Complex architectural issues
Business logic vulnerabilities
Domain-specific issues
Multi-approach cases
Low-confidence fixes
Even in the automatically fixed categories, a fix is only applied when its confidence score reaches the high-confidence threshold; lower-scoring fixes are routed to manual review.
Troubleshooting
SARIF file not found: Ensure the file is in your Downloads folder and that download monitoring is enabled
Fix failed: Some complex issues need manual review; check the confidence score of the issue
No issues found: Verify that the SARIF file contains valid analysis results
Cross-file changes not applying: Check the file paths and write permissions of the related files
Performance Metrics
The ML system improves over time by:
Learning from successful and failed fix attempts
Recognizing recurring patterns across vulnerabilities
Selecting fix strategies based on the surrounding code context
View detailed stats with @cql-agent /ml-stats
Release Notes
1.2.0 (Current)
NEW: Cross-file change detection and application
NEW: One-click related file updates
IMPROVED: Dependency tracking and resolution
FIXED: Consistent behavior between individual and bulk fixes