Skip to main content

View Example Plugin

Check out the complete vulnerability remediation plugin with ready-to-use code and configuration.
Security vulnerabilities are a constant challenge for software teams. Every day, new security issues are discovered—from vulnerabilities in dependencies to code security flaws detected by static analysis tools. The National Vulnerability Database (NVD) reports thousands of new vulnerabilities annually, and organizations struggle to keep up with this constant influx.

The Challenge

The traditional approach to vulnerability remediation is manual and time-consuming:
  1. Scan repositories for vulnerabilities
  2. Review each vulnerability and its impact
  3. Research the fix (usually a version upgrade)
  4. Update dependency files
  5. Test the changes
  6. Create pull requests
  7. Get reviews and merge
This process can take hours per vulnerability, and with hundreds or thousands of vulnerabilities across multiple repositories, it becomes an overwhelming task. Security debt accumulates faster than teams can address it. What if we could automate this entire process using AI agents?

Automated Vulnerability Remediation with OpenHands

The OpenHands Software Agents SDK provides powerful capabilities for building autonomous AI agents capable of interacting with codebases. These agents can tackle one of the most tedious tasks in software maintenance: security vulnerability remediation. OpenHands assists with vulnerability remediation by:
  • Identifying vulnerabilities: Analyzing code for common security issues
  • Understanding impact: Explaining the risk and exploitation potential
  • Implementing fixes: Generating secure code to address vulnerabilities
  • Validating remediation: Verifying fixes are effective and complete

Two Approaches to Vulnerability Fixing

1. Point to a GitHub Repository

Build a workflow where users can point to a GitHub repository, scan it for vulnerabilities, and have OpenHands AI agents automatically create pull requests with fixes—all with minimal human intervention.

2. Upload Security Scanner Reports

Enable users to upload reports from security scanners such as Snyk (as well as other third-party security scanners) where OpenHands agents automatically detect the report format, identify the issues, and apply fixes. This solution goes beyond automation—it focuses on making security remediation accessible, fast, and scalable.

Architecture Overview

A vulnerability remediation agent can be built as a web application that orchestrates agents using the OpenHands Software Agents SDK and OpenHands Cloud to perform security scans and automate remediation fixes. The key architectural components include:
  • Frontend: Communicates directly with the OpenHands Agent Server through the TypeScript Client
  • WebSocket interface: Enables real-time status updates on agent actions and operations
  • LLM flexibility: OpenHands supports multiple LLMs, minimizing dependency on any single provider
  • Scalable execution: The Agent Server can be hosted locally, with self-hosted models, or integrated with OpenHands Cloud
This architecture allows the frontend to remain lightweight while heavy lifting happens in the agent’s execution environment.

Example: Vulnerability Fixer Application

An example implementation is available at github.com/OpenHands/vulnerability-fixer. This React web application demonstrates the full workflow:
  1. User points to a repository or uploads a security scan report
  2. Agent analyzes the vulnerabilities
  3. Agent creates fixes and pull requests automatically
  4. User reviews and merges the changes

Security Scanning Integration

Use OpenHands to analyze security scanner output:

Common Vulnerability Patterns

OpenHands can detect these common vulnerability patterns:
VulnerabilityPatternExample
SQL InjectionString concatenation in queriesquery = "SELECT * FROM users WHERE id=" + user_id
XSSUnescaped user input in HTML<div>${user_comment}</div>
Path TraversalUnvalidated file pathsopen(user_supplied_path)
Command InjectionShell commands with user inputos.system("ping " + hostname)
Hardcoded SecretsCredentials in source codepassword = "admin123"

Automated Remediation

Applying Security Patches

Fix identified vulnerabilities:
Fixed code:

Code-Level Vulnerability Fixes

Fix application-level security issues:
Fixed code:

Security Testing

Test your fixes thoroughly:

Automated Remediation Pipeline

Create an end-to-end automated pipeline:

Building Your Own Vulnerability Fixer

The example application demonstrates that AI agents can effectively automate security maintenance at scale. Tasks that required hours of manual effort per vulnerability can now be completed in minutes with minimal human intervention. To build your own vulnerability remediation agent:
  1. Use the OpenHands Software Agent SDK to create your agent
  2. Integrate with your security scanning tools (Snyk, Dependabot, CodeQL, etc.)
  3. Configure the agent to create pull requests automatically
  4. Set up human review workflows for critical fixes
As agent capabilities continue to evolve, an increasing number of repetitive and time-consuming security tasks can be automated, enabling developers to focus on higher-level design, innovation, and problem-solving rather than routine maintenance.

Automate This

You can run vulnerability scans on a schedule using OpenHands Automations. Copy this prompt into a new conversation to set one up:
You can also use the vulnerability-remediation plugin for automated fix PRs alongside the scan.