Ever wished your Java project could fix its own security vulnerabilities? Now it can. With CrewAI, Snyk, and a little bit of agentic magic, I’ve built a system that can scan your repo, fix vulnerabilities, and open a PR – all on its own.


🔧 The Problem

Java projects (especially large, legacy Maven ones) often use outdated dependencies with known security issues.

Keeping up with CVEs manually?

  • 😩 Time-consuming

  • 😓 Error-prone

  • 😴 Repetitive


🤖 The Solution: Sec-Fix Agents

Enter Sec-Fix Agents — a fully autonomous crew built using CrewAI.

This tool uses LLM-powered agents to:

  1. Scan the codebase using Snyk CLI

  2. Fix vulnerable Maven dependencies automatically

  3. Commit + Open a Pull Request using GitHub CLI


⚙️ How It Works

Three modular agents do the heavy lifting:

🔍 1. Security Scanner

Detects vulnerable dependencies via Snyk's open-source scanning.

🛠️ 2. Dependency Fixer

Parses the Snyk report, fetches the latest safe versions, and prepares a fix list.

🔃 3. PR Creator

Clones the repo, patches pom.xml, creates a new branch, commits, pushes, and opens a PR.

It’s like DevSecOps on autopilot 🚀
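As an added illustration of the Dependency Fixer and PR Creator steps (not code from the Sec-Fix Agents repo): turn a Snyk JSON report into a fix list, skip findings that have no fixed release instead of guessing a version, and patch pom.xml, including versions declared through a Maven property. The report field names and the sample POM are constructed and assumed for this example.

```python
import json
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
ET.register_namespace("", POM_NS)  # write the POM back without an "ns0:" prefix
NS = {"m": POM_NS}

# Constructed sample shaped like `snyk test --json` output (field names assumed).
SNYK_REPORT = json.dumps({"vulnerabilities": [
    {"packageName": "org.apache.commons:commons-text", "version": "1.9", "isUpgradable": True, "fixedIn": ["1.10.0"]},
    {"packageName": "com.example:legacy-lib", "version": "2.0", "isUpgradable": True, "fixedIn": ["2.1", "3.0"]},
    {"packageName": "com.example:orphan-lib", "version": "0.4", "isUpgradable": False, "fixedIn": []},
]})

# Constructed pom.xml: a literal version, a ${property} version, and a dependency with no fix.
POM_XML = f"""<project xmlns="{POM_NS}">
  <properties><legacy.version>2.0</legacy.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-text</artifactId><version>1.9</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>legacy-lib</artifactId><version>${{legacy.version}}</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>orphan-lib</artifactId><version>0.4</version></dependency>
  </dependencies>
</project>"""

def plan_fixes(report_json: str) -> dict:
    """Map groupId:artifactId -> target version, only where Snyk reports a fixed release."""
    fixes = {}
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        if not vuln.get("isUpgradable") or not vuln.get("fixedIn"):
            continue  # no safe version known: leave it for a human instead of inventing one
        fixes[vuln["packageName"]] = vuln["fixedIn"][0]  # earliest fixed release = least churn
    return fixes

def patch_pom(pom_xml: str, fixes: dict) -> tuple[str, list]:
    """Bump matching <version> elements, following ${prop} into <properties>."""
    root = ET.fromstring(pom_xml)
    changed = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        key = f"{dep.findtext('m:groupId', '', NS)}:{dep.findtext('m:artifactId', '', NS)}"
        ver = dep.find("m:version", NS)
        if key not in fixes or ver is None or not ver.text:
            continue
        target = ver
        if ver.text.startswith("${"):  # version lives in a <properties> entry
            target = root.find(f"m:properties/m:{ver.text[2:-1]}", NS)
            if target is None:
                continue  # defined in a parent POM or elsewhere: skip rather than guess
        changed.append((key, target.text, fixes[key]))
        target.text = fixes[key]
    return ET.tostring(root, encoding="unicode"), changed
```

The `changed` list is what a PR body should enumerate, so a reviewer sees exactly which coordinates moved from which version to which.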


🎥 Demo

Watch the full end-to-end demo here: 📺


🚀 How to Run It

1️⃣ Setup

git clone https://github.com/tpushkarsingh/sec-fix-agents.git
cd sec-fix-agents
python -m venv venv && source venv/bin/activate
pip install -r requirements.txt

2️⃣ Add Your .env

Create a .env file:

OPENAI_API_KEY=your-openai-key
GITHUB_TOKEN=your-github-token
REPO_TO_SCAN=https://github.com/your-user/your-repo
CREWAI_MODEL=gpt-3.5-turbo-0125
CREWAI_TEMPERATURE=0.2

Important:

  • Your GitHub token must have repo and pull_requests scopes

  • Snyk CLI must be installed and authenticated

3️⃣ Run the Bot

python run_bot.py

Expected output:

  • ✅ Repo cloned

  • ✅ Vulnerabilities found

  • ✅ Upgrades chosen

  • ✅ Branch created

  • ✅ PR opened


🔮 What’s Next?

Using MCP servers with Playwright to automate testing after PR creation.

Imagine — not only detecting and fixing vulnerabilities, but also automatically running browser tests post-PR 🎯

