Confirmed findings come back as verified patches: internally tested against the original scanner, ready for your developers to review and apply.
From finding to verified patch, autonomously. Click a finding in Keygraph. An agent reads the evidence, writes the fix, and runs it past the original scanner to prove the vulnerability is gone. The verified patch is yours to review and apply through your normal workflow.
Code Remediation operates on the scan types where an automated patch is honest and high-confidence, and lands in the source control your team already uses.
Point issues, data-flow vulnerabilities, and confirmed business-logic findings.
Misconfigurations and policy violations across Terraform, Kubernetes manifests, Dockerfiles, and CI workflows.
Confirmed exploits from the agentic pentester come back as patches with the exploit record attached as evidence.
SCA, Secrets, and Container remediation are on the roadmap.
Source control coveragePatches deliver into your existing GitHub Cloud or GitHub Enterprise Cloud workflow. Self-hosted GHES support is on the roadmap.
All GitLab hosting modes are supported, including GitLab Self-Managed (CE and EE) at modern versions. Patches deliver directly into your GitLab project.
Before a patch is ever delivered to your developers, it has to prove it closed the original vulnerability. If it doesn't, no patch. No noise in your queue.
Keygraph re-runs the same scanner that produced the finding against the patched code, scoped to the affected files. The vulnerability has to actually disappear.
If the first attempt doesn't land, the agent gets a bounded number of retries with the verifier's feedback. If it still can't fix it cleanly, no patch is delivered and the failure is surfaced for a human.
Every patch ships with the proof: scanner output before, scanner output after, and the diff that closed the gap. When a patch attempt fails verification, you get a structured failure reason instead of a silent skip.
Patching removes authoring cost, not the human approval. No patch is ever applied without your developers' explicit review. No merged patch is ever auto-reverted. Your developers stay in the driver's seat.
Every patch is attributed to a clearly labeled Keygraph bot. Easy to spot in your history, easy to attribute.
No second review surface. Patches land in your existing GitHub or GitLab workflow alongside every other change.
Patching never spawns automatically. Someone clicks the finding in Keygraph. That's the trigger.
A patch is delivered only when every instance of the vulnerability inside its default scope is fixed and verified. All-or-nothing.
Schedule a demo and watch Code Remediation turn a real vulnerability in your codebase into a verified patch.