ScopeFix is an open-source framework designed to resolve security vulnerabilities in software codebases. By utilizing a novel Strategist-First Architecture powered exclusively by open-weights Large Language Models (LLMs), it unburdens human developers from the overwhelming volume of routine security patches.
In the modern DevSecOps landscape, thousands of vulnerabilities are detected daily. Human developers simply cannot keep up, leading to a massive backlog of "Low" and "Medium" complexity issues that remain unpatched for months. ScopeFix aims to clear this "Security Debt" by autonomously resolving these vulnerabilities, allowing human engineers to focus on high-severity, architectural security challenges.
Automated vulnerability scanning tools like Bandit, Semgrep are able to pinpont thousands of security issues in a jiffy. It takes a lot of human effort to analyze and fix these vulnerabilities leading to Security Debt. Most projects don't have enough resources to fix every detected vulnerability. Studies show that even after 6 months only 56% of detected vulnerabilities are fixed.
Scopefix introduces a strategist agent to the repair loop. Instead of blindly asking an LLM to "fix this code," our pipeline mimics a human engineering workflow: Plan first, then Code.
Before any code is written, the strategist analyzes vulnerability report, source code and common methods to fix the vulnerability (obtained to web scraping) to generate a repair plan.
It defines the root cause of the vulnerability and provides guidance to the fixer.
Impact: This guidance allows the smaller Level 1 model to achieve significantly higher fix rates than if it were working alone.
Qwen3-32B is used as it is capable despite being a lightweight model and high availability of inference providers for it. Function: It takes the Strategist's plan and executes a surgical patch. Efficiency: Because it follows a strict plan, it effectively resolves the majority of routine vulnerabilities (e.g., input validation, secure defaults) with minimal compute overhead.
DeepSeek-R1 was choosen for high availability of inference providers and relatively larger context window and coding capabilities. Other opensource models like glm-4.7, qwen3-max and kimi-k2-thinking are better suited but were not chosen due to lack of serverless inference providers.
Function: Leverages a massive context window and advanced reasoning capabilities to handle complex, logic-heavy vulnerabilities.
Open your terminal and clone the repository to your local machine:
git clone [https://github.com/abhiram-29/scopefix.git](https://github.com/abhiram-29/scopefix.git)
cd scopefixpython3 -m venv venv
source venv/bin/activatepip install -r requirements.txtrefer to the .env.example file to configure your environment variables
To fix a vulnerability in a specific file, you need to pass the file path to the fix_vuln function inside fix_loop.py
python fix_loop.py