
Fix Command

The vaultguard fix command reads saved scan results and generates a remediation report with provider-aware, ecosystem-specific instructions for each finding.

Basic Usage

After running a scan, get remediation steps:

```sh
vaultguard scan
vaultguard fix
```

By default, fix reads the auto-saved results at .vaultguard/results/latest.json. This file is created automatically every time you run vaultguard scan in human output mode (the default).

Two commands, one workflow

Run vaultguard scan to find issues, then vaultguard fix to get step-by-step remediation. The fix command reads the auto-saved results, so there is no need to pipe output between them.

Options

Read a specific results file instead of the default:

```sh
vaultguard fix --file path/to/results.json
```

Output the remediation report as JSON for CI or scripting:

```sh
vaultguard fix --json
```

How Results Are Saved

Every scan in human format (no --json, --sarif, or --output flags) automatically saves the full findings to .vaultguard/results/latest.json. This happens only when there are findings to save.

The results file is created with chmod 600 (owner-only read/write) since it may contain sensitive information like file paths and finding details.

Add .vaultguard/ to .gitignore

VaultGuard warns if .vaultguard/ is not in your .gitignore. Scan results should not be committed to version control -- they may contain sensitive file paths and finding details.

Report Structure

The fix report groups findings by type and sorts by severity within each group. For each finding, it shows:

  • Severity level and finding message
  • File path and line number
  • Provider name (for secrets)
  • Specific remediation actions

Example output:

Reading scan results from .vaultguard/results/latest.json
12 issues found across 5 files

━━ Secrets (3 findings) ━━━━━━━━━━━━━━━━━━━━━━━━━━

1. CRITICAL   AWS access key detected src/config.py:15
   Provider: aws
   Action:
     Rotate compromised credential immediately.
     Rotate keys via IAM console.
     Move to environment variable or AWS Secrets Manager.

2. HIGH       GitHub token detected .env:3
   Provider: github
   Action:
     Rotate compromised credential immediately.
     Revoke token at Settings > Developer settings > Tokens.

━━ Vulnerabilities (5 findings) ━━━━━━━━━━━━━━━━━━

3. HIGH       CVE-2024-1234 in lodash@4.17.20 package.json:8
   Action:
     Update to a patched version.
     Run: npm update <package>

Provider-Aware Remediation

For secret findings, VaultGuard generates rotation instructions specific to the detected provider:

| Provider  | Remediation |
|-----------|-------------|
| AWS       | Rotate keys via IAM console, move to Secrets Manager |
| GitHub    | Revoke token at Settings > Developer settings |
| GitLab    | Revoke at Settings > Access Tokens |
| Stripe    | Roll API keys in Stripe Dashboard |
| OpenAI    | Revoke at platform.openai.com/api-keys |
| Supabase  | Rotate in Dashboard > Settings > API |
| Firebase  | Rotate in Firebase Console |
| Database  | Rotate credentials, use DATABASE_URL env var |
| Discord   | Reset bot token in Developer Portal |
| Slack     | Revoke and reissue at api.slack.com/apps |
| Atlassian | Revoke at id.atlassian.com/manage-profile/security |
| Vault     | Revoke with vault token revoke, rotate AppRole credentials |
| JWT       | Rotate signing secret, invalidate existing tokens |
| PEM       | Regenerate private key, update dependent services |

Rotate compromised secrets immediately

If VaultGuard finds a real secret in your codebase, treat it as compromised. Rotate the credential before removing it from code. Removing the secret from your current branch does not remove it from git history.

Ecosystem-Aware CVE Remediation

For vulnerability findings, the fix command detects the package ecosystem from the manifest file and provides the correct update command:

| Manifest File | Update Command |
|---------------|----------------|
| package.json / package-lock.json | npm update <package> |
| Cargo.toml / Cargo.lock | cargo update |
| requirements.txt / Pipfile | pip install --upgrade <package> |
| Gemfile / Gemfile.lock | bundle update <gem> |
| go.mod / go.sum | go get -u <module> |
| composer.json / composer.lock | composer update <package> |
| pom.xml / build.gradle | Update dependency version in build file |

JSON Output

The --json flag outputs a structured array for programmatic consumption:

```sh
vaultguard fix --json
```

```json
[
  {
    "finding_type": "Secret",
    "severity": "Critical",
    "message": "AWS access key detected",
    "file_path": "src/config.py",
    "line_number": 15,
    "provider": "aws",
    "remediation": [
      "Rotate compromised credential immediately.",
      "Rotate keys via IAM console.",
      "Move to environment variable or AWS Secrets Manager."
    ]
  }
]
```
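As an added example (not part of VaultGuard), the script below consumes a `fix --json` report in CI: it groups findings by `finding_type`, orders each group by severity like the human report does, and exits non-zero when any finding meets a configurable threshold. The embedded sample report is constructed from the documented field layout; the `fix_gate.py` filename and the `fail_on` threshold are assumptions.

```python
import json, sys

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}  # sort order + CI gate
# Constructed sample in the documented `fix --json` schema (not output of a real scan).
SAMPLE_REPORT = json.dumps([
    {"finding_type": "Secret", "severity": "High", "message": "GitHub token detected",
     "file_path": ".env", "line_number": 3, "provider": "github",
     "remediation": ["Rotate compromised credential immediately.",
                     "Revoke token at Settings > Developer settings > Tokens."]},
    {"finding_type": "Vulnerability", "severity": "High", "file_path": "package.json",
     "message": "CVE-2024-1234 in lodash@4.17.20", "line_number": 8,
     "remediation": ["Update to a patched version.", "Run: npm update <package>"]},
    {"finding_type": "Secret", "severity": "Critical", "message": "AWS access key detected",
     "file_path": "src/config.py", "line_number": 15, "provider": "aws",
     "remediation": ["Rotate compromised credential immediately.",
                     "Rotate keys via IAM console."]},
])

def group_findings(report_json):
    """Group findings by finding_type; within each group, most severe first."""
    groups = {}
    for finding in json.loads(report_json):
        groups.setdefault(finding["finding_type"], []).append(finding)
    for findings in groups.values():
        findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return groups

def exit_status(report_json, fail_on="High"):
    """1 if any finding is at or above the fail_on severity (fails the CI job), else 0."""
    threshold = SEVERITY_RANK[fail_on]
    return int(any(SEVERITY_RANK.get(f["severity"], 99) <= threshold
                   for f in json.loads(report_json)))

def render(groups):
    """Plain-text summary mirroring the layout of the human-readable fix report."""
    lines = []
    for finding_type, findings in groups.items():
        lines.append(f"== {finding_type} ({len(findings)} findings) ==")
        for f in findings:
            lines.append(f"{f['severity']:<8} {f['message']} {f['file_path']}:{f['line_number']}")
            if f.get("provider"):  # only secret findings carry a provider
                lines.append(f"    Provider: {f['provider']}")
            lines.extend(f"    - {step}" for step in f["remediation"])
    return "\n".join(lines)

if __name__ == "__main__":  # CI usage: vaultguard fix --json | python3 fix_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(render(group_findings(data)))
    sys.exit(exit_status(data))
```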

Workflow

A typical remediation workflow:

```sh
# 1. Scan the project
vaultguard scan

# 2. Review remediation steps
vaultguard fix

# 3. Fix issues

# 4. Re-scan to verify
vaultguard scan

# 5. Repeat until clean
```

AI-powered auto-fix coming soon

VaultGuard Pro will include AI-powered remediation that can generate fix patches automatically. See vaultguard.sh/pricing.

VaultGuard -- Security scanning for AI-generated code