# vulkro fix

Read-only, mechanical fix suggestions for a narrow set of findings where the safe rewrite is unambiguous. Vulkro never modifies your files. It prints a unified diff (or a machine-applicable JSON envelope); you apply it.

```bash
vulkro fix .                      # unified diffs on stdout
vulkro fix . --kind hardcoded-secret
vulkro fix . --format json        # agent / MCP-consumable schema
```
## What it rewrites

The set is intentionally narrow - only suggestions whose rewrite is mechanical:

| Kind | Rewrite |
|---|---|
| `cors-wildcard` | Replace a wildcard CORS origin (`*`) with an explicit allow-list placeholder. |
| `debug-on` | Flip `DEBUG = True` / `debug=true` to off. |
| `hardcoded-secret` | Replace a literal secret with a runtime env lookup (`os.environ[...]` / `process.env...`). Rotate the exposed value too. |

Anything else yields no suggestion: Vulkro does not guess at fixes it cannot mechanically prove safe.
## Applying a fix

```bash
vulkro fix . > fixes.patch
git apply fixes.patch   # review first; selectively apply hunks by hand
```
## JSON schema (`--format json`)

`--format json` emits a stable, versioned envelope for agents and MCP consumers. Each fix carries the originating finding id, the rule, file/line, a prose explanation, and a `git apply`-ready unified diff:

```json
{
"schema_version": 1,
"generated_by": "vulkro 0.11.0",
"count": 1,
"fixes": [
{
"finding_id": "a1b2c3d4",
"rule": "cors-wildcard",
"file": "src/app.py",
"line": 42,
"explanation": "Replace wildcard CORS origin with an explicit allowlist. ...",
"patch_format": "unified-diff",
"diff": "--- a/src/app.py\n+++ b/src/app.py\n@@ -42,1 +42,1 @@\n-CORS(app, origins=[\"*\"])\n+CORS(app, origins=[\"https://your-app.example\"])\n"
}
]
}
```

`schema_version` is bumped on any breaking change, so a consumer can pin against it. `patch_format` is always `unified-diff` today.
## Agent fix loop

The JSON envelope is the contract for an autonomous fix loop. An agent (driving Vulkro directly, or alongside `vulkro mcp serve`) can:

1. Run `vulkro scan . --format json` to get findings.
2. Run `vulkro fix . --format json` to get the machine-applicable diffs.
3. Apply a selected diff with `git apply`.
4. Re-run `vulkro scan` and confirm the finding is gone.
`vulkro fix <dir>` works from any working directory: the diff paths are relative to the scanned root, so apply them with `git apply` from that root.

The same loop runs entirely inside `vulkro mcp serve` via the `suggest_fixes({scan_id})` tool, which returns this identical envelope for a prior `scan_project` call.
Vulkro stays read-only throughout: step 3 is the agent's action, not Vulkro's. This keeps the "Vulkro reads, you write" guarantee even inside an automated loop.
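Because step 3 is the agent's own write action, the consumer side of the loop is where the envelope should be vetted before anything reaches `git apply`. The following is an added example (not Vulkro's code): it pins `schema_version`, checks `count` and `patch_format`, and confirms every diff header names only the declared `file` as a path relative to the scanned root. The envelope is constructed from the schema shown above, with a hypothetical second fix (`deadbeef`) that fails the path check.

```python
import json
import re
SUPPORTED_SCHEMA_VERSION = 1  # bumped on any breaking change, so pin it
HEADER_RE = re.compile(r"^(?:---|\+\+\+) [ab]/(.+)$", re.MULTILINE)

# Constructed sample, not real Vulkro output: the page's cors-wildcard fix plus
# a hypothetical second entry whose diff headers escape the scanned root.
SAMPLE_ENVELOPE = json.dumps({
    "schema_version": 1, "generated_by": "vulkro 0.11.0", "count": 2,
    "fixes": [
        {"finding_id": "a1b2c3d4", "rule": "cors-wildcard", "file": "src/app.py",
         "line": 42, "explanation": "Replace wildcard CORS origin with an explicit allowlist.",
         "patch_format": "unified-diff",
         "diff": "--- a/src/app.py\n+++ b/src/app.py\n@@ -42,1 +42,1 @@\n"
                 "-CORS(app, origins=[\"*\"])\n+CORS(app, origins=[\"https://your-app.example\"])\n"},
        {"finding_id": "deadbeef", "rule": "debug-on", "file": "settings.py",
         "line": 7, "explanation": "Flip DEBUG to off.", "patch_format": "unified-diff",
         "diff": "--- a/../outside/settings.py\n+++ b/../outside/settings.py\n"
                 "@@ -7,1 +7,1 @@\n-DEBUG = True\n+DEBUG = False\n"},
    ],
})

def diff_paths(diff):
    """File paths named in the ---/+++ headers of a unified diff, a/ and b/ prefixes stripped."""
    return {m.group(1) for m in HEADER_RE.finditer(diff)}

def select_fixes(envelope_text):
    """Validate an envelope; return (accepted ids, {rejected id: reasons}) before git apply."""
    env = json.loads(envelope_text)
    if env.get("schema_version") != SUPPORTED_SCHEMA_VERSION:
        raise ValueError(f"unsupported schema_version {env.get('schema_version')!r}")
    if env.get("count") != len(env.get("fixes", [])):
        raise ValueError("count does not match the number of fixes")
    accepted, rejected = [], {}
    for fix in env["fixes"]:
        reasons = []
        if fix.get("patch_format") != "unified-diff":
            reasons.append("patch_format is not unified-diff")
        paths = diff_paths(fix.get("diff", ""))
        if paths != {fix.get("file")}:
            reasons.append("diff headers do not match the declared file")
        # Absolute paths or '..' segments would let a hunk land outside the scanned root.
        if any(p.startswith("/") or ".." in p.split("/") for p in paths):
            reasons.append("diff path escapes the scanned root")
        if reasons:
            rejected[fix["finding_id"]] = reasons
        else:
            accepted.append(fix["finding_id"])
    return accepted, rejected
```

Only the accepted ids' diffs should be written out and passed to `git apply` from the scanned root; rejected entries are logged with their reasons and the finding left for a human.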
## Exit code

`0` always. `vulkro fix` is informational, not a gate.