Introducing Autofix Bot API
Autofix Bot is an AI agent purpose-built for securing code — whether it's you writing it or your AI assistant. Today, we're announcing a REST API to help you integrate Autofix Bot into any application or workflow where you're writing or generating code with AI.
To learn more about how Autofix Bot performs better in security reviews than other LLM-only agents while being cheaper, you can review our Benchmarks.

Why use the Autofix Bot API?
The Autofix Bot API is built for developers who need to embed code security into their own products and workflows. Whether you're building an AI coding assistant, a CI/CD pipeline, or an internal developer platform, the API gives you programmatic access to production-grade security analysis and automated fixes.
The API lets you analyze code from any source without sharing any SCM credentials (GitHub, GitLab, Bitbucket, Azure DevOps), making it a fit for custom workflows, multi-tenant applications, or integrations where you need full control over when and how security scans run — continuously, or one-off.
Key Capabilities
- Comprehensive detection: Scan for security vulnerabilities and hardcoded secrets across your codebase. Support for code quality analysis is coming shortly.
- Automated remediation: Get ready-to-apply git patches that fix the detected issues.
- Incremental analysis: Analyze only what changed — from a single commit to a range of commits, or even uncommitted patches.
- Async-first design: Built for long-running analysis on codebases of any size, with webhook support.
- Multi-language support: Python, JavaScript, TypeScript, Go, Java, Ruby, and more.
How to use Autofix Bot API
Ensuring that AI generated code is secure and safe for production is top-of-mind for most vibe-coding tool builders and adopters. The Autofix Bot API provides an easy-to-use harness to plug in continuous code security for any workflow where AI-generated code is meant to make its way to production. With primitives like Repository, Sync, and Analysis, the API enables seamless integration for continuous code scanning and automated remediation.
Use Case: Shippable
Let's say you're building Shippable, a revolutionary new platform that allows users to create apps and websites by simply chatting with an AI. You're using an assortment of LLMs and agentic loops to generate application code that you can ask the user to ship. How do you ensure that the generated code is secure?
Autofix Bot API to the rescue.
First, create a repository for a user's code. This can be mapped to any folder or project-like abstraction you might have on your platform.
$ curl https://api.autofix.bot/repositories --request POST \
    --header "Content-Type: application/json" \
    --data '{
      "name": "cryptocurrency-trading-dashboard",
      "external_id": "github:8421733488",
      "languages": ["python", "javascript"]
    }'
Then, create a Sync object for syncing the current state of the repository to Autofix Bot.
$ curl https://api.autofix.bot/repositories/external:github:8421733488/syncs --request POST \
    --header "Content-Type: application/json" \
    --data '{
      "type": "full"
    }'
This will give you the Sync object which you can use to upload the repository state. Among other things, the object contains the id and the upload_url.
{
  "id": "sync_019a37b34cc175b8a33f4b206bd8c2a4",
  "format": "bundle",
  "object": "sync",
  "repository": "repo_019a37b3391c78e48fbdf0cea127fcd3",
  "status": "pending_upload",
  "type": "full",
  "upload_expires_at": 1761872888,
  "upload_url": "https://storage.googleapis.com/..."
  ... // a few other properties
}
Now create a git bundle for the repository, assuming the default branch is called master.
$ git bundle create master.bundle master
Upload the master.bundle file to the upload_url using a PUT request. This will sync the repository content at the specified branch to Autofix Bot. Once the sync is complete, you can run analysis on the repository.
$ curl https://api.autofix.bot/analysis --request POST \
    --header "Content-Type: application/json" \
    --data '{
      "repository_id": "external:github:8421733488",
      "from_ref": "HEAD~5",
      "to_ref": "HEAD",
      "detection": ["security", "secrets"],
      "fix": ["security"]
    }'
Autofix Bot will run the analysis agent on HEAD~5...HEAD, detect security vulnerabilities and hardcoded credentials in the code, and return the issues it found along with a remediation patch that is ready to apply to the repository. Since analysis and remediation can take some time, you can also listen for the analysis.completed webhook event instead of polling.
Once the analysis completes, you'll get back a detailed response with detected issues and production-ready fixes:
{
  "id": "an_018e8c5f789a78960123456789012345",
  "status": "completed",
  "detection_result": {
    "issues_detected_count": 12,
    "issues_detected_by_category": {
      "security": 10,
      "secrets": 2
    },
    "issues": [
      {
        "file": "src/validation.py",
        "position": { "begin": { "line": 42, "column": 12 }, "end": { "line": 42, "column": 28 } },
        "explanation": "Use of eval() with user input can lead to arbitrary code execution",
        "category": "security"
      },
      {
        "file": "config.py",
        "position": { "begin": { "line": 8, "column": 15 }, "end": { "line": 8, "column": 47 } },
        "explanation": "Hardcoded API key detected",
        "category": "secrets"
      }
    ]
  },
  "fix_result": {
    "patch": "diff --git a/src/auth.py...",
    "issues_fixed_count": 8,
    "fixes": [
      {
        "category": "security",
        "explanation": "Replace dangerous eval() with safe ast.literal_eval()",
        "patch": "diff --git a/src/validation.py..."
      }
    ]
  },
  "cost": {
    "input_loc": 1250,
    "output_fix_loc": 45,
    "total": 14.75
  }
}
Afterwards, whenever the user (or your AI agent) makes changes to the repository's code, just create a new sync object to sync the committed changes or directly run analysis on uncommitted changes by providing the patch in the analysis request.
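To turn the analysis response into a ship/no-ship decision in a platform like Shippable, here is an added example (not Autofix Bot's own client code) of a gate in Python over the response shape shown above. It assumes fixes were requested for the security category only, so issues_fixed_count counts security fixes, and it treats any status other than completed as not yet shippable; the sample response is constructed from the fields in the post.

```python
from dataclasses import dataclass, field

# Constructed sample in the response shape shown above (trimmed to the fields the gate reads).
SAMPLE_ANALYSIS = {
    "id": "an_018e8c5f789a78960123456789012345",
    "status": "completed",
    "detection_result": {
        "issues_detected_count": 12,
        "issues_detected_by_category": {"security": 10, "secrets": 2},
        "issues": [
            {"file": "src/validation.py", "category": "security",
             "position": {"begin": {"line": 42, "column": 12}, "end": {"line": 42, "column": 28}},
             "explanation": "Use of eval() with user input can lead to arbitrary code execution"},
            {"file": "config.py", "category": "secrets",
             "position": {"begin": {"line": 8, "column": 15}, "end": {"line": 8, "column": 47}},
             "explanation": "Hardcoded API key detected"},
        ],
    },
    "fix_result": {"patch": "diff --git a/src/auth.py...", "issues_fixed_count": 8},
}

@dataclass
class GateDecision:
    allow_ship: bool
    unfixed_security: int          # -1 when the analysis has not completed yet
    secret_locations: list = field(default_factory=list)  # "file:line" only, never the value
    reasons: list = field(default_factory=list)

def evaluate_analysis(analysis: dict, max_unfixed_security: int = 0) -> GateDecision:
    """Decide whether AI-generated code may ship, given an Autofix Bot analysis response."""
    status = analysis.get("status")
    if status != "completed":
        # The API is async: until analysis.completed fires, the code is unverified, not clean.
        return GateDecision(False, -1, reasons=[f"analysis status is {status!r}, not completed"])
    detection = analysis.get("detection_result", {})
    found = detection.get("issues_detected_by_category", {}).get("security", 0)
    # fix_result is absent when no fix categories were requested; assumption: fix=["security"].
    fixed = analysis.get("fix_result", {}).get("issues_fixed_count", 0)
    unfixed = max(found - fixed, 0)
    secrets = [f"{i['file']}:{i['position']['begin']['line']}"
               for i in detection.get("issues", []) if i.get("category") == "secrets"]
    reasons = []
    if unfixed > max_unfixed_security:
        reasons.append(f"{unfixed} security issue(s) remain after the fix patch")
    if secrets:
        # Deleting a hardcoded credential does not un-expose it: it must be rotated by a human.
        reasons.append(f"{len(secrets)} hardcoded secret(s) need rotation")
    return GateDecision(not reasons, unfixed, secrets, reasons)
```

The secrets branch intentionally never surfaces the credential itself, only its location, so the gate's output can be logged safely.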
Use Cases
The Autofix Bot API enables agentic code security in several workflows and applications:
AI Coding Platforms & App Builders
Building a platform where users create apps by chatting with AI or using visual builders? Ensuring AI-generated code is secure before deployment is critical. Integrate Autofix Bot to scan and fix code before users ship to production, giving them confidence that their AI-generated applications are secure and production-ready.
Agentic Workflows
Building multi-agent systems where one agent generates code, another handles testing, and you need security validation in the loop? The Autofix Bot API becomes your security agent, providing a reliable primitive for validating code security in complex agentic workflows.
Internal Developer Platforms
You're building an internal platform where engineers scaffold services, generate boilerplate, or use templates. Integrate Autofix Bot to ensure all generated code meets security standards before being added to your monorepo. Platform teams can enforce security policies at scale without slowing down developers.
Code Migration & Modernization
Building tools that help migrate legacy codebases or refactor architecture? Use Autofix Bot to ensure migrations don't introduce security regressions. Catch issues early and maintain or improve your security posture during major refactoring efforts.
API Pricing
The API is pay-per-use, priced at $8 per 100K source lines of code (SLOC) analyzed (input) and $4 per 10K SLOC fixed (output). You also get a promotional $10 in free credits upon signing up, and you can add a credit card for auto-refills.
Get Started
The Autofix Bot API is available to use right away. You can sign up and grab an API key here. Read the full API reference at docs.autofix.bot/api.
If you'd like help exploring how you can leverage the API in your application, we're happy to chat. Please reach out here.