# deepsource-autofix-bot-api

`.agents/skills/deepsource-autofix-bot-api/SKILL.md`

Scan code for security vulnerabilities, leaked secrets, and dependency issues using the Autofix Bot API (api.autofix.bot), and auto-fix detected issues. Use this skill when asked to: (1) Scan or analyze a repository or code for security issues, secrets, or vulnerabilities using Autofix Bot, (2) Upload/sync a local git repository to Autofix Bot for analysis, (3) Run Autofix Bot on code changes, pull requests, or patches, (4) Apply auto-fixes from Autofix Bot analysis results. Requires an Autofix Bot API key (environment variable `AUTOFIX_BOT_API_KEY`).
## Overview

Scan code for security vulnerabilities, secrets, and dependency issues via the Autofix Bot REST API, and auto-fix detected issues.

## Authentication

All API calls require a Bearer token. Read the key from the `AUTOFIX_BOT_API_KEY` environment variable:

```bash
curl https://api.autofix.bot/workspace \
  -H "Authorization: Bearer $AUTOFIX_BOT_API_KEY"
```

If the key is not set, ask the user to provide it. Never hardcode API keys or pass them as command-line arguments (arguments end up in shell history and process listings). All bundled scripts read from this environment variable automatically.
## Step 1: Create a repository

```bash
curl -X POST https://api.autofix.bot/repositories \
  -H "Authorization: Bearer $AUTOFIX_BOT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-repo",
    "external_id": "local:my-repo",
    "detection": ["security", "secrets"],
    "fix": ["security", "secrets"]
  }'
```

Save the returned `id` (e.g., `repo_...`). Use `external_id` to avoid duplicates: if a repository with the same `external_id` already exists, retrieve it with `GET /repositories/external:local:my-repo` instead of creating another one.
## Step 2: Sync the repository

Use the bundled `scripts/sync_repo.sh` script:

```bash
# Full sync (first time)
./scripts/sync_repo.sh /path/to/repo <repo_id>

# Incremental sync (subsequent updates)
./scripts/sync_repo.sh /path/to/repo <repo_id> <base_ref>
```

The script creates a git bundle, obtains a signed upload URL, uploads the bundle, and polls until the sync completes. It prints the sync ID on success.

Manual sync steps (if not using the script):

1. Create a git bundle:

   ```bash
   # Full
   git bundle create repo.bundle --all

   # Incremental from a base ref
   git bundle create repo.bundle <base_ref>..HEAD
   ```

2. Create a sync: `POST /repositories/{id}/syncs` with `{"type": "full"}` or `{"type": "incremental", "base_ref": "<ref>"}`.

3. Upload the bundle to the `upload_url` from the response:

   ```bash
   curl -X PUT "<upload_url>" -H "Content-Type: application/octet-stream" --data-binary @repo.bundle
   ```

4. Poll `GET /repositories/{id}/syncs/{sync_id}` until `status` is `completed`.
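The get-or-create lookup from Step 1 and the manual sync steps above, as one added Python example. This is not the skill's bundled `sync_repo.sh` and not code from the Autofix Bot project; it uses only the endpoints and fields named in this file. The HTTP transport is injected so the flow runs offline against a constructed fake (`FakeApi`), while `urllib_transport` is the real one and reads the key from `AUTOFIX_BOT_API_KEY`. The 404 for an unknown `external_id`, the `"failed"` sync status and the `upload.invalid` URL are assumptions, not documented values; the bundle bytes are whatever `git bundle create` produced.

```python
"""Get-or-create an Autofix Bot repository, upload a git bundle, poll the sync.
Added example, not the skill's own code; endpoints and fields come from SKILL.md.
The transport is injected (http(method, url, body=None) -> (status, json_dict)) so
it runs offline against the constructed FakeApi. ASSUMPTIONS: an unknown
external_id answers 404 and a failed sync has status "failed" (see references/api-reference.md).
"""
import json
import os
import time
import urllib.error
import urllib.request

BASE = "https://api.autofix.bot"

def urllib_transport(method, url, body=None):
    """Real transport: dict bodies go as JSON with the Bearer token read from the
    environment; a bytes body is the bundle upload to the signed URL (no token)."""
    headers, data = {}, None
    if isinstance(body, bytes):
        headers["Content-Type"], data = "application/octet-stream", body
    else:
        key = os.environ.get("AUTOFIX_BOT_API_KEY")
        if not key:
            raise RuntimeError("AUTOFIX_BOT_API_KEY is not set; ask the user for it")
        headers["Authorization"] = f"Bearer {key}"
        if body is not None:
            headers["Content-Type"], data = "application/json", json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            text, status = resp.read().decode(), resp.status
    except urllib.error.HTTPError as err:
        text, status = err.read().decode(), err.code
    return status, (json.loads(text) if text else {})

def get_or_create_repo(http, name, external_id, detection=("security", "secrets")):
    """Look the repo up by external_id first so retries never create duplicates."""
    status, repo = http("GET", f"{BASE}/repositories/external:{external_id}")
    if status == 200:
        return repo
    if status != 404:  # ASSUMPTION: 404 means "no such external_id"
        raise RuntimeError(f"repository lookup failed: {status} {repo}")
    status, repo = http("POST", f"{BASE}/repositories", {
        "name": name, "external_id": external_id,
        "detection": list(detection), "fix": list(detection)})
    if status not in (200, 201):
        raise RuntimeError(f"repository creation failed: {status} {repo}")
    return repo

def sync_repo(http, repo_id, bundle, base_ref=None, interval=2.0, max_polls=300,
              sleep=time.sleep):
    """Create a full or incremental sync, upload the bundle bytes to its signed
    upload_url, then poll (bounded, so a stuck sync cannot hang the caller)."""
    body = {"type": "incremental", "base_ref": base_ref} if base_ref else {"type": "full"}
    status, sync = http("POST", f"{BASE}/repositories/{repo_id}/syncs", body)
    if status not in (200, 201):
        raise RuntimeError(f"sync creation failed: {status} {sync}")
    status, _ = http("PUT", sync["upload_url"], bundle)
    if status not in (200, 201, 204):
        raise RuntimeError(f"bundle upload failed with HTTP {status}")
    for _ in range(max_polls):
        status, sync = http("GET", f"{BASE}/repositories/{repo_id}/syncs/{sync['id']}")
        if status != 200:
            raise RuntimeError(f"sync poll failed: {status} {sync}")
        if sync.get("status") == "completed":
            return sync["id"]
        if sync.get("status") == "failed":  # ASSUMPTION: failure status name
            raise RuntimeError(f"sync failed: {sync}")
        sleep(interval)
    raise TimeoutError(f"sync {sync['id']} not completed after {max_polls} polls")

class FakeApi:
    """Constructed offline stand-in for api.autofix.bot (not the real service):
    one repo table; the sync reports 'processing' twice, then 'completed'."""

    def __init__(self):
        self.repos, self.polls, self.uploaded = {}, 0, None

    def __call__(self, method, url, body=None):
        path = url[len(BASE):] if url.startswith(BASE) else url
        if method == "GET" and path.startswith("/repositories/external:"):
            repo = self.repos.get(path.split("external:", 1)[1])
            return (200, repo) if repo else (404, {"error": "not found"})
        if method == "POST" and path == "/repositories":
            repo = {"id": f"repo_{len(self.repos) + 1}", **body}
            self.repos[body["external_id"]] = repo
            return 201, repo
        if method == "POST" and path.endswith("/syncs"):
            return 201, {"id": "sync_1", "upload_url": "https://upload.invalid/signed-placeholder"}
        if method == "PUT":  # the signed-URL upload; body is the raw bundle
            self.uploaded = body
            return 200, {}
        if method == "GET" and "/syncs/" in path:
            self.polls += 1
            return 200, {"id": "sync_1", "status": "completed" if self.polls >= 3 else "processing"}
        return 404, {"error": f"unhandled {method} {path}"}
```

For real use, pass `urllib_transport` as `http` and the bytes of `repo.bundle` as `bundle`; the bounded poll loop (`max_polls`) is the part `sync_repo.sh` users most often forget when scripting the manual steps.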
## Step 3: Run an analysis

```bash
curl -X POST https://api.autofix.bot/analysis \
  -H "Authorization: Bearer $AUTOFIX_BOT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "repository",
    "repository_id": "<repo_id>",
    "from_ref": "<commit_sha>"
  }'
```

- `from_ref` (required): the git commit/ref to analyze from. Use the full SHA of `HEAD` for a full scan.
- `to_ref` (optional): end ref for analyzing a range of changes.
- `patch` (optional): git patch to apply before analysis. Mutually exclusive with `to_ref`.

## Step 4: Wait for results

Use the bundled `scripts/poll_analysis.sh` script:

```bash
RESULT=$(./scripts/poll_analysis.sh <analysis_id>)
```

Or poll manually: `GET /analysis/{id}` until `status` is `completed`.
## Step 5: Review and apply fixes

The completed analysis contains:

- `detection_result.issues`: list of detected issues with `file`, `position`, `explanation`, and `category`
- `fix_result.patch`: unified diff patch that fixes the detected issues
- `fix_result.fixes`: individual fixes with explanations

Apply the fix patch:

```bash
echo "$FIX_PATCH" | git apply
```

Review the patch before applying it; `git apply --check` verifies that it applies cleanly without modifying the working tree.

If only the first 50 issues/fixes are returned (`has_more: true`), paginate with:

```
GET /analysis/{id}/issues?limit=100
GET /analysis/{id}/fixes?limit=100
```

## Detection categories

| Category | Description |
|----------|-------------|
| security | Code vulnerabilities (injection, XSS, unsafe deserialization, etc.) |
| secrets | Leaked credentials, API keys, tokens in source code |
| dependencies | Vulnerable dependencies |

Default detection: `["security", "secrets"]`. Set per-repository or per-analysis.
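Steps 3 to 5 as one added Python example (not the skill's `poll_analysis.sh` and not Autofix Bot project code): it builds the `POST /analysis` body while enforcing the two constraints stated above (`from_ref` required, `patch` and `to_ref` mutually exclusive), polls with a bound, pages through `/analysis/{id}/issues` when `has_more` is set, and dry-runs the patch with `git apply --check` before applying it. The transport is injected so it runs offline against a constructed fake fed with 120 constructed findings. The `limit`/`offset` query parameters, the `{"issues": [...], "has_more": ...}` page shape, the placement of `has_more` inside `detection_result`/`fix_result`, and the `"failed"` status are assumptions; `references/api-reference.md` has the real schema.

```python
"""Start an Autofix Bot analysis, wait for it, page through results, apply the patch.
Added example, not the skill's own code; endpoints and fields come from SKILL.md.
The transport is injected (http(method, url, body=None) -> (status, json_dict)) so it
runs offline against the constructed FakeAnalysisApi. ASSUMPTIONS: list endpoints take
limit/offset and answer {"issues": [...], "has_more": bool} (same for "fixes");
has_more sits in detection_result / fix_result; a failed analysis has status "failed".
"""
import subprocess
import time

BASE = "https://api.autofix.bot"

def analysis_request(repository_id, from_ref, to_ref=None, patch=None):
    """Build the POST /analysis body, enforcing the constraints the skill states."""
    if not from_ref:
        raise ValueError("from_ref is required; use the full HEAD SHA for a full scan")
    if to_ref and patch:
        raise ValueError("patch and to_ref are mutually exclusive")
    body = {"type": "repository", "repository_id": repository_id, "from_ref": from_ref}
    if to_ref:
        body["to_ref"] = to_ref
    if patch:
        body["patch"] = patch
    return body

def run_analysis(http, body, interval=5.0, max_polls=360, sleep=time.sleep):
    """POST the analysis, then poll GET /analysis/{id} (bounded) until completed."""
    status, created = http("POST", f"{BASE}/analysis", body)
    if status not in (200, 201):
        raise RuntimeError(f"analysis creation failed: {status} {created}")
    aid = created["id"]
    for _ in range(max_polls):
        status, analysis = http("GET", f"{BASE}/analysis/{aid}")
        if status != 200:
            raise RuntimeError(f"analysis poll failed: {status} {analysis}")
        if analysis.get("status") == "completed":
            return analysis
        if analysis.get("status") == "failed":  # ASSUMPTION: failure status name
            raise RuntimeError(f"analysis failed: {analysis}")
        sleep(interval)
    raise TimeoutError(f"analysis {aid} not completed after {max_polls} polls")

def fetch_all(http, analysis_id, kind, limit=100):
    """Page through /analysis/{id}/issues or /fixes while has_more is true."""
    items, offset = [], 0
    while True:
        url = f"{BASE}/analysis/{analysis_id}/{kind}?limit={limit}&offset={offset}"  # ASSUMPTION: offset param
        status, page = http("GET", url)
        if status != 200:
            raise RuntimeError(f"{kind} page failed: {status} {page}")
        batch = page.get(kind, [])
        items.extend(batch)
        if not page.get("has_more") or not batch:  # empty batch guards against looping forever
            return items
        offset += len(batch)

def collect_results(http, analysis):
    """Return (issues, fixes, patch), fetching the rest if only the first 50 came back."""
    det, fix = analysis.get("detection_result", {}), analysis.get("fix_result", {})
    issues = fetch_all(http, analysis["id"], "issues") if det.get("has_more") else det.get("issues", [])
    fixes = fetch_all(http, analysis["id"], "fixes") if fix.get("has_more") else fix.get("fixes", [])
    return issues, fixes, fix.get("patch", "")

def apply_patch(patch, repo_path):
    """`git apply --check` first so a stale patch is rejected before the tree is touched."""
    for args in (["git", "apply", "--check"], ["git", "apply"]):
        subprocess.run(args, cwd=repo_path, input=patch.encode(), check=True)

class FakeAnalysisApi:
    """Constructed offline stand-in (not the real service): 'running' on the first
    poll, then 'completed' with the first 50 issues and has_more set."""

    def __init__(self, issues, patch):
        self.issues, self.patch, self.polls = issues, patch, 0

    def __call__(self, method, url, body=None):
        path = url[len(BASE):]
        if method == "POST" and path == "/analysis":
            return 201, {"id": "an_1", "status": "pending"}
        if method == "GET" and path == "/analysis/an_1":
            self.polls += 1
            if self.polls < 2:
                return 200, {"id": "an_1", "status": "running"}
            return 200, {"id": "an_1", "status": "completed",
                         "detection_result": {"issues": self.issues[:50], "has_more": len(self.issues) > 50},
                         "fix_result": {"fixes": [], "has_more": False, "patch": self.patch}}
        if method == "GET" and path.startswith("/analysis/an_1/issues?"):
            q = dict(kv.split("=") for kv in path.split("?", 1)[1].split("&"))
            lim, off = int(q["limit"]), int(q["offset"])
            return 200, {"issues": self.issues[off:off + lim], "has_more": off + lim < len(self.issues)}
        return 404, {"error": f"unhandled {method} {path}"}

# Constructed sample: 120 findings, so the first page is truncated and must be paginated.
SAMPLE_ISSUES = [{"file": f"src/handler_{i}.py", "position": {"line": i + 1}, "category": "security",
                  "explanation": "constructed sample finding"} for i in range(120)]
SAMPLE_PATCH = "diff --git a/src/handler_0.py b/src/handler_0.py\n"
```

With the real transport from the sync example, `collect_results(http, run_analysis(http, analysis_request(repo_id, head_sha)))` is the whole workflow; `apply_patch` is kept separate so the caller can inspect the patch between fetching and applying it.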
## Tips

- **Reuse repositories**: look up existing repos by `external_id` (`GET /repositories/external:<external_id>`) before creating new ones.
- **Incremental syncs**: after the first full sync, use incremental syncs with `base_ref` set to the last synced commit for faster uploads.
- **Idempotency**: send an `Idempotency-Key` header on create operations for safe retries.
- **Ref for full scan**: to scan the entire repo, set `from_ref` to the root commit or the `HEAD` commit SHA after syncing.

For detailed endpoint documentation, request/response schemas, pagination, and error codes, see `references/api-reference.md`.