Deterministic Agentic Remediation

Heeler automates dependency remediation by combining deterministic analysis with agent-driven code changes. The system identifies safe upgrade paths, validates the changes, and generates pull requests that perform the upgrade.

  • Dependency Graph. Heeler builds a complete dependency graph, including direct, transitive, first-party, and bundled dependencies. This graph is used to determine the exact upgrade path required to remediate a vulnerability.

  • Upgrade Recommendation. For each vulnerable dependency, Heeler selects the version that has the highest security impact while minimizing potential breaking changes.

  • Breaking Change Detection. Proposed upgrades are evaluated against the dependency graph to detect incompatible version requirements or downstream conflicts before remediation begins.

  • Automated Remediation Workflow. When remediation is triggered, Heeler performs the dependency upgrade and makes the required first-party code changes, validates the build and dependency resolution using ecosystem-specific checks and CI tests, and generates a pull request documenting the changes and validation results.
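As an added illustration of the graph-driven upgrade selection and breaking-change detection described above (example code, not Heeler's own): a constructed three-package graph in which the fixed release of a transitive dependency falls outside an intermediate package's declared range, so the fix is not auto-fixable until that dependent is upgraded as well. The package names, version ranges, available releases and "fixed in" version are constructed sample data, and the preference for staying on the installed major line is an assumed heuristic.

```python
def ver(s):
    return tuple(int(x) for x in s.split("."))  # "1.5.2" -> (1, 5, 2), compares as a tuple

def satisfies(v, rng):
    lo, hi = rng  # min inclusive, max exclusive; None means unbounded
    return (lo is None or v >= lo) and (hi is None or v < hi)

def reverse_edges(requires):
    """Map each dependency to the set of packages that depend on it."""
    dependents = {}
    for pkg, deps in requires.items():
        for dep in deps:
            dependents.setdefault(dep, set()).add(pkg)
    return dependents

def recommend_upgrade(installed, available, fixed_in):
    """Lowest release at/above the fix, staying on the installed major line when
    possible (assumed heuristic for fewest breaking changes); None if no fix exists."""
    candidates = sorted(v for v in available if v >= fixed_in and v > installed)
    same_major = [v for v in candidates if v[0] == installed[0]]
    return (same_major or candidates or [None])[0]

def detect_conflicts(dep, new_version, requires, dependents):
    """Dependents whose declared range for `dep` excludes the proposed version."""
    return sorted(n for n in dependents.get(dep, ())
                  if not satisfies(new_version, requires[n][dep]))

# Constructed sample graph: first-party app -> web (transitive) -> json-lib;
# each entry maps a package to {dependency: (min inclusive, max exclusive)}
REQUIRES = {
    "app": {"web": (ver("2.0.0"), ver("3.0.0")),
            "json-lib": (ver("1.2.0"), ver("2.0.0"))},
    "web": {"json-lib": (ver("1.0.0"), ver("1.5.0"))},
    "json-lib": {},
}
INSTALLED = {"app": ver("0.1.0"), "web": ver("2.4.0"), "json-lib": ver("1.3.0")}
AVAILABLE = [ver(s) for s in ("1.3.0", "1.4.0", "1.5.2", "1.6.0", "2.0.0")]

def plan(dep="json-lib", fixed_in=ver("1.5.2")):
    """A blocked upgrade needs its blocking dependents upgraded first (longer path)."""
    dependents = reverse_edges(REQUIRES)
    target = recommend_upgrade(INSTALLED[dep], AVAILABLE, fixed_in)
    blockers = detect_conflicts(dep, target, REQUIRES, dependents) if target else []
    return {"dependency": dep, "target": target, "blocked_by": blockers,
            "auto_fixable": target is not None and not blockers}
```

With the sample data, `plan()` recommends json-lib 1.5.2 but reports `web` as a blocker because web pins json-lib below 1.5.0; a fix that only required 1.4.0 would be auto-fixable, and a fix that required 2.0.0 would also break the first-party app's own range.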

Findings that support agentic remediation are clearly marked with the Auto-Fixable status. This allows you to quickly filter for fixes that can be safely automated and combine that filter with other context, such as Direct vs. Transitive dependency classification. This lets teams start with low-risk, high-confidence fixes and gradually expand automation as trust builds.

When triggered, Heeler:

  • Performs the dependency upgrade

  • Validates the change using package ecosystem-specific build and resolution checks

  • Creates a validated pull request, automatically linked to the associated ticket

You can trigger agentic remediation directly from the dependency listing or the dependency detail page using the Fix Now action.

Once a remediation is triggered, the Heeler agent provides real-time status updates, giving full visibility into each step taken during the fix.

The remediation status links directly to the generated pull request. Both the status view and the PR clearly show:

  • The changes made

  • The validation steps performed

  • The vulnerabilities remediated

CI Testing Loop

Heeler automates dependency upgrades end-to-end by not only generating fixes but also validating them through your existing CI pipeline. The CI Testing Loop helps ensure that the change is safe, functional, and merge-ready, without requiring manual intervention.

Overview

When Heeler identifies a vulnerable dependency, it automatically:

  • Upgrades the dependency

  • Applies any required code or configuration changes

  • Submits a merge-ready pull request

From there, Heeler enters an iterative validation loop with your CI system to ensure the change passes all checks before developer review.

How It Works

1. Pull Request Creation

The Heeler agent:

  • Generates an upgrade for the vulnerable dependency

  • Applies necessary file and code changes

  • Opens a pull request with the full set of modifications

2. CI Execution

Once the PR is opened:

  • Your CI pipeline runs automatically

  • Heeler waits for all checks (build, tests, etc.) to complete

3. Test Result Ingestion

After CI completes:

  • Heeler collects the full set of test and build results

  • Failures (if any) are analyzed and attributed to the changes introduced

4. Automated Remediation Loop

If CI checks fail, Heeler initiates an automated remediation cycle:

  • A new agentic run is triggered with:

    • The failing test results

    • Build and compilation errors

    • Relevant context from the PR

  • The agent attempts to:

    • Fix compilation issues

    • Resolve failing tests

    • Adjust code or configuration as needed

  • Updated commits are pushed to the same PR

5. Continuous Re-Validation

Each update triggers CI again automatically.

This loop continues until one of the following occurs:

  • Success: All CI checks pass

  • Retry limit reached: Up to 5 additional remediation commits

  • Early exit: The agent determines the issue is unlikely to be resolved automatically

6. Developer Handoff (If Needed)

If the agent cannot fully resolve the issue:

  • Heeler leaves a comment on the PR telling the developer that not all errors could be resolved.

  • The PR will include:

    • All intermediate commits

    • Full CI results across attempts

    • A link to Heeler for deeper inspection
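As an added example (not Heeler's code) of the termination rules in steps 1 to 6: a loop that re-runs CI after each agent commit and stops on success, after 5 additional remediation commits, or when the agent signals an early exit, keeping every attempt for the developer handoff. The sample CI results, the early-exit heuristic and the handoff comment wording are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_EXTRA_COMMITS = 5  # retry limit stated above: up to 5 additional remediation commits

@dataclass
class LoopResult:
    outcome: str          # "success" | "retry_limit" | "early_exit"
    attempts: list = field(default_factory=list)  # (commit, errors); [] = all checks passed

def ci_testing_loop(run_ci, agent_fix, max_extra_commits=MAX_EXTRA_COMMITS):
    """run_ci(commit) -> list of failure strings for that commit ([] = green).
    agent_fix(commit, errors) -> the next commit pushed to the same PR, or None
    when the agent judges the failure unlikely to be resolved automatically."""
    result = LoopResult("retry_limit")
    commit = 0                                # the initial upgrade commit
    for extra in range(max_extra_commits + 1):
        errors = run_ci(commit)
        result.attempts.append((commit, errors))
        if not errors:
            result.outcome = "success"
            break
        if extra == max_extra_commits:        # budget of extra commits exhausted
            break
        commit = agent_fix(commit, errors)
        if commit is None:
            result.outcome = "early_exit"
            break
    return result

def handoff_comment(result):
    """PR comment for the developer when the loop did not end in success."""
    if result.outcome == "success":
        return None
    commit, errors = result.attempts[-1]
    return (f"Heeler could not resolve all CI errors after {len(result.attempts)} "
            f"CI run(s) ({result.outcome}); last failure on commit {commit}: "
            + "; ".join(errors))

# Constructed CI behaviour: the initial commit fails to compile, the first fix
# breaks a test, the second fix is green; any other commit stays red.
SAMPLE_CI = {0: ["error: cannot find symbol Config.load()"], 1: ["FAIL test_parse_config"], 2: []}

def sample_run_ci(commit):
    return SAMPLE_CI.get(commit, ["FAIL test_parse_config"])

def sample_agent_fix(commit, errors):
    # Assumed early-exit heuristic: an unreachable registry is not a code problem
    if any("registry unreachable" in e for e in errors):
        return None
    return commit + 1
```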

Full Transparency

Every step in the CI Testing Loop is fully traceable:

  • Developers can view:

    • The sequence of agent attempts

    • CI results across iterations

    • All code changes made during remediation

  • A direct link to Heeler provides:

    • Full visibility into the agent’s reasoning

    • Conversations with tools and internal decision-making steps

This ensures every automated fix is auditable, explainable, and non-breaking by design — even when automation is doing the work.


Agentic remediation must be enabled per tenant. Before enabling, Heeler will verify your environment, including SCM permissions and artifact registry access.

Reach out when you’re ready — we’ll walk through the setup together.
