
AI Fixes

Caspian-Explorer edited this page Feb 7, 2026 · 1 revision

AI Fixes with Smart Context

Caspian Security generates AI-powered security fixes that understand your code's full context -- not just the line with the issue.


How It Works

When you click AI Fix on a detected issue, the extension performs three steps before calling the AI:

1. Function Scope Extraction

Using VS Code's built-in DocumentSymbolProvider, the extension finds the smallest enclosing function, method, or constructor that contains the vulnerable line. The entire function body is sent to the AI -- not just 20 surrounding lines.

This means the AI sees:

  • The full function logic and control flow
  • All local variables and parameters
  • Return statements and error handling
  • The complete context needed to produce a safe fix

2. Variable Definition Tracing

The extension scans backwards within the function scope to find where each variable referenced on the vulnerable line was defined. This includes:

  • const, let, var declarations
  • Function parameters
  • Destructured assignments

The AI receives these definitions so it understands the data types and sources involved.

3. Security-Expert Prompt

When function scope is available, the AI receives a specialized instruction:

"You are a security expert. Fix the [ISSUE_CODE] issue on line [N] within the function scope shown above without breaking the surrounding logic."

This produces fixes that are:

  • Context-aware -- respects the surrounding function logic
  • Minimal -- only changes what's needed to resolve the vulnerability
  • Safe -- avoids breaking existing behavior

Fallback Behavior

If no DocumentSymbolProvider is available (e.g., for plain text files or unsupported languages), the extension falls back to sending the standard 20-line surrounding context (10 lines above + 10 lines below the issue).
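The three steps and the fallback, reconstructed as an added TypeScript illustration. This is not the extension's source: DocSymbol mirrors only the DocumentSymbol fields the sketch needs, nothing is imported from the vscode module so it runs offline, and the sample file, its symbol tree and the EXAMPLE_SQLI issue code are constructed inputs (assumptions).

```typescript
// Added illustration of this page's three context-building steps and the fallback.
// Not the extension's code: DocSymbol mirrors only the DocumentSymbol fields used here,
// and the sample file, symbol tree and issue code below are constructed (assumptions).
interface LineRange { startLine: number; endLine: number } // 0-based, inclusive
interface DocSymbol { name: string; kind: string; range: LineRange; children: DocSymbol[] }
interface FixContext { mode: "function" | "window"; code: string; definitions: string[]; prompt: string }

const SCOPE_KINDS = new Set(["function", "method", "constructor"]);
const span = (s: DocSymbol): number => s.range.endLine - s.range.startLine;

// Step 1: smallest function/method/constructor whose range contains `line`.
function findEnclosingScope(symbols: DocSymbol[], line: number): DocSymbol | undefined {
  let best: DocSymbol | undefined;
  const visit = (s: DocSymbol): void => {
    if (line < s.range.startLine || line > s.range.endLine) return;
    if (SCOPE_KINDS.has(s.kind) && (best === undefined || span(s) < span(best))) best = s;
    s.children.forEach(visit);
  };
  symbols.forEach(visit);
  return best;
}

// Identifiers referenced on one line; string literals are blanked first so their
// contents are not mistaken for variables.
const KEYWORDS = new Set(["const", "let", "var", "return", "if", "else", "new", "function", "await",
  "async", "typeof", "true", "false", "null", "undefined", "this"]);
function referencedIdentifiers(line: string): string[] {
  const noStrings = line.replace(/(["'`])(?:\\.|(?!\1).)*\1/g, '""');
  const ids = (noStrings.match(/[A-Za-z_$][\w$]*/g) || []).filter((id) => !KEYWORDS.has(id));
  return Array.from(new Set(ids));
}

// Does `text` declare `name`? Covers const/let/var, object/array destructuring and, on the
// signature line only, the parameter list (single-line signatures assumed).
function definesName(text: string, name: string, isSignature: boolean): boolean {
  const n = name.replace(/\$/g, "\\$");
  if (new RegExp(`\\b(?:const|let|var)\\s+(?:${n}\\b|[{\\[][^=]*\\b${n}\\b[^=]*[}\\]])`).test(text)) return true;
  const params = isSignature ? text.match(/\(([^)]*)\)/) : null;
  return params !== null && new RegExp(`\\b${n}\\b`).test(params[1] || "");
}

// Step 2: scan backwards from the vulnerable line to the top of the function only.
function traceDefinitions(fnLines: string[], targetIdx: number): Map<string, string> {
  const wanted = new Set(referencedIdentifiers(fnLines[targetIdx]));
  const found = new Map<string, string>();
  for (let i = targetIdx - 1; i >= 0 && wanted.size > 0; i--) {
    for (const name of Array.from(wanted)) {
      if (definesName(fnLines[i], name, i === 0)) { found.set(name, fnLines[i].trim()); wanted.delete(name); }
    }
  }
  return found;
}

// Step 3 plus fallback: assemble what would be sent to the provider. `line` is 0-based
// internally (as in VS Code) and rendered 1-based in the prompt.
function buildFixContext(fileLines: string[], line: number, issueCode: string, symbols?: DocSymbol[]): FixContext {
  const scope = symbols ? findEnclosingScope(symbols, line) : undefined;
  if (scope) {
    const fnLines = fileLines.slice(scope.range.startLine, scope.range.endLine + 1);
    const defs = traceDefinitions(fnLines, line - scope.range.startLine);
    return { mode: "function", code: fnLines.join("\n"), definitions: Array.from(defs.values()),
      prompt: `You are a security expert. Fix the ${issueCode} issue on line ${line + 1} ` +
        `within the function scope shown above without breaking the surrounding logic.` };
  }
  // No DocumentSymbolProvider: 10 lines above and 10 below. Clamping to the file and the
  // shorter prompt are assumptions; the page does not specify them.
  const start = Math.max(0, line - 10), end = Math.min(fileLines.length - 1, line + 10);
  return { mode: "window", code: fileLines.slice(start, end + 1).join("\n"), definitions: [],
    prompt: `You are a security expert. Fix the ${issueCode} issue on line ${line + 1}.` };
}

// Constructed sample: string-concatenated SQL on line index 7 (display line 8).
const SAMPLE_FILE = [
  "const express = require('express');",
  "const db = require('./db');",
  "",
  "class UserController {",
  "  async getUser(req, res) {",
  "    const { id } = req.params;",
  "    const table = 'users';",
  "    const rows = await db.query('SELECT * FROM ' + table + ' WHERE id = ' + id + ' AND role = ' + req.query.role);",
  "    res.json(rows);",
  "  }",
  "}",
];
const SAMPLE_SYMBOLS: DocSymbol[] = [{ name: "UserController", kind: "class", range: { startLine: 3, endLine: 10 },
  children: [{ name: "getUser", kind: "method", range: { startLine: 4, endLine: 9 }, children: [] }] }];

// EXAMPLE_SQLI is a hypothetical issue code, not one of the extension's rule IDs.
const demo = buildFixContext(SAMPLE_FILE, 7, "EXAMPLE_SQLI", SAMPLE_SYMBOLS);
console.log(demo.mode, demo.definitions, demo.prompt);
```

Running it reports mode "function", three traced definitions (a plain const, a destructured const and a parameter from the signature) and the quoted prompt with the 1-based line number. Note what is deliberately missing: `db` is defined by a top-level `require` outside the method, so the backward scan stops at the function boundary and never reports it. That is the scope limit the steps above describe, and it is why a fix for code depending on module-level state may still need you to check the surrounding file by hand. With `symbols` omitted the same call returns the 21-line window (here clamped to 11 lines by the start of the file).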


Supported AI Providers

Provider           Default model               Setup
Anthropic Claude   claude-sonnet-4-20250514    Get API key
OpenAI GPT-4       gpt-4o                      Get API key
Google Gemini      gemini-2.0-flash            Get API key

You can override the default model for any provider using the caspianSecurity.aiModel setting.


Setting Up an AI Provider

  1. Open the Command Palette (Ctrl+Shift+P)
  2. Run "Caspian Security: Configure AI Fix Provider"
  3. Select your provider
  4. Enter your API key

API keys are stored in the OS keychain via VS Code's SecretStorage API. They never appear in settings files.


Usage

From the Results Panel

  1. Run a scan
  2. Open the Results Panel
  3. Click AI Fix on any issue
  4. The fix is generated and applied to your code
  5. Review the changes and verify

From Diagnostics

  1. Hover over a diagnostic squiggle
  2. Click Quick Fix (or Ctrl+.)
  3. Select "Fix with AI"

Tips

  • Review every AI fix before committing. AI fixes can be wrong or incomplete, and a change that makes the rule stop matching is not necessarily one that removes the vulnerability.
  • Use Verify after applying a fix to confirm the issue is resolved.
  • Fixes work best on code-detectable rules (pattern-matched issues) rather than informational rules.
  • If a fix doesn't look right, undo with Ctrl+Z and try again -- AI responses vary between calls.
  • Everything in the context described above (the enclosing function and the traced definitions, or the 20-line window in the fallback case) is sent to the provider you configured. Keep that in mind before requesting a fix in files that contain secrets, credentials, or code you are not permitted to share with a third party.

Next Steps
