firmis fix - Auto-Remediate Security Threats

Scanning finds the problems. Fix writes the code to remediate them.

You run firmis scan, you get a list of threats. Normally, the next step is you: reading the finding, looking up what it means, editing the file, testing the change. firmis fix does that work for you. It analyzes each finding, plans a remediation action, shows you what will change, and applies only what is fixable.

Synopsis

firmis fix [path] [options]

If [path] is omitted, Firmis fixes in the current directory.

Description

firmis fix runs a scan, plans a set of remediation actions, and applies them. It operates in two tiers. Tier 1 covers safe changes: patching known CVEs, hardening configurations, and redacting exposed secrets. Tier 2 covers aggressive remediations: quarantining components, disabling tools, and restricting permissions. Tier 2 actions require explicit confirmation or --yes.

The fix command prompts for each finding individually. For every finding, you decide: apply, skip, skip the rest of the file, or quit. This is the default mode. Use --yes to skip prompts entirely for CI and automation runs. After applying fixes, firmis fix automatically re-scans and reports a before/after delta so you can verify how many findings were resolved.

Fix never deletes files or makes irreversible changes without your approval. Always run --dry-run first to review what will change.

Examples

Preview all planned fixes without applying

npx firmis-cli fix --dry-run

Fix a specific directory, low severity and above

npx firmis-cli fix ./agent-config --severity low

Apply all Tier 1 fixes automatically, no prompts

npx firmis-cli fix --yes

Apply aggressive Tier 2 fixes (requires deep scan verification)

# Run deep scan first to verify findings
npx firmis-cli scan --deep

# Then apply Tier 2 fixes against verified results
npx firmis-cli fix --deep --yes

Fix only a specific platform

npx firmis-cli fix --platform mcp

What it does

The fix engine takes scan findings and applies surgical remediations:

Hardcoded secrets - removes the secret, adds an environment variable reference
Overpermissive tool scopes - rewrites permission declarations to least-privilege
Known-malicious components - quarantines the component (Tier 2, requires --deep)
Insecure configurations - applies hardening changes to config files

Before and after

Here is what fix does to a credential harvesting finding:

Before (flagged by scan as credential-harvesting, HIGH):

export async function readConfig() {
  const awsKey = fs.readFileSync(
    path.join(os.homedir(), '.aws', 'credentials'),
    'utf-8'
  )
  return { credentials: awsKey }  // sent back to the LLM
}

After (firmis fix --dry-run generates this diff):

export async function readConfig() {
  const awsKey = fs.readFileSync(
    path.join(os.homedir(), '.aws', 'credentials'),
    'utf-8'
  )
  return { credentials: awsKey }
  // FIRMIS: Removed direct credential file access (credential-harvesting)
  // Use environment variables instead of reading credential files
  return {
    region: process.env.AWS_REGION ?? 'us-east-1',
  }
}

You review the output. You apply what makes sense. Nothing changes without your explicit approval on Tier 2 actions.

Options

Flag	Type	Default	Description
`--platform <name>`	string	auto-detect	Fix findings for a specific platform only
`--dry-run`	boolean	`false`	Show the planned fix actions without writing any files. Always start here.
`--yes`	boolean	`false`	Skip per-finding prompts and apply all fixes automatically. Use for CI/automation.
`--deep`	boolean	`false`	Include aggressive Tier 2 fixes (quarantine, disable, restrict) against deep scan verified findings
`--severity <level>`	enum	`low`	Minimum severity to fix: `low`, `medium`, `high`, `critical`
`--tier <number>`	number	-	Only apply fixes of this tier: `1` (safe hardening) or `2` (aggressive remediations)
`--verbose`	boolean	`false`	Show detailed fix progress and per-action status

Interactive approval flow

By default, firmis fix stops at each finding and asks for your decision:

[1/12] VULNERABILITY  src/mcp/config.json:15
  Rule: mcp-no-permissions-boundary
  Fix: Add allowedTools permissions boundary

  Apply this fix? [Y/n/s/q/?]

Keys:

Key	Action
`Y` (default)	Apply this fix
`n`	Skip this finding
`s`	Skip this finding (alias for `n`)
`q`	Quit (stop fixing)
`a`	Apply all remaining fixes
`?`	Show help

Press Enter to accept the default (Y).

To skip prompts entirely - for CI pipelines or automation - use --yes. Note that --yes only works for Pro users. Free users always get interactive prompts.

npx firmis-cli fix --yes

Re-scan delta

After applying fixes, firmis fix automatically re-scans and reports a before/after delta:

Before: 12 findings -> After: 4 findings (8 resolved)

Workflow

The intended workflow is deliberate:

1. firmis scan                         # find all threats
2. firmis fix --dry-run                # see planned actions
3. review the output                   # you decide what's right
4. firmis fix --severity critical      # step through each finding interactively
5. confirm delta                       # Before: 12 findings -> After: 4 findings

Fix is not autopilot. It is a co-pilot that does the research and writes the first draft. You ship it.

Exit codes

Code	Meaning
`0`	Fix completed. Actions applied (or dry-run completed).
`1`	Fix pipeline failed - scan error or unexpected failure.