General Introduction
Corgea is an AI-based code security platform that helps developers and security teams discover, analyze, and automatically fix vulnerabilities in code. It scans code for potential issues, integrates with existing static application security testing (SAST) tools such as Snyk and Semgrep, and uses AI to generate high-quality fixes for developers to review. Corgea supports multiple programming languages, including Java, Python, Go, and more, and covers complex issues such as business logic errors and authentication vulnerabilities. It reduces false positives by about 30%, significantly cuts remediation cost and time, and saves an average of 80% of development effort. The platform is easy to operate and can be integrated quickly via a GitHub app, making it suitable for teams that want efficient, secure development.
Function List
- Vulnerability scanning: Detect business logic errors, authentication vulnerabilities, API security issues, and hard-coded keys in your code.
- AI auto-fix: Generate high-quality fixes for discovered vulnerabilities and open pull requests for developers to review.
- False positive filtering: Reduce false positives by approximately 30% through AI analysis to improve security team efficiency.
- Multi-language support: Java, JavaScript, TypeScript, Go, Ruby, Python, C#, C, C++, PHP and other languages and their frameworks.
- Integration with SAST tools: Enhance existing workflows by connecting to tools such as Snyk and Semgrep.
- SLA tracking: Track vulnerability remediation progress and send notifications to ensure security issues are resolved on time.
- Policy enforcement (Blocking Rules): Block non-compliant code from going live to secure your application.
Using Help
Installation and Integration
Corgea offers a GitHub app that is easy to install and can be done in less than 30 seconds. Here are the detailed steps:
- Visit the official website: Open https://corgea.com/ and click "Sign up today for free" to register an account.
- Install the GitHub app:
  - Log in to GitHub and go to https://github.com/apps/corgea
  - Click the "Install" button and select the organization or repository you want to authorize.
  - Confirm the permissions; Corgea will be granted permission to read code and create pull requests.
- Configure repositories:
  - In the Corgea dashboard, select the GitHub repositories to scan.
  - Set the scanning frequency (e.g., per commit or daily).
- Connect a SAST tool (optional):
  - On the Corgea settings page, add the API key for Snyk or Semgrep.
  - Corgea will automatically import the scan results from these tools and generate fix recommendations.
Once installed, Corgea automatically scans the code and creates a fix pull request in the GitHub repository.
Main function operation flow
1. Vulnerability scanning
Corgea's BLAST (Business Logic and Security Testing) technology combines AI and static analysis to scan code for complex vulnerabilities. Users do not need to configure rules manually; Corgea adapts dynamically to the code environment. Procedure:
- Start scanning: Select the target repository in the Corgea dashboard and click "Scan Now".
- View Results: Once the scan is complete, the dashboard displays a list of vulnerabilities, including the type of vulnerability (e.g., SQL injection, path traversal), location, and severity.
- Export report: Export scan results to PDF or CSV for easy team sharing.
2. Automatic AI fixes
Corgea's core feature is generating fix code and integrating it into the development process. Procedure:
- View fix suggestions: In the dashboard, open a vulnerability's details to see the code fix recommendations generated by the AI.
- Create a pull request:
  - Click "Generate Pull Request" and Corgea automatically creates a pull request in your GitHub repository.
  - The pull request contains the fix code, a description of the vulnerability, and a description of the change.
- Developer review: The developer reviews the code in GitHub and merges the fix after confirming it.
- Verify the fix: Corgea rescans the code to ensure the vulnerability has been resolved.
3. False positive filtering
Corgea uses AI to analyze scan results, automatically flagging and filtering false positives. How it works:
- Check for false positives: In the vulnerability list, entries labeled "False Positive" have been filtered out by the AI.
- Manual adjustment: Users can manually flag false positives or confirm valid vulnerabilities; Corgea learns from this feedback to improve subsequent scans.
- Statistics: The dashboard provides false positive rate statistics to help teams evaluate scanning effectiveness.
4. SLA tracking and policy enforcement
Corgea provides vulnerability management tools to ensure that remediation efforts are on track:
- Set the SLA: In the dashboard, set a remediation deadline per vulnerability type (e.g., 7 days for a high-risk vulnerability).
- Receive notifications: Corgea sends reminders via email or Slack when fixes are coming due.
- Configure Blocking Rules:
  - Enable Blocking Rules on the Settings page to specify the vulnerability types that must not go live (e.g., hard-coded keys).
  - Corgea blocks code merges that contain these vulnerabilities to ensure compliance.
5. Multi-language support and integration
Corgea supports multiple programming languages and can be used without changing the code structure. To integrate with existing SAST tools:
- Import scan results: Upload JSON reports from Snyk or Semgrep to Corgea.
- Unified management: Corgea aggregates vulnerability reports from all tools into a single view.
- Automated fixes: For imported vulnerabilities, Corgea also generates fix code and creates pull requests.
Featured Functions
- Business Logic Vulnerability Detection: Corgea's AI understands code context and recognizes errors in business logic that are difficult for traditional tools to detect. For example, it can detect logic gaps in the payment process to prevent potential financial losses.
- Hard-coded key scanning: Corgea scans the code for sensitive information (e.g. API keys, passwords) and suggests migrating it to environment variables.
- Real-time feedback: Every time you commit code, Corgea automatically scans and provides real-time feedback in GitHub, shortening the fix cycle.
Caveats
- Permission management: Ensure the GitHub app is granted sufficient permissions on the repository; otherwise it may be unable to create pull requests.
- Network requirements: Corgea requires a stable network connection to synchronize scan results in real time.
- Free plan limitations: The free plan supports 2 repositories and 10 pull request scans per month, which is suitable for small teams to try it out.
With these steps, users can quickly get started with Corgea and automate code security management.
Application scenarios
- Rapid development at startups: Small development teams with limited resources cannot dedicate much time to fixing security vulnerabilities. Corgea automates scanning and fixing, reducing the security workload and letting teams focus on feature development. For example, a fintech startup used Corgea to scan a payment module, quickly fixed an authentication vulnerability, and ensured compliance before the product went live.
- Enterprise code compliance: Large organizations must comply with regulations such as GDPR and HIPAA, and Corgea's Blocking Rules and SLA tracking help security teams enforce compliance standards. For example, a medical technology company uses Corgea to detect hard-coded keys and keep patient data secure.
- Open source project maintenance: Open source projects often have overlooked security vulnerabilities, and Corgea's GitHub integration makes it easy for maintainers to scan and fix code. For example, an open source web framework project used Corgea to fix a SQL injection vulnerability, increasing community trust.
Q&A
- What programming languages does Corgea support?
  Corgea supports Java, JavaScript, TypeScript, Go, Ruby, Python, C#, C, C++, PHP and their frameworks, covering most mainstream development scenarios.
- How is the security of the fix code ensured?
  Corgea's AI models are trained on a large amount of code and security patches, and the generated fixes are validated in multiple rounds. Developers are still required to review and test pull requests to ensure the code meets project requirements.
- What is the difference between the free and paid plans?
  The free plan supports 2 repositories and 10 pull request scans per month, for individuals or small teams. Paid plans (such as the Growth plan) offer unlimited repositories and scans for larger teams.
- Will Corgea interfere with existing workflows?
  Corgea integrates through GitHub, so there is no need to change the development process. Security teams can create pull requests with a single click, and developers review code in the familiar GitHub environment.