Non-AI Remediation
Not all security findings require AI-assisted remediation. For certain vulnerability types, BoostSecurity provides deterministic, well-established remediation guidance without relying on AI-generated suggestions.
This ensures remediation remains consistent, predictable, and easy to validate, especially for findings with industry-standard fixes.
When Non-AI Remediation Is Used
Non-AI remediation applies in the following scenarios:
- SCA (Software Composition Analysis) findings: dependency vulnerabilities typically have known remediation paths, such as upgrading to a fixed version or replacing the vulnerable package.
- AI remediation is disabled at the policy level
- No supported AI provider is configured
- Findings fall outside supported AI remediation categories
In these cases, BoostSecurity surfaces remediation guidance using predefined rules, vendor advisories, and vulnerability metadata.
What Non-AI Remediation Looks Like
Instead of AI-generated comments, developers receive clear remediation instructions based on trusted sources such as CVE records, package maintainers, and security advisories.
Example: SCA Dependency Upgrade Guidance
Screenshot of a BoostSecurity finding showing:
- Vulnerable dependency name
- Current version
- Recommended fixed version
- Link to advisory or changelog
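As an added illustration of how deterministic upgrade guidance like this can be derived from vulnerability metadata (example code, not BoostSecurity's own), the following Python picks the recommended fixed version for an installed dependency from an OSV-style advisory record; the advisory id, URL, package name and version ranges are constructed placeholders.

```python
"""Deterministic SCA remediation guidance derived from advisory metadata.

Added example, not BoostSecurity code. Assumes an OSV-style advisory with
"introduced"/"fixed" events per affected range and simple dotted numeric
versions; the advisory below is constructed sample data, not a real record.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '4.17.20' into (4, 17, 20) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Remediation:
    package: str
    current: str
    fixed: Optional[str]  # None when the advisory lists no fixed release yet
    advisory: str         # link to the advisory or changelog


# Constructed sample advisory (placeholder id/URL, not a real CVE record).
SAMPLE_ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",
    "url": "https://advisories.example/EXAMPLE-ADVISORY-0001",
    "package": "example-lib",
    "ranges": [
        {"introduced": "1.0.0", "fixed": "1.4.2"},
        {"introduced": "2.0.0", "fixed": "2.1.0"},
    ],
}


def is_affected(current: str, rng: dict) -> bool:
    """True when current lies in [introduced, fixed); no 'fixed' means open-ended."""
    cur = parse_version(current)
    hi = rng.get("fixed")
    return cur >= parse_version(rng["introduced"]) and (hi is None or cur < parse_version(hi))


def recommend(package: str, current: str, advisory: dict) -> Optional[Remediation]:
    """Return upgrade guidance if the installed version is affected, else None.

    The smallest fixed version above the current one is chosen so the upgrade
    stays on the nearest release line rather than jumping a major version.
    """
    if advisory["package"] != package or not any(is_affected(current, r) for r in advisory["ranges"]):
        return None
    candidates = [r["fixed"] for r in advisory["ranges"]
                  if r.get("fixed") and parse_version(r["fixed"]) > parse_version(current)]
    fixed = min(candidates, key=parse_version) if candidates else None
    return Remediation(package, current, fixed, advisory["url"])
```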
Why AI Is Not Used for SCA Findings
SCA remediation is intentionally excluded from AI-generated comments because:
- Remediation steps are well-understood and deterministic
- Fixes usually involve version upgrades or dependency replacement
- AI-generated suggestions could introduce unnecessary variability or ambiguity
By relying on standardized remediation guidance, BoostSecurity ensures:
- Consistent fixes across teams
- Easier validation during reviews
- Reduced risk of incorrect dependency changes
Combining AI and Non-AI Remediation
BoostSecurity supports a hybrid remediation approach:
- AI remediation for:
  - SAST
  - IaC
  - Secrets
- Non-AI remediation for:
  - SCA
  - Findings with known, repeatable fixes
This allows teams to benefit from AI where context and code understanding matter most, while maintaining reliability for dependency-based vulnerabilities.
