
Enable AI-Generated PR Comments for Security Remediation


BoostSecurity's AI integration lets you add AI-assisted remediation comments directly to your pull requests (PRs). When you select the "Add a comment to the pull request" option in the policy settings, the platform uses the AI provider you bring yourself (e.g., OpenAI, Gemini, or Anthropic), so code analysis is performed only by services you have already approved and tuned for your use cases. The provider generates actionable code suggestions and comments, helping developers address vulnerabilities efficiently without leaving their workflow.

Note that AI-assisted remediation is supported for SAST, IaC, and Secrets findings but not for SCA: the remediation path for SCA findings is already clear and well understood by BoostSecurity, so an AI overlay would add little value.


Key Benefits


  • Automated PR Comments: Receive AI-generated suggestions and comments tailored to detected vulnerabilities.
  • Contextual Assistance: Comments appear seamlessly in your pull requests across supported SCM platforms like GitHub, GitLab, Azure DevOps (ADO), and Bitbucket.
  • Enhanced Developer Productivity: Enable developers to review and apply remediation advice directly in their PR environment.
  • Customizable Feedback: Leverage the selected AI model to align comments with your team's coding standards and security needs.

Prerequisites


Before enabling AI-generated comments, ensure the following:

  • AI Provider Integration: An AI provider (e.g., OpenAI, Gemini, Anthropic) is configured with a valid API key, as outlined in the Integrating AI Providers for Assisted Remediation guide.
  • Suitable AI Model: The chosen model must support text generation and code analysis (e.g., gpt-4, claude-sonnet, gemini-pro). Models designed for image or audio processing are incompatible and may result in errors.

Configuration Steps


Follow these steps to enable and customize AI-generated comments in your pull requests:

  1. Navigate to the Policy page and select the policy where you want to enable AI comments or create a new policy.

    [Screenshot: Select Policy]

  2. In the policy editor, configure the "Add a comment" action by doing either or both of the following:

    1. Set as Default Action: Locate the "Default action" dropdown and select "Add a comment to the pull request".

      [Screenshot: Enable Add Comment]

    2. Create New Rule: Click the +Action button, define a trigger, and set the response for that trigger to "Add a comment to the pull request".

      [Screenshot: Add action]

  3. Click Save to apply the policy. BoostSecurity will now generate AI-assisted comments for findings detected in PRs.


What AI-Generated Comments Look Like


[Screenshot: GitHub with AI Remediation enabled]

When AI remediation is enabled, comments appear as follows in your pull request:


Example AI Security Finding


[Screenshot: Finding on GitHub]


Example AI Remediation


[Screenshot: AI Remediation]

  • Comments are posted directly in the PR thread, linking to the affected code line.
  • Suggestions include code snippets, explanations, and best practices based on the selected AI model.

Managing AI-Generated PR Comments


  • Change AI Model: Adjust or switch AI models via the Integrations > AI page if comment quality needs improvement.
  • Disable Comments: Unselect the "Add a comment to the pull request" option to stop AI-generated comments while keeping other remediation features active.

Troubleshooting


  • Issue: No comments appear in PRs.
    Possible cause: "Add a comment to the pull request" is disabled, the policy is not configured correctly, or the AI provider is misconfigured.
    Solution: Verify the policy settings and check the AI provider setup in Integrations.

  • Issue: Irrelevant or poor comments.
    Possible cause: The model is unsuitable for code analysis.
    Solution: Switch to a text/code-oriented model (e.g., gpt-4 over gpt-3.5).

  • Issue: Comments missing context.
    Possible cause: Insufficient PR data or model limitations.
    Solution: Ensure the PR includes full context; test with a more advanced model.

  • Issue: No auto-remediation.
    Possible cause: There are no SAST, Secrets, or IaC findings in the PR.
    Solution: None required; auto-remediation only triggers for SAST, Secrets, or IaC vulnerabilities.