Remediation Overview

Cloudgeni provides AI-powered remediation to help you fix security findings quickly and accurately. From analyzing issues to generating code fixes and creating pull requests, the remediation workflow streamlines your security response.

What You'll Get

  • AI-powered fix generation for IaC security issues
  • One-click PR creation with validated code changes
  • Cloud validation to verify fixes before deploying
  • Bulk remediation for addressing multiple findings

How Remediation Works

The Remediation Workflow

┌──────────────┐    ┌──────────────┐    ┌──────────────┐    ┌──────────────┐
│   Finding    │ →  │  AI Analysis │ →  │  Generate    │ →  │  Create PR   │
│   Detected   │    │  & Planning  │    │  Code Fix    │    │  & Validate  │
└──────────────┘    └──────────────┘    └──────────────┘    └──────────────┘
  1. Finding Detected - Security scan identifies a misconfiguration
  2. AI Analysis - Cloudgeni analyzes the finding and plans a fix
  3. Generate Code - AI generates IaC code to resolve the issue
  4. Create PR - Code is submitted as a pull request for review

Finding Analysis

When you select a finding for remediation, Cloudgeni:

Analyzes the Issue

  • Reviews the specific misconfiguration
  • Identifies affected resources
  • Determines the compliance requirement
  • Checks related configurations

Plans the Fix

  • Evaluates remediation options
  • Considers impact on other resources
  • Ensures fix meets policy requirements
  • Plans minimal-change approach

Code Generation

Supported Formats

Format            Support Level
Terraform (HCL)   Full
Bicep             Full
Terragrunt        Partial
CloudFormation    Coming soon

Generated Code Examples

Terraform - Enable S3 Encryption:
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.data_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

Bicep - Enable Storage Account HTTPS:
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageAccountName
  location: location
  properties: {
    supportsHttpsTrafficOnly: true  // Added by remediation
    minimumTlsVersion: 'TLS1_2'     // Added by remediation
  }
}

Code Quality

Generated code follows best practices:
  • Maintains existing code style
  • Uses existing variable references
  • Follows resource naming conventions
  • Includes necessary dependencies

Cloud Validation

What is Cloud Validation?

Before creating a PR, Cloudgeni can validate the fix against your actual cloud environment:
  1. Syntax Check - Validates IaC syntax
  2. Plan Generation - Runs terraform plan or equivalent
  3. Impact Analysis - Shows what will change
  4. Policy Check - Verifies fix passes security policies

Validation Results

Status     Meaning
Passed     Fix is valid and ready to apply
Warning    Fix works but has advisories
Failed     Fix has errors that need review
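As an added illustration of the kind of policy check the validation step runs (example code written for this page, not Cloudgeni's own implementation), the following Python function evaluates the page's CKV_AWS_19 case: an aws_s3_bucket with no server-side encryption configuration attached fails, and the same bucket passes once the generated block from the Terraform example references it. The two HCL samples are constructed; the brace matcher is a simplification that assumes well-formed input.

```python
"""Minimal CKV_AWS_19-style policy check over Terraform HCL text."""
import re
from typing import Dict, List

# Constructed sample: the bucket as the finding reported it (no encryption).
BEFORE_FIX = '''
resource "aws_s3_bucket" "data_bucket" {
  bucket = "data-bucket"
}
'''

# Constructed sample: the same bucket plus the remediation block from the page.
AFTER_FIX = BEFORE_FIX + '''
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.data_bucket.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ALLOWED_ALGOS = {"AES256", "aws:kms", "aws:kms:dsse"}


def _block_body(text: str, start: int) -> str:
    """Return the brace-delimited block whose opening '{' is at `start`."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced braces in HCL input")


def check_s3_encryption(hcl: str) -> Dict[str, str]:
    """Map each aws_s3_bucket name to 'Passed' or 'Failed' for CKV_AWS_19."""
    buckets: List[str] = []
    encrypted = set()
    for m in RESOURCE_RE.finditer(hcl):
        rtype, name = m.group(1), m.group(2)
        body = _block_body(hcl, m.end() - 1)
        if rtype == "aws_s3_bucket":
            buckets.append(name)
        elif rtype == "aws_s3_bucket_server_side_encryption_configuration":
            # The config counts only if it targets a bucket by reference
            # and sets an accepted default algorithm.
            ref = re.search(r'bucket\s*=\s*aws_s3_bucket\.(\w+)\.id', body)
            algo = re.search(r'sse_algorithm\s*=\s*"([^"]+)"', body)
            if ref and algo and algo.group(1) in ALLOWED_ALGOS:
                encrypted.add(ref.group(1))
    return {b: ("Passed" if b in encrypted else "Failed") for b in buckets}
```

Running the check on BEFORE_FIX yields Failed for data_bucket and on AFTER_FIX yields Passed, mirroring the statuses in the table above.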

External Validation

For advanced validation, configure external validation webhooks:
  • CI/CD pipeline validation
  • Custom policy checks
  • Integration testing
  • Manual approval workflows
See External Validation Webhooks for setup.

Pull Request Creation

Automatic PR Generation

When remediation completes:
  1. Cloudgeni creates a new branch
  2. Commits the generated code
  3. Opens a pull request
  4. Adds description with finding details

PR Contents

Section        Description
Title          Clear description of the fix
Summary        What finding is being resolved
Changes        Files and lines modified
Finding Link   Reference to original finding
Validation     Results of code validation

Example PR

## Fix: Enable S3 Bucket Encryption

### Finding

S3 bucket `data-bucket` does not have encryption enabled.

**Severity:** High
**Check ID:** CKV_AWS_19

### Changes

- Added server-side encryption configuration
- Configured AES256 encryption algorithm

### Validation

✅ Terraform syntax valid
✅ Plan shows expected changes
✅ Security policies pass

Remediation Options

Single Finding

  1. Navigate to the finding
  2. Click Remediate
  3. Review generated fix
  4. Approve and create PR

Bulk Remediation

Fix multiple related findings at once:
  1. Filter findings by type or policy
  2. Select multiple findings
  3. Click Bulk Remediate
  4. Review consolidated fix
  5. Create single PR

AI DevOps Agent

For complex fixes or custom requirements:
  1. Open AI DevOps session
  2. Describe what you want to fix
  3. Agent generates comprehensive solution
  4. Review and approve changes
  5. Create PR
See AI DevOps for more details.

Impact Analysis

Before Applying Fixes

Cloudgeni shows potential impact:
  • Resources that will be modified
  • Services that may be affected
  • Estimated deployment time
  • Rollback considerations

Risk Assessment

Risk Level   Description                    Recommendation
Low          No service impact              Safe to apply
Medium       Brief interruption possible    Plan maintenance window
High         Service may restart            Schedule carefully

Best Practices

Review Generated Code

Always review before merging:
  • Verify the fix is appropriate
  • Check for unintended changes
  • Ensure variables are correct
  • Test in non-production first

Test Before Production

  1. Apply fix to development environment
  2. Verify resources work correctly
  3. Run integration tests
  4. Then merge to production

Track Remediation

  • Mark findings as “In Progress” when working on them
  • Update status when PR is merged
  • Verify fix with new scan
  • Document any manual steps needed

Troubleshooting

Code generation failed:
  • Finding type may not support auto-remediation
  • Use AI DevOps agent for complex cases
  • Check resource exists in repository
PR creation failed:
  • Verify repository write access
  • Check branch doesn’t already exist
  • Review branch protection rules
Validation errors:
  • Review error message details
  • Check for missing dependencies
  • Verify cloud credentials are valid