
The OpenHands Vulnerability Fixer: Automated Security Remediation with AI Agents

Written by Graham Neubig

Published on March 3, 2026

Security vulnerabilities are a constant challenge for software teams. Every week brings new CVEs, Dependabot alerts pile up, and the backlog of security fixes grows faster than teams can address them. We've written before about how AI agents can help tackle this challenge at scale.

Today, we're releasing Vulnerability Fixer, an open-source application that automates the process of finding and fixing security vulnerabilities in your repositories. But this release serves two purposes: it's both a useful tool and a reference implementation for building your own AI-powered applications using the OpenHands Cloud API.

Try It Now

Want to see it in action? The demo is live at openhands-vulnerability-fixer.vercel.app. Enter a GitHub repository URL, configure your API keys, and watch as the AI agent scans for vulnerabilities and generates fixes.

What Vulnerability Fixer Does

Vulnerability Fixer uses AI agents to automate the entire vulnerability remediation workflow:

  1. Scan - Run Trivy security scans on any GitHub repository, or upload reports from other scanners like Snyk, Veracode, or Checkmarx
  2. Analyze - The AI automatically identifies and prioritizes security vulnerabilities, detecting formats and converting them to a common schema
  3. Fix - AI agents generate code fixes for selected vulnerabilities, testing them to ensure they work
  4. Ship - Pull requests are automatically created on GitHub with the fix implementations

The application provides a web interface where you can monitor agent progress in real-time, view logs, and track the status of each remediation. You can fix multiple vulnerabilities simultaneously, with each agent working independently on its assigned task.
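Step 2 above converts scanner output into a common schema before anything is prioritized or handed to an agent. The following is an added example (not code from the vulnerability-fixer project) that does this for Trivy's JSON report format, which carries a top-level "Results" array of targets, each with a "Vulnerabilities" list; the common schema, the ranking rule, and the sample report with placeholder CVE ids are all constructed here for illustration.

```typescript
// Added example (not from the vulnerability-fixer project): normalize Trivy JSON output
// into a common finding schema and prioritize fixable, high-severity findings.
type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "UNKNOWN";

interface Finding {
  id: string;          // scanner's vulnerability identifier (CVE or advisory id)
  pkg: string;
  installed: string;
  fixed?: string;      // undefined when the scanner reports no fixed version
  severity: Severity;
  target: string;      // file or image layer the finding was found in
  source: "trivy";
}

const SEVERITY_RANK: Record<Severity, number> = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, UNKNOWN: 0 };

// Trivy's JSON report carries a top-level "Results" array; anything else is unrecognized here.
function detectFormat(report: unknown): "trivy" | "unknown" {
  const r = report as { Results?: unknown } | null;
  return r && Array.isArray(r.Results) ? "trivy" : "unknown";
}

function normalizeTrivy(report: any): Finding[] {
  const out: Finding[] = [];
  for (const res of report.Results ?? []) {
    for (const v of res.Vulnerabilities ?? []) {
      const sev = String(v.Severity ?? "UNKNOWN").toUpperCase();
      out.push({
        id: v.VulnerabilityID, pkg: v.PkgName, installed: v.InstalledVersion,
        fixed: v.FixedVersion || undefined,       // Trivy omits or empties FixedVersion when no fix exists
        severity: (sev in SEVERITY_RANK ? sev : "UNKNOWN") as Severity,
        target: res.Target, source: "trivy",
      });
    }
  }
  return out;
}

// Fixable findings first (an agent can only ship a version bump when a fix exists), then by severity.
function prioritize(findings: Finding[]): Finding[] {
  return [...findings].sort((a, b) =>
    Number(Boolean(b.fixed)) - Number(Boolean(a.fixed)) ||
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Constructed sample in Trivy's JSON shape; the CVE ids are placeholders, not real advisories.
const SAMPLE_REPORT = { Results: [{ Target: "package-lock.json", Vulnerabilities: [
  { VulnerabilityID: "CVE-0000-0001", PkgName: "pkg-a", InstalledVersion: "1.0.0", FixedVersion: "1.0.1", Severity: "MEDIUM" },
  { VulnerabilityID: "CVE-0000-0002", PkgName: "pkg-b", InstalledVersion: "2.3.0", FixedVersion: "", Severity: "CRITICAL" },
  { VulnerabilityID: "CVE-0000-0003", PkgName: "pkg-c", InstalledVersion: "0.9.1", FixedVersion: "0.9.2", Severity: "HIGH" } ] }] };
```

Running `prioritize(normalizeTrivy(SAMPLE_REPORT))` on the constructed report puts the two fixable findings ahead of the critical one that has no fixed version, which is the ordering an agent queue wants: it should not spend a run on a finding it cannot resolve with a dependency bump.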

Figure: Vulnerability Fixer Dashboard

How It Works

The architecture is straightforward. The browser (React UI) communicates with OpenHands Cloud (or a local deployment), which interacts with the GitHub API. The agent also uses Trivy Scanner for vulnerability detection and LLM APIs for generating fixes.

When you enter a repository URL or upload a vulnerability report, the OpenHands agent takes over. It scans the repository using Trivy, parses the results, and presents them in a sortable table. When you select vulnerabilities to fix, individual agents analyze each issue, determine the appropriate fix, implement it, and create a pull request—all without manual intervention.

The application supports both OpenHands Cloud and local agent deployments. For local development, you can run the OpenHands agent server in Docker and point the application at your local instance.

Building Your Own Applications with OpenHands

What makes Vulnerability Fixer particularly interesting isn't just what it does—it's how it's built. The project demonstrates several key patterns for building applications on top of OpenHands Cloud:

Conversation Management - The application creates and manages multiple agent conversations simultaneously, each handling a different vulnerability fix.

Task Execution - It shows how to send prompts to agents and receive structured results back, including handling long-running operations.

Real-time Updates - The UI streams agent progress and logs as work happens, giving users visibility into what the agent is doing.

Error Handling - Production applications need to handle agent failures gracefully. The code shows patterns for retrying, recovering, and reporting errors.

All of this is implemented using the OpenHands TypeScript SDK, which provides a clean interface for interacting with both cloud and local agent deployments.

Running It Yourself

The easiest way to try Vulnerability Fixer is to use the live demo. If you want to run it locally or customize it for your needs, clone the repository:

    git clone https://github.com/OpenHands/vulnerability-fixer.git
    cd vulnerability-fixer
    npm install
    npm run dev

Then open http://localhost:3001 and configure your API keys.

All credentials are stored locally in your browser and never sent to external servers except for the services they authenticate with.

A Reference Implementation

Vulnerability Fixer serves two purposes.

First, it's a practical tool for a real problem. Security vulnerabilities are universal—every organization has a backlog of unfixed CVEs, and the manual process of tracking down, fixing, and testing each one consumes significant engineering time. This tool can help teams make progress on that backlog.

Second, it's a reference implementation for building on the OpenHands Cloud API. The OpenHands Cloud API provides the infrastructure to run AI agents at scale, but seeing a complete, working application makes it easier to understand how to build your own.

Vulnerability Fixer is one example. We've seen teams build custom debugging agents, automated code review bots, data ingestion tools, and more. The patterns in this codebase—conversation management, task execution, real-time updates—apply to any application that wants to leverage AI agents for software tasks.

What's Next

Vulnerability Fixer is a working application, but it's also a starting point. The codebase is MIT licensed, and we encourage teams to fork it and adapt it to their specific needs. Maybe you want to integrate with your existing security tooling, add support for specific vulnerability types, or build a custom workflow for your organization's remediation process.

We're continuing to improve both the application and the underlying SDK. If you build something interesting on top of OpenHands, we'd love to hear about it—join our Slack community and share what you're working on.

Check out the Vulnerability Fixer repository to get started, and see the IMPLEMENTATION.md file for technical details on the architecture and configuration options.
