Xygeni Bot
The Xygeni Bot brings automation into the remediation workflow for SAST, SCA, and Secrets findings. It enables teams to define how and when remediation runs:
On-demand execution for manual control
On every PR to keep branches clean at merge time
Daily scheduled runs for continuous upkeep
The bot integrates directly into the development process, creating pull requests with fixes. Developers only need to review and approve or reject the changes, which streamlines collaboration and reduces remediation workload.
With this capability, organizations establish a continuous remediation loop—security issues are fixed proactively while developers stay focused on delivering new features and innovations.
Integration
Automatic
Navigate to the Projects view: after integrating your project with the managed scans, go to the Projects view.
Click the three dots menu for the project you have integrated.
Click "View Details".
Select the "AI AutoFix" tab.
Configure the bot and save the configuration.
Manual
XygeniBot can also be configured manually if you prefer to test its behaviour first.
To integrate it manually, place the following xygenibot.yml in the root directory of your repository:
```yaml
deps:
  # Pull request strategy:
  # always: always create the PR.
  # no-duplicate: create the PR only if no PR exists with the same component, version and fix version (open or closed).
  # create-if-close: create the PR if no PR exists with the same component, version and fix version, or the existing one is closed (default value).
  pull-request-strategy: 'create-if-close'
  # Dependency filters to include/exclude dependencies
  filter-includes:
    - group: '*'
      name: '*'
  filter-excludes:
    - group: '*'
      name: '*'
  # Dependencies to bump
  # direct: only direct dependencies
  # indirect: only indirect dependencies
  # in-app-code: only dependencies that will be part of the application, that is, dependencies used only for development or testing are excluded.
  # with-vulnerabilities: only dependencies with known vulnerabilities
  dependency-types:
    - 'direct'
    - 'indirect'
    - 'in-app-code'
    - 'with-vulnerabilities'
  # Version bumping strategies:
  # all: bump to the latest version of the component.
  # minor: bump within the same major version (for example 1.x.x -> highest version below 2.0.0).
  # patch: bump within the same major and minor versions (for example 1.1.x -> highest version below 1.2.0).
  # without-vulnerabilities: bump to the first version without vulnerabilities.
  # compatible: bump to the highest version compatible with the current one (unsupported for private repositories).
  # exclude-pre-release: pre-release versions are excluded when choosing the bump version.
  bumping-version-strategies:
    - 'all'
    - 'minor'
    - 'patch'
    - 'without-vulnerabilities'
    - 'compatible'
    - 'exclude-pre-release'
  # Only use the repositories configured in the 'repositories' section
  only-use-repositories-configured: false
  # Repositories used to find component versions
  repositories:
    - type: 'maven'
      url: 'https://.....'
      directory: '/home/.m2/repository'
      username: ....
      password: '${pass}'
  # Configuration per package manager (maven, npm, pypi, ...)
  package-managers:
    - type: 'maven'
      # Pull request strategy:
      # always: always create the PR.
      # no-duplicate: create the PR only if no PR exists with the same component, version and fix version (open or closed).
      # create-if-close: create the PR if no PR exists with the same component, version and fix version, or the existing one is closed (default value).
      pull-request-strategy: 'create-if-close'
      # Dependency filters to include/exclude dependencies
      filter-includes:
        - group: '*'
          name: '*'
      filter-excludes:
        - group: '*'
          name: '*'
      # Dependencies to bump
      # direct: only direct dependencies
      # indirect: only indirect dependencies
      # in-app-code: only dependencies that will be part of the application, that is, dependencies used only for development or testing are excluded.
      # with-vulnerabilities: only dependencies with known vulnerabilities
      dependency-types:
        - 'direct'
        - 'indirect'
        - 'in-app-code'
        - 'with-vulnerabilities'
      # Version bumping strategies:
      # all: bump to the latest version of the component.
      # minor: bump within the same major version (for example 1.x.x -> highest version below 2.0.0).
      # patch: bump within the same major and minor versions (for example 1.1.x -> highest version below 1.2.0).
      # compatible: bump to the highest version compatible with the current one (unsupported for private repositories).
      # exclude-pre-release: pre-release versions are excluded when choosing the bump version.
      bumping-version-strategies:
        - 'all'
        - 'minor'
        - 'patch'
        - 'compatible'
        - 'exclude-pre-release'
      # Only use the repositories configured in the 'repositories' section
      only-use-repositories-configured: false
      # Repositories used to find component versions
      repositories:
        - type: 'maven'
          url: 'https://.....'
          directory: '/home/.m2/repository'
          username: ....
          password: '${pass}'
sast:
  # Pull request strategy:
  # always: always create the PR.
  # no-duplicate: create the PR only if no PR exists with the same component, version and fix version (open or closed).
  # create-if-close: create the PR if no PR exists with the same component, version and fix version, or the existing one is closed (default value).
  pull-request-strategy: 'create-if-close'
  # Max pull requests created:
  max-pull-request: 0
  # File filters to include/exclude files from vulnerability remediation
  # filter-includes: list of glob patterns selecting files whose vulnerabilities are remediated.
  #
  # A pattern can use ** (to match zero or more directories), * (zero or more characters
  # in a directory or file name), and ? (one character).
  # Examples: **/*.java matches all files with the 'java' extension. **/java/** matches all files under any java directory.
  #
  # If empty, ALL files are matched.
  #
  # A file is analyzed when matched by 'filter-includes' AND NOT matched by 'filter-excludes'.
  filter-includes:
  # filter-excludes: list of glob patterns excluding files from vulnerability remediation.
  # If empty, NO file is excluded.
  filter-excludes:
  # Vulnerabilities to remediate
  # in-app-code: only vulnerabilities in code that will be part of the application, that is, vulnerabilities in development or testing code are excluded.
  tags:
    - 'in-app-code'
  # Languages of the vulnerabilities to remediate
  languages:
    - 'java'
    - 'javascript'
    - 'php'
    - 'python'
  # Severities of the vulnerabilities to remediate
  severities:
    - 'critical'
    - 'high'
    - 'low'
    - 'info'
  # List of ruleIds whose vulnerabilities are remediated.
  # If empty, ALL rules.
  rule-ids-includes:
  # rule-ids-excludes: list of ruleIds whose vulnerabilities are NOT remediated.
  # If empty, NO rule is excluded.
  rule-ids-excludes:
  # Remediation strategies:
  # fix-all-files: one PR to remediate all vulnerabilities.
  # fix-all-by-file: one PR to remediate all vulnerabilities in a file.
  # fix-one-by-file: one PR to remediate all vulnerabilities of the same rule in a file.
  # fix-all-same-rule-files: one PR to remediate all vulnerabilities of the same rule in all files.
  remediation-strategy: 'fix-all-by-file'
  ai-agents:
    # Use the default Xygeni Remediation AI
    xygeni:
    # Or configure these agents to use your own Remediation AI
    anthropic:
      host: ${ANTHROPIC_HOST:-https://api.anthropic.com/v1}
      token: ${ANTHROPIC_TOKEN}
      model: ${ANTHROPIC_MODEL:-claude-sonnet-4-20250514}
    gemini:
      host: ${GEMINI_HOST:-https://generativelanguage.googleapis.com/v1beta}
      token: ${GEMINI_TOKEN}
      model: ${GEMINI_MODEL:-gemini-2.5-flash}
    groq:
      host: ${GROQ_HOST:-https://api.groq.com/openai/v1}
      token: ${GROQ_TOKEN}
      model: ${GROQ_MODEL:-gemma2-9b-it}
    openai:
      host: ${OPENAI_HOST:-https://api.openai.com/v1}
      token: ${OPENAI_TOKEN}
      model: ${OPENAI_MODEL:-gpt-4o}
    openrouter:
      host: ${OPENROUTER_HOST:-https://openrouter.ai/api/v1}
      token: ${OPENROUTER_TOKEN}
      model: ${OPENROUTER_MODEL:-openai/gpt-4o}
  # This property selects the AI agent to use: one of those available under ai-agents.
  # Use global to use the integration configured in your account, if any; otherwise it defaults to xygeni.
  ai-remediation-agent: global
```
After that, you should be able to run xygeni scan -d <dir> --auto-remediate, and XygeniBot will try to remediate every issue that matches the preferences in your configuration settings.
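The SAST filter-includes / filter-excludes comments above define a small glob dialect (** for zero or more directories, * for zero or more characters within one directory or file name, ? for one character) and a selection rule: a file is remediated when it matches the include list AND does not match the exclude list, with an empty include list matching everything and an empty exclude list excluding nothing. The Python below is an added example written for this page, not XygeniBot's own matching code; the glob-to-regex translation is my reading of those comments, and the file paths are constructed, so you can dry-run a filter against your own repository listing before committing it.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample of repository paths to test a filter against (not from the page).
SAMPLE_PATHS = [
    "src/main/java/App.java",
    "src/test/java/AppTest.java",
    "web/static/app.js",
    "scripts/deploy.py",
    "README.md",
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the glob dialect documented in the config comments to a regex.

    '**' matches zero or more directories, '*' matches zero or more characters
    inside a single path segment, and '?' matches exactly one character.
    This reading of the dialect is an assumption based on the comment examples.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            parts.append("(?:.*/)?")  # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")        # trailing '**': anything, including '/'
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")     # stays within one directory or file name
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")      # exactly one character, never a separator
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def select_files(paths: Iterable[str],
                 includes: Optional[List[str]] = None,
                 excludes: Optional[List[str]] = None) -> List[str]:
    """Return the paths the bot would consider for remediation.

    Mirrors the documented rule: a file is analyzed when it matches
    'filter-includes' AND does NOT match 'filter-excludes'. An empty include
    list matches every file; an empty exclude list excludes nothing.
    """
    inc = [glob_to_regex(p) for p in (includes or [])]
    exc = [glob_to_regex(p) for p in (excludes or [])]
    selected: List[str] = []
    for path in paths:
        included = not inc or any(r.match(path) for r in inc)
        excluded = any(r.match(path) for r in exc)
        if included and not excluded:
            selected.append(path)
    return selected


if __name__ == "__main__":
    # Only production Java sources: include *.java anywhere, drop test trees.
    print(select_files(SAMPLE_PATHS, ["**/*.java"], ["**/test/**"]))
    # Both filters empty: every file is a candidate.
    print(select_files(SAMPLE_PATHS))
```

Note that a bare "*.java" matches only files in the repository root, because * never crosses a path separator; to reach nested sources you need the "**/*.java" form the comments use.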
Configuration settings
SCA (deps)
pull-request-strategy: Indicates the PR strategy to follow. Allowed values are: always, no-duplicate, create-if-close.
filter-includes: Indicates the dependency include filter, expressed with glob patterns.
filter-excludes: Indicates the dependency exclude filter, expressed with glob patterns.
dependency-types: Indicates which dependencies are bumped. Allowed values are: direct, indirect, in-app-code and with-vulnerabilities.
bumping-version-strategies: Indicates the version bumping strategies. Allowed values are: all, minor, patch, without-vulnerabilities, compatible, exclude-pre-release.
only-use-repositories-configured: Indicates whether to use only the repositories configured in the repositories section.
repositories: Indicates the repositories used to find component versions. Currently maven is supported.
package-managers: Indicates specific configuration settings for each package manager.
SAST
pull-request-strategy: Indicates the Pull Request strategy to follow. Allowed values are: always, no-duplicate, create-if-close.
max-pull-request: Indicates the maximum number of pull requests created.
filter-includes: Indicates the list of glob patterns selecting the files whose vulnerabilities are remediated.
filter-excludes: Indicates the list of glob patterns excluding files from vulnerability remediation.
tags: Indicates the list of tags used to filter the vulnerabilities to remediate.
languages: Indicates the list of languages used to filter the vulnerabilities to remediate.
severities: Indicates the list of severities used to filter the vulnerabilities to remediate. Allowed values are: critical, high, low, info.
rule-ids-includes: Indicates the list of rules whose vulnerabilities are remediated. If empty, all rules are included.
rule-ids-excludes: Indicates the list of rules whose vulnerabilities are not remediated. If empty, no rule is excluded.
remediation-strategy: Indicates the remediation strategy to follow. Allowed values are:
fix-all-files: one Pull Request to remediate all vulnerabilities.
fix-all-by-file: one Pull Request to remediate all vulnerabilities in a file.
fix-one-by-file: one Pull Request to remediate all vulnerabilities of the same rule in a file.
fix-all-same-rule-files: one Pull Request to remediate all vulnerabilities of the same rule in all files.
ai-agents: Indicates the AI remediation agent configurations. Supported AI providers are:
Anthropic
Google Gemini
Groq
OpenAI
OpenRouter
Configurable settings for each of them are:
host: Indicates the AI agent host to use. Usually this setting does not need to be modified.
token: Indicates the AI agent token to use. Usually this is read from an environment variable whose name depends on the AI agent, such as OPENAI_TOKEN.
model: Indicates the specific model to use for remediation. Each AI agent has a predefined default model.
ai-remediation-agent: Indicates the AI remediation agent to use from those that are supported.
Options are:
global: Indicates that the AI agent globally configured for your account will be used. Currently, only xygeni can be globally configured, and that is done by default for your account.
xygeni: Indicates that the Xygeni AI agent should be used.
anthropic: Indicates that the Anthropic AI agent should be used.
gemini: Indicates that the Google Gemini AI agent should be used.
groq: Indicates that the Groq AI agent should be used.
openai: Indicates that the OpenAI agent should be used.
openrouter: Indicates that the OpenRouter agent should be used.
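Before committing a xygenibot.yml it is worth checking two things the settings list above implies: that every value is one of the allowed ones (a misspelled severity or remediation strategy would not select what you intended), and that the ${NAME} / ${NAME:-default} placeholders used for the AI agent host, token and model resolve from the environment without the token ever being written into the file. The Python below is an added example for this page, not XygeniBot's validator. It works on an already-parsed configuration dictionary (a constructed stand-in for the YAML), assumes the placeholder syntax shown in the ai-agents section, and looks for ai-agents and ai-remediation-agent under sast first and at the top level otherwise.

```python
import re
from typing import Any, Dict, List, Mapping

# Allowed values taken from the configuration settings listed on this page.
ALLOWED: Dict[str, set] = {
    "pull-request-strategy": {"always", "no-duplicate", "create-if-close"},
    "dependency-types": {"direct", "indirect", "in-app-code", "with-vulnerabilities"},
    "bumping-version-strategies": {"all", "minor", "patch", "without-vulnerabilities",
                                   "compatible", "exclude-pre-release"},
    "severities": {"critical", "high", "low", "info"},
    "remediation-strategy": {"fix-all-files", "fix-all-by-file",
                             "fix-one-by-file", "fix-all-same-rule-files"},
    "ai-remediation-agent": {"global", "xygeni", "anthropic", "gemini",
                             "groq", "openai", "openrouter"},
}

# ${NAME} or ${NAME:-default}, the placeholder form used in the ai-agents section (assumed syntax).
_PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::-([^}]*))?\}")


def resolve_placeholders(value: str, env: Mapping[str, str]) -> str:
    """Expand ${NAME:-default} from env, falling back to the default.

    A placeholder with neither a default nor a variable set is an error rather
    than an empty string: a silently empty token would only fail later, at the
    agent call, with a less useful message.
    """
    def repl(m: "re.Match[str]") -> str:
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        raise KeyError(f"{name} is not set and has no default")
    return _PLACEHOLDER.sub(repl, value)


def resolve_agent(agent_cfg: Mapping[str, str], env: Mapping[str, str]) -> Dict[str, str]:
    """Resolve host/token/model for one ai-agents entry."""
    return {k: resolve_placeholders(v, env) for k, v in agent_cfg.items()}


def _check_section(section: Mapping[str, Any], path: str, errors: List[str]) -> None:
    # Scalar keys and list keys share one table; lists are checked element by element.
    for key, allowed in ALLOWED.items():
        if key not in section:
            continue
        values = section[key]
        for v in (values if isinstance(values, list) else [values]):
            if v not in allowed:
                errors.append(f"{path}.{key}: '{v}' is not one of {sorted(allowed)}")


def validate(config: Mapping[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means every value is allowed."""
    errors: List[str] = []
    for name in ("deps", "sast"):
        section = config.get(name) or {}
        _check_section(section, name, errors)
        # Per-package-manager blocks repeat the same keys and get the same checks.
        for i, pm in enumerate(section.get("package-managers") or []):
            _check_section(pm, f"{name}.package-managers[{i}]", errors)
    sast = config.get("sast") or {}
    agents = (sast.get("ai-agents") if "ai-agents" in sast else config.get("ai-agents")) or {}
    chosen = sast.get("ai-remediation-agent", config.get("ai-remediation-agent"))
    # 'global' and 'xygeni' need no entry of their own; any other agent must be configured.
    if chosen not in (None, "global", "xygeni") and chosen not in agents:
        errors.append(f"ai-remediation-agent: '{chosen}' has no entry under ai-agents")
    return errors


# Constructed stand-in for a parsed xygenibot.yml (not taken from the page).
EXAMPLE_CONFIG: Dict[str, Any] = {
    "deps": {
        "pull-request-strategy": "create-if-close",
        "dependency-types": ["direct", "with-vulnerabilities"],
        "bumping-version-strategies": ["minor", "exclude-pre-release"],
        "package-managers": [{"type": "maven", "pull-request-strategy": "always"}],
    },
    "sast": {
        "pull-request-strategy": "no-duplicate",
        "severities": ["critical", "high"],
        "remediation-strategy": "fix-all-by-file",
        "ai-agents": {"openai": {"host": "${OPENAI_HOST:-https://api.openai.com/v1}",
                                 "token": "${OPENAI_TOKEN}",
                                 "model": "${OPENAI_MODEL:-gpt-4o}"}},
        "ai-remediation-agent": "openai",
    },
}

if __name__ == "__main__":
    print(validate(EXAMPLE_CONFIG))  # [] when every value is allowed
    env = {"OPENAI_TOKEN": "constructed-token-value"}  # constructed, never a real credential
    print(resolve_agent(EXAMPLE_CONFIG["sast"]["ai-agents"]["openai"], env))
```

Running the validator in CI before the bot picks the file up keeps a typo such as fix-all-file from quietly producing a configuration that selects nothing, and the placeholder resolver doubles as a check that the CI job actually exports the token variable the chosen agent needs.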