# Secrets Auto-Remediation

### Automatic Fix for Hardcoded Secrets <a href="#automatic-fix-for-open-source-vulnerabilities" id="automatic-fix-for-open-source-vulnerabilities"></a>

Xygeni helps you automatically fix hardcoded secrets found in your files.

The basic action is to **revoke the secret:**

1. When a change is pushed (or a PR is opened) to a repo in the SCM, the Xygeni [Secrets scanner](/xygeni-products/secrets-security/secrets-scanner.md) searches for any hardcoded secret.
2. **For every secret found**, the scanner will [**verify**](/xygeni-products/secrets-security/secrets-scanner.md#secrets-verification) it and, if verification succeeds and remediation is enabled, the scanner will **revoke** the secret on the end system through specific methods (API, commands, etc.).
3. When the scan finishes, the scanner will **upload** the results to the Xygeni platform.

<figure><img src="/files/q1E0yHNeFC3sMJxmPg7O" alt="" width="488"><figcaption></figcaption></figure>

[Xygeni Secrets scanner](/xygeni-products/secrets-security/secrets-scanner.md) provides the **`--auto-remediate`** flag. This flag will automatically try to revoke the secret according to its type.

For example, suppose the secrets scanner finds a GitLab PAT in your project files. If the `--auto-remediate` flag is provided, the scanner will revoke the PAT on the GitLab instance.

```bash
xygeni secrets --auto-remediate [rest of flags ...]
```

Xygeni provides out-of-the-box remediation playbooks for Slack, AWS access key, Google API Key and GitLab PAT (more will be coming shortly).

Auto-remediation is configured for the secrets scanner. If auto-remediation is enabled, **`--auto-remediate`** will work. If it is not enabled, **`--auto-remediate`** will not work.

{% hint style="info" %}
To enable or disable auto-remediation, set the `autoRemediationEnabled` property in `conf/xygeni.secrets.yml`.
{% endhint %}

```yaml
# File: conf/xygeni.secrets.yml
# Is auto remediation enabled? If true or yes, --auto-remediate can be used to trigger auto remediation.
# Set to false if you want to disable auto remediation.
# This is useful if you want to remediate secrets manually, or only via web UI or automation workflow.
autoRemediationEnabled: yes
```
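Because `--auto-remediate` does not work when the property is disabled, a pipeline that depends on revocation can check the configuration before invoking the scanner. The following pre-flight guard is an added example, not Xygeni's own code. The function names and the `REQUIRE_REMEDIATION` variable are hypothetical, and it assumes `autoRemediationEnabled` is a top-level key and that `no` is accepted as the counterpart of `yes`.

```shell
#!/usr/bin/env bash
# Added example (not part of Xygeni): pre-flight guard for CI jobs that rely
# on --auto-remediate. Function names and REQUIRE_REMEDIATION are hypothetical.

# Print the auto-remediation state read from the given config file:
# "enabled", "disabled", "unset", "invalid" or "unreadable".
# Returns 0 for enabled/disabled and 2 otherwise.
auto_remediation_state() {
  conf="$1"
  [ -r "$conf" ] || { echo "unreadable"; return 2; }
  # Match only an uncommented top-level key (assumption), keep the last
  # occurrence, then drop inline comments, quotes and whitespace.
  value=$(sed -n 's/^autoRemediationEnabled:[[:space:]]*\([^#]*\).*$/\1/p' "$conf" \
          | tail -n 1 | tr -d "\"' \t\r" | tr '[:upper:]' '[:lower:]')
  case "$value" in
    true|yes) echo "enabled" ;;
    false|no) echo "disabled" ;;   # "no" is assumed to mirror "yes"
    "")       echo "unset";   return 2 ;;
    *)        echo "invalid"; return 2 ;;
  esac
}

# Print the scanner command to run. --auto-remediate is added only when the
# config enables it. With REQUIRE_REMEDIATION=1 the function fails instead of
# silently falling back to a scan that revokes nothing.
xygeni_secrets_cmd() {
  conf="${1:-conf/xygeni.secrets.yml}"
  state=$(auto_remediation_state "$conf") || true
  if [ "$state" = "enabled" ]; then
    echo "xygeni secrets --auto-remediate"
    return 0
  fi
  if [ "${REQUIRE_REMEDIATION:-0}" = "1" ]; then
    echo "auto-remediation state for $conf is '$state'; refusing to scan without revocation" >&2
    return 1
  fi
  echo "xygeni secrets"
}

# Usage in a CI step (the remaining scanner flags are appended by the caller):
#   cmd=$(REQUIRE_REMEDIATION=1 xygeni_secrets_cmd) || exit 1
#   $cmd [rest of flags ...]
```
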

{% hint style="info" %}
**Incident Severity**

After using the **`--auto-remediate`** flag, the **severity** of those issues that have been successfully revoked is changed to **`Info`** and they are tagged as **`remediated`**.
{% endhint %}


