
Auto Fix Engine

PenumbraForge edited this page Mar 29, 2026 · 1 revision

Auto-Fix Engine

Gate doesn't just find secrets -- it fixes them. The auto-fix engine extracts secrets to .env files and rewrites source code to use environment variable references.

Usage

gate fix                    # Fix all findings
gate fix --dry-run          # Preview changes without writing
gate fix --interactive      # Fix one at a time
gate fix --undo             # Restore from snapshot

How It Works

  1. Snapshot -- backs up all files that will be modified
  2. Extract -- writes each secret value to a .env file with a derived variable name
  3. Rewrite -- replaces the secret in source with the appropriate env var reference
  4. Import -- adds necessary import statements (require('dotenv'), import os, etc.)
  5. Protect -- adds .env to .gitignore if not already present
  6. Verify -- re-scans modified files to confirm secrets are gone

Supported Languages

Language               Env Var Reference                 Import Added
JavaScript/TypeScript  process.env.VAR_NAME              require('dotenv').config()
Python                 os.environ['VAR_NAME']            import os
Go                     os.Getenv("VAR_NAME")             "os" import
Ruby                   ENV['VAR_NAME']                   require 'dotenv/load'
Java                   System.getenv("VAR_NAME")         None needed
YAML                   ${VAR_NAME}                       None needed
Terraform              var.var_name                      Variable block added
Dockerfile             ${VAR_NAME}                       None needed
JSON                   Extract only (manual migration)   N/A

Variable Name Derivation

Gate generates .env variable names from the rule ID and surrounding code context:

stripe-live-secret  →  STRIPE_SECRET_KEY
aws-access-key-id   →  AWS_ACCESS_KEY_ID
mongodb-uri         →  MONGODB_URI

.env File Safety

  • Values containing special characters (#, $, spaces, quotes) are automatically double-quoted and escaped
  • Existing .env values are checked before writing -- duplicates are skipped, conflicts get a _NEW suffix
  • .env file is created with 0600 permissions (owner-only read/write)
  • File permissions are preserved on modified source files (executables keep +x)

Line Number Tracking

When fixing multiple secrets in the same file, Gate processes findings bottom-up and tracks import insertions to prevent line number drift. If an import statement is added at the top of the file, remaining findings have their line numbers adjusted automatically.
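The extract, rewrite, import and verify steps above, the .env quoting and _NEW-conflict rules, and the bottom-up ordering that avoids line drift, shown together in one added illustration (not Gate's own code; the JS sample, the findings tuples and the secret values are constructed, and the import is placed after all rewrites so original line numbers stay valid):

```python
import re

# Constructed sample input (fake values): a JS file with two hard-coded secrets.
SAMPLE_JS = """const stripe = require('stripe')('sk_live_FAKE123');
const db = connect('mongodb://user:p#ss word@host/db');
"""

# Constructed findings: (line number, derived .env variable name, secret value).
FINDINGS = [
    (1, "STRIPE_SECRET_KEY", "sk_live_FAKE123"),
    (2, "MONGODB_URI", "mongodb://user:p#ss word@host/db"),
]

SPECIAL = set('#$ "\'\\')

def quote_env_value(value):
    """Double-quote and escape values that contain #, $, spaces, quotes or backslashes."""
    if not any(ch in SPECIAL for ch in value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return f'"{escaped}"'

def merge_env(existing, new_entries):
    """Skip entries already present with the same value; a conflicting value gets a _NEW suffix."""
    merged = dict(existing)
    for name, value in new_entries:
        if name in merged and merged[name] == value:
            continue
        if name in merged:
            name += "_NEW"
        merged[name] = value
    return merged

def apply_fixes(source, findings):
    """Rewrite secrets to process.env references bottom-up, then add the dotenv import."""
    lines = source.splitlines()
    env_entries = []
    # Bottom-up: rewriting a lower line never shifts the numbering of lines above it.
    for lineno, var, secret in sorted(findings, key=lambda f: f[0], reverse=True):
        literal = "(['\"])" + re.escape(secret) + r"\1"   # the quoted string literal
        lines[lineno - 1] = re.sub(literal, f"process.env.{var}", lines[lineno - 1])
        env_entries.append((var, quote_env_value(secret)))
    # The import goes in last, so the original line numbers stayed valid throughout.
    lines.insert(0, "require('dotenv').config();")
    fixed = "\n".join(lines) + "\n"
    # Verify step: no secret value may survive in the rewritten file.
    leaked = [s for _, _, s in findings if s in fixed]
    return fixed, dict(env_entries), leaked
```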

Undo

If something goes wrong:

gate fix --undo

This restores all modified files from the snapshot created before fixing.
