Auto-Fix PRs
CodePeel can automatically create a pull request that resolves all fixable findings from your review. After the standard review completes, the system identifies findings with concrete code suggestions, fetches the original file content, and opens a separate PR targeting your feature branch. Auto-fix is a Pro and Max feature that runs in parallel with comment posting.
Overview
Auto-fix transforms review findings into applied code changes without manual intervention. Rather than reading each inline comment and applying suggestions one by one, auto-fix collects all findings that have a fixCode field, asks CodePeel to rewrite each affected file with all fixes applied, and commits the result to a new branch.
The fix PR targets your feature branch (not main), so the fixes merge alongside your original code. This keeps your feature branch clean and allows you to review the automated changes before they become part of your PR. The fix PR is a normal pull request that goes through your standard review and CI process.
Auto-fix is designed as a background operation. If fix generation fails for any reason (API error, file not found, no fixable findings), it does not affect the main review. Your PR still receives its normal findings and inline comments regardless of whether the fix PR was successfully created.
How to Enable
Auto-fix is disabled by default and must be explicitly enabled. It requires a Pro or Max plan.
Option 1: Via .codepeel.yml
Add to your repository's configuration file:
```yaml
auto_fix:
  enabled: true
```
Option 2: Via the Dashboard
- Go to Settings in the sidebar
- Navigate to the Automation section
- Toggle Auto-Fix Findings on
The .codepeel.yml setting takes priority if both are configured. See the Configuration documentation for details on how settings merge.
How It Works
The auto-fix pipeline runs immediately after the main review analysis completes, in parallel with inline comment posting and auto-test generation. This minimizes the total time before the fix PR appears.
Step-by-step flow
1. **Trigger check.** After the review completes, the system checks that `auto_fix.enabled` is `true` in the config AND the user is on a Pro or Max plan. If either condition is false, auto-fix is skipped.
2. **Finding filtering.** All findings from the review are filtered to include only those that have a `fixCode` field, a valid `line` number, and a valid `file` path. Findings without concrete code suggestions are excluded. Findings are grouped by file path; each file is processed once with all its fixes applied together.
3. **PR metadata retrieval.** The original PR is fetched to determine the feature branch name and the latest commit.
4. **Per-file rewrite.** For each file with fixes, the current file content is fetched from the repository. The file content and all the findings for that file (with their `fixCode` suggestions) are sent to CodePeel, which returns a single rewritten version of the file with every fix applied. There is no line-by-line text replacement: CodePeel sees the whole file and produces the whole file.
5. **Diff assembly.** Rewritten file contents are diffed against the originals. Files whose content did not change are skipped.
6. **Git tree creation.** All modified files are assembled into a new Git tree using the GitHub Git Trees API.
7. **Commit creation.** A new commit is created with the modified tree, parented to the original PR's head commit. Commit message: `fix(codepeel): apply N automated fix(es)\n\nCo-authored-by: CodePeel <bot@codepeel.com>`.
8. **Branch creation.** A new branch reference is created pointing to the new commit: `codepeel/fix-pr-{pullNumber}-{timestamp}`.
9. **PR creation.** A pull request is opened from the new branch targeting the original PR's feature branch.
10. **Notification.** A comment is posted on the original PR linking to the fix PR.
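The steps above, minus the GitHub and CodePeel network calls, as an added JavaScript example (not CodePeel's own code): it filters findings the way step 2 describes, groups them by file, drops files whose rewrite is identical to the original, and assembles the tree entries, commit message and branch ref that steps 6 to 8 hand to the GitHub Git API. The `rewrites` map is a constructed stand-in for what CodePeel returns per file, the sample findings and file contents are constructed from this page's own examples, and the path-escape check inside the filter is this example's own hardening rather than something the page states.

```javascript
'use strict';
// Added example (not CodePeel's code): the bulk auto-fix assembly steps without I/O.
// Fetching the PR, fetching files, calling CodePeel and creating the tree/commit/ref/PR
// are left out; `rewrites` stands in for CodePeel's per-file output.

// Step 2: keep only findings with a concrete fixCode, a valid line and a valid path.
// Rejecting absolute paths and ".." segments is this example's own hardening.
function selectFixableFindings(findings) {
  return findings.filter(f =>
    typeof f.fixCode === 'string' && f.fixCode.trim() !== '' &&
    Number.isInteger(f.line) && f.line > 0 &&
    typeof f.file === 'string' && f.file !== '' &&
    !f.file.startsWith('/') && !f.file.split('/').includes('..'));
}

// Group fixable findings by file path so each file is rewritten once.
function groupByFile(findings) {
  const groups = new Map();
  for (const f of findings) {
    if (!groups.has(f.file)) groups.set(f.file, []);
    groups.get(f.file).push(f);
  }
  return groups;
}

// Step 5: keep only files whose rewritten content differs from the original.
function changedFiles(originals, rewrites) {
  const changed = {};
  for (const [path, content] of Object.entries(rewrites)) {
    if (path in originals && content !== originals[path]) changed[path] = content;
  }
  return changed;
}

// Step 6: entries in the shape POST /repos/{owner}/{repo}/git/trees accepts
// (inline blob content, regular-file mode), sent together with base_tree.
function buildTreeEntries(changed) {
  return Object.entries(changed).map(([path, content]) =>
    ({ path, mode: '100644', type: 'blob', content }));
}

// Steps 7 and 8: the commit message and branch ref documented above.
function commitMessage(fixCount) {
  return `fix(codepeel): apply ${fixCount} automated fix(es)\n\n` +
    'Co-authored-by: CodePeel <bot@codepeel.com>';
}
function branchRef(pullNumber, timestamp) {
  return `refs/heads/codepeel/fix-pr-${pullNumber}-${timestamp}`;
}

// Whole pipeline minus I/O. Returns null when nothing is fixable or no rewrite
// changed a file, i.e. the "No valid fixes could be applied" outcome.
function assembleFixPr({ pullNumber, headSha, timestamp, findings, originals, rewrites }) {
  const groups = groupByFile(selectFixableFindings(findings));
  if (groups.size === 0) return null;
  const relevant = {};                         // only files that had fixable findings
  for (const path of groups.keys()) if (path in rewrites) relevant[path] = rewrites[path];
  const changed = changedFiles(originals, relevant);
  const tree = buildTreeEntries(changed);
  if (tree.length === 0) return null;
  const fixCount = [...groups].filter(([p]) => p in changed)
    .reduce((n, [, fs]) => n + fs.length, 0);
  return {
    tree,
    commit: { message: commitMessage(fixCount), parents: [headSha] },
    ref: branchRef(pullNumber, timestamp),
    title: `🤖 [CodePeel] Auto-Fixes for PR #${pullNumber}`,
    filesModified: tree.length,
  };
}

// Constructed sample input (not real review data), reusing this page's examples.
const SAMPLE = {
  pullNumber: 42, headSha: 'abc123', timestamp: 1717200000000,
  findings: [
    { file: 'src/db/users.ts', line: 42, fixCode: "const result = await db.query('SELECT * FROM users WHERE email = $1', [email]);" },
    { file: 'src/api/profile.ts', line: 18, fixCode: "const name = user?.name ?? 'Anonymous';" },
    { file: 'src/api/profile.ts', line: 3, fixCode: '' },     // no concrete fix: excluded
    { file: 'README.md', line: 0, fixCode: 'x' },             // invalid line: excluded
    { file: '../etc/passwd', line: 1, fixCode: 'x' },         // escapes the repo: excluded
  ],
  originals: {
    'src/db/users.ts': "const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`);\n",
    'src/api/profile.ts': 'const name = user.name;\n',
  },
  rewrites: {   // stand-in for CodePeel's whole-file output
    'src/db/users.ts': "const result = await db.query('SELECT * FROM users WHERE email = $1', [email]);\n",
    'src/api/profile.ts': 'const name = user.name;\n',        // returned unchanged: skipped in step 5
  },
};

console.log(JSON.stringify(assembleFixPr(SAMPLE), null, 2));
```

Run it with `node` and the output is the payload a real implementation would send on to the Git Trees, commits, refs and pulls endpoints: one tree entry (the profile file is dropped because the rewrite left it unchanged), a commit message counting one applied fix, and the `codepeel/fix-pr-42-1717200000000` ref.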
Why CodePeel rewrites the whole file
Each finding's fixCode is a code snippet, not a unified diff. Trying to apply multiple snippets to one file via line-number replacement is fragile — fixes shift lines, snippets don't include surrounding context, and overlapping fixes collide. Asking CodePeel to rewrite the whole file with all fixes applied at once produces a coherent result that respects indentation, imports, and adjacent code.
The trade-off: the rewrite can occasionally introduce unintended changes. Always review the fix PR diff before merging — the original PR comment includes a link.
What Gets Auto-Fixed
Auto-fix only applies to findings that have a concrete fixCode value. This field is populated by the AI analysis engine when it can generate a specific code replacement. Not all findings produce a fix — complex issues that require architectural changes or multi-file refactoring do not.
The filter is: a finding must include a fixCode value, a valid line number, and a valid file path. There is no per-category logic — if the AI produces a fixCode for a finding, auto-fix will attempt to apply it.
Fixable finding types (typical)
| Category | Examples |
|---|---|
| Security patterns | Replacing eval(), innerHTML, unsafe deserialization, hardcoded secrets |
| Missing error handling | Adding try/catch, .catch() handlers, null checks |
| Performance fixes | Memoization, lazy loading, removing unnecessary re-renders |
| Import fixes | Missing imports, unused imports, incorrect paths |
| Simple refactorings | const vs let, template literals, nullish coalescing, optional chaining |
| Typo fixes | Variable names, comments, string literals |
| API usage | Deprecated method replacements, correct parameter usage |
What does NOT get auto-fixed
| Category | Reason |
|---|---|
| Complex logic changes | Too risky to automate without full context |
| Architectural refactoring | Requires human judgment about design |
| Multi-file refactoring | Cross-cutting concerns need coordinated changes |
| Business logic changes | Requires domain knowledge |
| Findings without fixCode | The AI could not generate a concrete replacement |
Generated PR Format
When fixes are successfully applied, a new pull request is created with the following structure:
Branch naming
codepeel/fix-pr-{pullNumber}-{timestamp}
For example: codepeel/fix-pr-42-1717200000000
PR title
🤖 [CodePeel] Auto-Fixes for PR #42
PR body
The PR description includes:
- A link back to the original PR (`#42`)
- The count of files with applied fixes
- A review-required note listing what to verify
Example body:
## Auto-Fix PR
CodePeel has applied automated fixes for findings in #42.
**3 file(s) modified.**
### ⚠️ Review Required
These fixes are AI-generated and may need adjustments:
- Verify indentation and code structure
- Ensure referenced types/classes exist
- Run your test suite before merging
---
<sub>Generated by CodePeel AI · [Docs](https://codepeel.com/docs/auto-fix)</sub>
PR target
The fix PR targets your feature branch, not main. This means the fixes merge into your feature branch and ship together with your code changes.
Commit message
fix(codepeel): apply 3 automated fixes
Co-authored-by: CodePeel <bot@codepeel.com>
Notification comment
A comment is posted on your original PR:
**Auto-Fix PR Available**
CodePeel has generated fixes for this review: https://github.com/owner/repo/pull/43
Individual Fix Generation
In addition to the automatic bulk fix PR, CodePeel provides an API for generating and applying individual fixes. This is used by the VS Code extension "Fix with AI" feature and the MCP server fix_code tool.
The individual-fix flow uses a different mechanism from the bulk auto-fix pipeline: it generates a unified-diff patch and applies it to a fresh branch.
Fix generation (generate mode)
Generates a fix without applying it. Returns the patch and description for the user to review:
`POST /api/fixes`

```json
{
  "finding": { "file": "src/auth.ts", "line": 42, "explanation": "..." },
  "action": "generate"
}
```

Returns:

```json
{
  "patch": "--- a/src/auth.ts\n+++ b/src/auth.ts\n@@ -42,1 +42,1 @@\n const result = await db.query(query, [email]);",
  "description": "Use parameterized query to prevent SQL injection"
}
```
Fix application (apply mode)
Generates a fix and creates a branch + PR with the fix applied:
`POST /api/fixes`

```json
{
  "finding": { "file": "src/auth.ts", "line": 42, "explanation": "..." },
  "action": "apply",
  "repo": "my-app",
  "owner": "my-org",
  "targetBranch": "master",
  "installationId": 12345
}
```
This creates a branch named codepeel/fix-(unknown)-{timestamp} and opens a PR with the single fix applied. The default targetBranch is master when not supplied.
Patch application
For the apply action, the generated patch is parsed and merged with the original file content from the base branch:
- The original file content is fetched from the base branch.
- The patch is applied to the original content, matching the section to be replaced.
- The patched content is committed to a new branch, then a PR is opened with that branch as the head and the target branch as the base.
Validation: The patch is validated to ensure it only references the intended file path. This blocks path traversal attempts where a malicious finding could try to modify unrelated files. Patches that fail validation are rejected before any branch or PR is created.
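An added JavaScript example (not CodePeel's code) of the apply-mode steps just listed: parse the unified-diff patch, check that its headers name only the target file before anything else happens, then apply the hunks to the original content, searching for the hunk's context when the declared line has drifted. The sample file and patch are constructed from the SQL-injection example on this page, and the error text reuses the message documented under Troubleshooting. It handles single-file patches only; the path-normalization rules and the rejection of `/dev/null` headers are this example's assumptions about what "only references the intended file path" should mean.

```javascript
'use strict';
// Added example (not CodePeel's code): validate and apply a single-file unified diff
// as the apply-mode steps describe. Path rules and /dev/null handling are assumptions.
const INVALID_PATCH = 'Invalid patch: only target file may be modified';

// Repo-relative path only: not absolute, no ".", "..", empty or backslash segments.
function normalizeRepoPath(p) {
  if (typeof p !== 'string' || p === '' || p.startsWith('/') || p.includes('\\')) return null;
  const segs = p.split('/');
  return segs.some(s => s === '' || s === '.' || s === '..') ? null : segs.join('/');
}

// Strip "--- " / "+++ " and the a/ b/ prefixes git puts on header paths.
function headerPath(line) {
  return line.slice(4).trim().replace(/^[ab]\//, '');
}

// Parse into [{ oldPath, newPath, hunks: [{ oldStart, lines }] }]. The @@ header's
// line counts decide where a hunk body ends, so body lines are never read as headers.
function parsePatch(patch) {
  const files = [];
  let file = null, hunk = null, oldLeft = 0, newLeft = 0;
  const lines = patch.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (hunk && (oldLeft > 0 || newLeft > 0)) {
      const tag = line[0];
      if (tag === ' ' || line === '') { oldLeft--; newLeft--; } // '' = blank context line
      else if (tag === '-') oldLeft--;
      else if (tag === '+') newLeft--;
      else if (tag === '\\') continue;                           // "\ No newline at end of file"
      else throw new Error('Invalid patch: unexpected line in hunk body');
      hunk.lines.push(line === '' ? ' ' : line);
    } else if (line.startsWith('--- ')) {
      const next = lines[i + 1] || '';
      if (!next.startsWith('+++ ')) throw new Error('Invalid patch: malformed file header');
      file = { oldPath: headerPath(line), newPath: headerPath(next), hunks: [] };
      files.push(file);
      i++;
    } else if (line.startsWith('@@ ')) {
      const m = /^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/.exec(line);
      if (!m || !file) throw new Error('Invalid patch: malformed hunk header');
      hunk = { oldStart: Number(m[1]), lines: [] };
      oldLeft = m[2] === undefined ? 1 : Number(m[2]);
      newLeft = m[4] === undefined ? 1 : Number(m[4]);
      file.hunks.push(hunk);
    }
  }
  return files;
}

// The validator: exactly one file, and both header paths must resolve to the target.
// This is what stands between a crafted finding and a write to some other file.
function validatePatchTarget(files, targetFile) {
  const target = normalizeRepoPath(targetFile);
  if (target === null || files.length !== 1) throw new Error(INVALID_PATCH);
  for (const p of [files[0].oldPath, files[0].newPath]) {
    if (normalizeRepoPath(p) !== target) throw new Error(INVALID_PATCH);
  }
  return true;
}

// Find the hunk's old side at the declared line, else anywhere in the file.
function locate(lines, needle, hint) {
  const at = i => i >= 0 && i + needle.length <= lines.length &&
    needle.every((l, k) => lines[i + k] === l);
  if (at(hint)) return hint;
  for (let i = 0; i + needle.length <= lines.length; i++) if (at(i)) return i;
  return -1;
}

// Apply hunks in order; `offset` tracks how earlier hunks shifted later lines.
function applyPatch(original, file) {
  const out = original.split('\n');
  let offset = 0;
  for (const hunk of file.hunks) {
    const oldSide = hunk.lines.filter(l => l[0] !== '+').map(l => l.slice(1));
    const newSide = hunk.lines.filter(l => l[0] !== '-').map(l => l.slice(1));
    const pos = locate(out, oldSide, hunk.oldStart - 1 + offset);
    if (pos < 0) throw new Error(`Hunk at line ${hunk.oldStart} does not match the file`);
    out.splice(pos, oldSide.length, ...newSide);
    offset += newSide.length - oldSide.length;
  }
  return out.join('\n');
}

// Apply-mode order: parse, validate, and only then touch file content.
function applyFixPatch({ original, patch, targetFile }) {
  const files = parsePatch(patch);
  validatePatchTarget(files, targetFile);
  return applyPatch(original, files[0]);
}

// Constructed sample (not a real CodePeel response), based on this page's SQL example.
const SAMPLE_ORIGINAL = ['export async function findUser(email) {',
  "  const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`);",
  '  return result.rows[0];', '}', ''].join('\n');
const SAMPLE_PATCH = ['--- a/src/db/users.ts', '+++ b/src/db/users.ts', '@@ -2,1 +2,1 @@',
  "-  const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`);",
  "+  const result = await db.query('SELECT * FROM users WHERE email = $1', [email]);", ''].join('\n');
// Same patch with a header path that escapes the target file: must be rejected.
const TRAVERSAL_PATCH = SAMPLE_PATCH.replace('b/src/db/users.ts', 'b/../.github/workflows/ci.yml');

console.log(applyFixPatch({ original: SAMPLE_ORIGINAL, patch: SAMPLE_PATCH, targetFile: 'src/db/users.ts' }));
```

Validation runs on the parsed headers before any content is touched, which mirrors the order the page describes: a patch that fails it never produces a branch or a PR. The context search in `locate` is what lets the fix still land when the branch has gained a line or two above the finding since the review ran; if the hunk's old side cannot be found at all, applying fails loudly rather than writing a guess.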
Credit Consumption
Auto-fix generation consumes 1 review from your monthly quota. This deduction happens only if a fix PR is successfully created. If generation fails or produces no valid fixes, no review is consumed.
| Scenario | Reviews consumed |
|---|---|
| Fix PR created successfully | 1 review |
| No fixable findings | 0 reviews |
| Fix generation fails | 0 reviews |
| Pro user at quota limit | 0 reviews (PR still created if work was done) |
For Pro users who have reached their 500-review monthly limit, the fix PR is still created if the generation work was already completed, but no additional review is deducted. This prevents wasted work.
Auto-Fix vs Suggestion Blocks
CodePeel provides two mechanisms for applying fixes. They serve different workflows and can be used together.
| Feature | Suggestion blocks | Auto-fix PR |
|---|---|---|
| Where it appears | Inline on each finding comment | Separate pull request |
| Apply individually | Yes (one-click per finding) | No (all fixes at once) |
| Apply all at once | No | Yes |
| Creates reviewable diff | No (applied directly) | Yes (full PR diff) |
| Requires opt-in | No (always available) | Yes (must enable) |
| Plan required | All plans | Pro or Max |
| Consumes reviews | No | 1 review |
Even without auto-fix enabled, every fixable finding includes a GitHub suggestion block in its inline comment. You can apply these individually by clicking "Commit suggestion" on each comment. Auto-fix is the bulk alternative that applies all suggestions at once.
Configuration
Minimal configuration
```yaml
auto_fix:
  enabled: true
```
This is the only configuration needed. The system automatically identifies fixable findings and applies them.
Combined with auto-test
Auto-fix and auto-test can both be enabled simultaneously. They run in parallel and create separate PRs:
```yaml
auto_fix:
  enabled: true
auto_test:
  enabled: true
```
Disabling for specific repositories
If auto-fix is enabled in your dashboard settings but you want to disable it for a specific repository, add to that repo's .codepeel.yml:
```yaml
auto_fix:
  enabled: false
```
The .codepeel.yml setting overrides the dashboard setting.
Plan Requirements
Auto-fix requires a Pro or Max plan. On the Free tier, the auto_fix.enabled setting is ignored and no fix PR is generated.
| Plan | Auto-fix available | Reviews consumed |
|---|---|---|
| Free | No | -- |
| Pro | Yes | 1 review per generation |
| Max | Yes | 1 review per generation |
Limitations
CodePeel rewrites whole files
The bulk auto-fix does NOT do line-by-line replacement. For each file with fixable findings, CodePeel is given the current file content plus all the findings' fixCode snippets, and it returns a completely rewritten file. This means:
- The rewrite can occasionally drop or modify code unrelated to the listed findings.
- The fix is only as good as CodePeel's interpretation of the `fixCode` snippets in context.
- Always review the fix PR diff before merging.
No conflict detection with simultaneous changes
If your PR has multiple files with overlapping concerns, each file is rewritten independently. There is no cross-file coordination. If your fix depends on changes in another file, CodePeel may not see that context.
File must exist at head commit
If a file was deleted or renamed in the PR, fixes targeting that file will fail silently.
No compilation verification
Generated fixes are not compiled or tested before being committed. The fix PR may contain code that does not compile. Always review the fix PR and run your CI pipeline before merging.
Background operation
Auto-fix runs asynchronously and does not block the main review. If it fails, no notification is posted about the failure. The main review is completely unaffected.
fixCode quality
The quality of auto-fixes depends on the fixCode field generated by the AI analysis engine. Some snippets may be incomplete, incorrect, or not account for surrounding context. Always review the fix PR before merging.
Troubleshooting
Fix PR not appearing
If auto-fix is enabled but no fix PR is created:
- Verify you are on a Pro or Max plan (auto-fix is not available on Free)
- Check that `auto_fix.enabled` is `true` in your config or dashboard
- Ensure the review produced findings with `fixCode` values (not all findings are fixable)
- Check that the files referenced by findings exist in the PR's head commit
- Verify the GitHub App has write permissions on the repository
Fix PR has no changes
If the fix PR is created but shows no diff:
- The rewrite of the file produced content identical to the original (no fixes needed)
- The findings' `fixCode` snippets were trivial (e.g., adding a semicolon) and the rewrite chose not to apply them
Fixes look wrong
The rewrite can occasionally introduce unintended changes. Possible causes to check:
- The PR has been updated since the review ran (new commits shifted lines)
- CodePeel may have applied or omitted a fix differently than expected; check the finding's `fixCode` in the original review comment
Push a new commit to trigger an incremental review with fresh findings.
"No valid fixes could be applied"
This means all fixable findings failed during the file processing step. Common causes:
- Files could not be fetched (permissions, deleted files)
- The rewrite produced no actual change (all `fixCode` snippets were no-ops)
- A target file is a directory or submodule, not a file
Individual fix (/api/fixes apply mode) fails
If the API returns 400 with "Invalid patch: only target file may be modified", the generated patch references a path other than the target file. This is blocked by the patch validator. Rephrase the finding or manually craft the fix.
Auto-fix consuming reviews unexpectedly
Auto-fix consumes 1 review from your quota each time it successfully creates a fix PR. If you are on Pro with limited reviews, consider disabling auto-fix when approaching your quota limit. Check your usage on the billing page.
Frequently Asked Questions
Does auto-fix run on every PR?
Yes, when enabled. Auto-fix runs after every PR review that completes successfully, as long as you are on a Pro or Max plan, have available quota, and the review produced at least one finding with a fixCode. There is no way to trigger it selectively per PR.
Can I choose which fixes to apply?
Not with the bulk auto-fix feature. It applies all fixable findings at once. If you want to apply fixes selectively, use the suggestion blocks on individual inline comments instead. You can also review the fix PR and revert specific changes before merging.
What happens if the fix PR conflicts with my feature branch?
Since the fix PR targets your feature branch and is based on the same head commit, conflicts are unlikely for the initial creation. However, if you push new commits to your feature branch after the fix PR is created, merge conflicts may arise. Resolve them as you would any other PR conflict.
Can I use auto-fix without auto-test?
Yes. Auto-fix and auto-test are independent features. You can enable either one, both, or neither. They run in parallel and create separate PRs when both are enabled.
Does auto-fix work with the VS Code extension?
The bulk auto-fix (creating a PR with all fixes) only runs on GitHub PR reviews. However, the VS Code extension provides its own fix mechanisms: "Apply Suggested Fix" for direct inline application and "Fix with AI" for routing to an AI agent. See the VS Code Extension documentation for details.
How is auto-fix different from the MCP fix_code tool?
The MCP fix_code tool generates a fix for a single specific issue on demand. Auto-fix is an automated pipeline that applies all fixable findings from a review at once. The MCP tool is interactive (you ask for a fix), while auto-fix is automatic (runs after every review).
Examples
Security fix: SQL injection
Original finding:
File: src/db/users.ts
Line: 42
Severity: critical
Type: security
Explanation: User input is concatenated directly into the SQL query string.
fixCode: const result = await db.query('SELECT * FROM users WHERE email = $1', [email]);
Applied fix in the auto-fix PR:
The line at position 42 in src/db/users.ts is replaced with the parameterized query (CodePeel rewrites the whole file with the fix applied). The fix PR diff shows:
```diff
- const result = await db.query(`SELECT * FROM users WHERE email = '${email}'`);
+ const result = await db.query('SELECT * FROM users WHERE email = $1', [email]);
```
Bug fix: Missing null check
Original finding:
File: src/api/profile.ts
Line: 18
Severity: high
Type: bug
Explanation: Accessing user.name without checking if user is null.
fixCode: const name = user?.name ?? 'Anonymous';
Applied fix:
```diff
- const name = user.name;
+ const name = user?.name ?? 'Anonymous';
```
Performance fix: Unnecessary re-render
Original finding:
File: src/components/Dashboard.tsx
Line: 7
Severity: medium
Type: performance
Explanation: Object literal in dependency array causes re-render on every cycle.
fixCode: const options = useMemo(() => ({ limit: 10, offset: 0 }), []);
Applied fix:
```diff
- const options = { limit: 10, offset: 0 };
+ const options = useMemo(() => ({ limit: 10, offset: 0 }), []);
```
Security Considerations
Fix validation
Before applying fixes, the system performs basic validation:
- The `fixCode` must be a non-empty string
- The target file must exist in the repository at the specified commit
- The target line number must be within the file's line count
- For individual fixes (apply mode), the patch is validated to ensure it only modifies the target file
Patch sanitization
Individual fix patches (from the /api/fixes endpoint) are validated to ensure the patch only references the intended file path. This prevents path traversal attacks where a malicious finding could attempt to modify unrelated files.
Review before merge
Auto-fix PRs should always be reviewed before merging. The fixes are AI-generated suggestions that may:
- Introduce new bugs while fixing the original issue
- Not account for surrounding code context
- Use patterns inconsistent with your codebase conventions
- Produce syntactically valid but semantically incorrect code
Treat auto-fix PRs as a starting point, not a final solution. Your CI pipeline and code review process should catch any issues before the fixes reach production.
Comparison: Fix Methods
CodePeel provides multiple ways to apply fixes. Choose the method that fits your workflow:
| Method | Scope | Trigger | Creates PR | Plan |
|---|---|---|---|---|
| Suggestion blocks | Single finding | Manual (click) | No | All |
| Auto-fix PR | All fixable findings | Automatic | Yes | Pro/Max |
| VS Code "Apply Fix" | Single finding | Manual (click) | No | All |
| VS Code "Fix with AI" | Single finding | Manual (click) | No | All |
| MCP fix_code | Single finding | Agent decides | No | All |
| API action: apply | Single finding | Programmatic | Yes | All |
When to use each
- Suggestion blocks -- Quick one-click fixes during PR review on GitHub
- Auto-fix PR -- Bulk application when you want all fixes applied and reviewed as a diff
- VS Code "Apply Fix" -- Immediate local application during development
- VS Code "Fix with AI" -- Route to an AI agent for more context-aware fixing
- MCP `fix_code` -- Let your AI agent generate and apply fixes programmatically
- API `action: apply` -- Automated workflows and CI integrations
Related Documentation
- Auto-Test -- Automatic test PR generation (companion feature)
- Configuration -- `.codepeel.yml` reference including `auto_fix` settings
- Billing -- Plan requirements and review consumption
- Features -- How suggestion blocks work in inline comments
- VS Code Extension -- Individual fix application from the IDE