Auto-Remediation

Kovar can generate framework-specific code fixes for security findings. Given a list of findings and a target framework, it produces copy-pasteable code suggestions.

```ts
import { generateRemediation } from "@orlalabs/kovar/core";

// `findings` is the list of security findings produced by a Kovar scan
const remediation = generateRemediation(findings, {
  framework: "express", // "express" | "fastify" | "next" | "koa" | "hono" | "generic"
  language: "typescript", // "typescript" | "javascript"
});

for (const suggestion of remediation.suggestions) {
  console.log(`Finding: ${suggestion.findingId}`);
  console.log(`File: ${suggestion.filePath}`);
  console.log(`Fix:\n${suggestion.code}`);
}
```

| Option | Type | Description |
| --- | --- | --- |
| `framework` | `string` | Target framework (see Framework Support) |
| `language` | `"typescript" \| "javascript"` | Output language |

Each suggestion includes:

```ts
interface RemediationSuggestion {
  findingId: string; // e.g. "header-missing-hsts"
  framework: Framework; // detected or specified framework
  description: string; // human-readable explanation
  code: string; // copy-pasteable fix
  filePath?: string; // suggested file (e.g. "middleware.ts", "next.config.js")
  language: "typescript" | "javascript";
  confidence: "high" | "medium" | "low";
  references: string[]; // links to docs
}
```

The full report structure:

```ts
interface RemediationReport {
  findings: number; // total findings processed
  suggestions: RemediationSuggestion[]; // actionable suggestions
  unsupported: string[]; // finding IDs without auto-remediation
}
```

If you omit the `framework` option, it defaults to `"generic"`. If you want auto-detection based on your `package.json` dependencies, use the standalone `detectFramework()` utility and pass its result:

```ts
import { detectFramework, generateRemediation } from "@orlalabs/kovar/core";

const framework = detectFramework(); // reads package.json, returns best match
const remediation = generateRemediation(findings, { framework, language: "typescript" });
```
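The following is an added example, not Kovar's own code, covering both halves of this page: a local framework detector that works over a `package.json` object the way `detectFramework()` is described (reading dependencies and returning the best match), and a triage step over a `RemediationReport` that decides which suggestions are safe to apply mechanically and which still need a human. The interfaces mirror the shapes documented above; the detection precedence (`next` before `express`, since a Next.js app with a custom server lists both), the triage policy, the finding IDs other than `header-missing-hsts`, and the reference URL are this example's own assumptions.

```typescript
// Added example (not Kovar's own code). Types mirror the documented shapes;
// detection precedence, triage policy and sample values are assumptions.

type Framework = "express" | "fastify" | "next" | "koa" | "hono" | "generic";

interface RemediationSuggestion {
  findingId: string;
  framework: Framework;
  description: string;
  code: string;
  filePath?: string;
  language: "typescript" | "javascript";
  confidence: "high" | "medium" | "low";
  references: string[];
}

interface RemediationReport {
  findings: number;
  suggestions: RemediationSuggestion[];
  unsupported: string[];
}

// Only the parts of package.json the detector inspects.
interface PackageJson {
  dependencies?: Record<string, string>;
  devDependencies?: Record<string, string>;
}

// Assumed precedence: "next" first because a Next.js custom server also pulls
// in express; a Next.js fix (next.config.js) is the more specific one.
const FRAMEWORK_PRECEDENCE: Exclude<Framework, "generic">[] = [
  "next", "fastify", "hono", "koa", "express",
];

// Hypothetical local stand-in for detectFramework(): best match or "generic".
function detectFrameworkFromPackageJson(pkg: PackageJson): Framework {
  const deps = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  for (const fw of FRAMEWORK_PRECEDENCE) {
    if (fw in deps) return fw;
  }
  return "generic";
}

interface Triage {
  autoApply: RemediationSuggestion[]; // high confidence AND a concrete file to edit
  needsReview: RemediationSuggestion[]; // has a fix, but a person should look first
  manual: string[]; // finding IDs the generator could not remediate
}

// Triage policy (assumed): only high-confidence suggestions that name a file
// are candidates for an automated patch; everything else goes to review.
function triageReport(report: RemediationReport): Triage {
  const autoApply: RemediationSuggestion[] = [];
  const needsReview: RemediationSuggestion[] = [];
  for (const s of report.suggestions) {
    if (s.confidence === "high" && s.filePath) autoApply.push(s);
    else needsReview.push(s);
  }
  return { autoApply, needsReview, manual: [...report.unsupported] };
}

// Constructed sample report: one high-confidence header fix, one medium-
// confidence cookie fix without a file path, and one finding with no fix.
const SAMPLE_REPORT: RemediationReport = {
  findings: 3,
  suggestions: [
    {
      findingId: "header-missing-hsts",
      framework: "express",
      description: "Strict-Transport-Security header is not set",
      code: "app.use(helmet.hsts({ maxAge: 31536000 }));",
      filePath: "middleware.ts",
      language: "typescript",
      confidence: "high",
      references: ["https://example.invalid/docs/hsts"], // placeholder URL
    },
    {
      findingId: "cookie-missing-secure", // constructed finding ID
      framework: "express",
      description: "Session cookie lacks the Secure attribute",
      code: "session({ cookie: { secure: true } })",
      language: "typescript",
      confidence: "medium",
      references: [],
    },
  ],
  unsupported: ["tls-weak-cipher"], // constructed finding ID
};

// Constructed package.json: lists both next and express to exercise precedence.
const SAMPLE_PACKAGE_JSON: PackageJson = {
  dependencies: { express: "^4.19.0", next: "^14.0.0" },
};

const triage = triageReport(SAMPLE_REPORT);
console.log(`framework: ${detectFrameworkFromPackageJson(SAMPLE_PACKAGE_JSON)}`);
console.log(`auto-apply: ${triage.autoApply.map((s) => s.findingId).join(", ")}`);
console.log(`needs review: ${triage.needsReview.map((s) => s.findingId).join(", ")}`);
console.log(`manual: ${triage.manual.join(", ")}`);
```

In a CI job the `autoApply` bucket is what you would turn into a patch or pull request, `needsReview` becomes review comments carrying `description` and `references`, and a non-empty `manual` list is the signal to fail or flag the run, since those findings are still open after auto-remediation.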