Security scanners are good at finding vulnerabilities. Fixing them is the hard part. Teams accumulate a backlog of findings that grows faster than developers can address it. Developers see security fixes as toil. And tools that auto-generate PRs via text search-and-replace often produce changes that are insufficiently tested or break the application — creating more work, not less.
Ona takes a different approach:
- An AI software engineer analyzes each finding and crafts the code change — not a regex substitution, but a reasoned fix that accounts for the project's structure and conventions.
- The fix is built and tested in a fully equipped dev environment where the modified code can actually compile and run.
- The agent iterates until the fix is proven not to break the app — if tests fail, it reads the errors, adjusts, and retries.
The result is a PR that is ready to review and merge, not a starting point that needs manual cleanup.
This repo demonstrates the setup using Spring PetClinic (Java/Maven) with GitHub's free security features.
All tools below are free for public repos on GitHub's free org plan.
Dependabot monitors your dependency graph for known vulnerabilities and creates alerts under Security > Dependabot.
For Maven projects, GitHub's dependency graph often can't resolve versions inherited from a parent BOM. The dependency-submission.yml workflow solves this by running mvn to resolve the full dependency tree and submitting it to GitHub's dependency graph API.
CodeQL performs static analysis on your source code. GitHub's default setup analyzes Java and Actions code on every push and PR. Results appear under Security > Code scanning.
Trivy scans dependency files (pom.xml, lock files, etc.) for known CVEs. The trivy.yml workflow runs a filesystem scan and uploads SARIF results to Security > Code scanning.
OSV-Scanner checks dependencies against the OSV database. The osv-scanner.yml workflow runs on push (scheduled scan) and on PRs (diff scan to catch newly introduced vulnerabilities). Results upload to Security > Code scanning.
Two Ona automations in .ona/ use the GitHub CLI to fetch the highest-severity open alert, apply a fix, run tests, and open a PR.
.ona/fix-dependabot-alert.yaml
- Install gh CLI if not present
- Fetch the highest-severity open Dependabot alert via gh api
- Analyze the alert and read the manifest to understand how the dependency is declared
- Upgrade the dependency to the patched version
- Verify with ./mvnw compile test and ./mvnw dependency:tree
- Open a PR with alert details, CVE, CVSS score, and verification checklist
.ona/fix-codescan-alert.yaml
- Install gh CLI if not present
- Fetch the highest-severity open code scanning alert via gh api
- Analyze the alert, read the affected source file and its surrounding context
- Fix the issue (code change for CodeQL findings, dependency upgrade for Trivy/OSV findings)
- Verify with ./mvnw compile test
- Open a PR with alert details and verification checklist
Both automations authenticate using the token from the git credential helper (GITHUB_TOKEN env var), avoiding the need for additional secrets.
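The selection step both automations share (fetch open alerts, pick the most severe one, assemble the details for the PR body) is shown below as an added example in Python. It is not code from this repo or from Ona; it mirrors the Dependabot flow described above. The REST endpoint and response field names (security_advisory.severity, security_advisory.cvss.score, security_vulnerability.first_patched_version, dependency.manifest_path) are those of GitHub's Dependabot alerts API; the alert list itself is a constructed sample with placeholder advisory and CVE identifiers, and the gh api invocation is only built, not executed, so the module runs offline.

```python
"""Pick the highest-severity open Dependabot alert and draft the PR summary.

Added example, not part of the repo's .ona automation files. Mirrors the
automation steps: query alerts via `gh api`, rank them, and gather the
details (CVE, CVSS, patched version, verification checklist) for the PR.
"""
import json
from typing import Optional

# Dependabot advisory severity labels, highest first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def gh_api_command(owner: str, repo: str, per_page: int = 100) -> list:
    """argv for the call the automation makes: GET /repos/{owner}/{repo}/dependabot/alerts.

    With -X GET, gh api sends -f fields as query parameters. Built only, not run here.
    """
    return [
        "gh", "api",
        "-X", "GET",
        "-H", "Accept: application/vnd.github+json",
        f"/repos/{owner}/{repo}/dependabot/alerts",
        "-f", "state=open",
        "-f", f"per_page={per_page}",
    ]


def alert_key(alert: dict) -> tuple:
    """Rank by severity label, then CVSS score, then oldest alert number."""
    adv = alert["security_advisory"]
    cvss = (adv.get("cvss") or {}).get("score") or 0.0
    return (SEVERITY_RANK.get(adv.get("severity"), 0), cvss, -alert["number"])


def pick_highest_severity(alerts: list) -> Optional[dict]:
    """Return the most severe alert whose state is still 'open', or None."""
    open_alerts = [a for a in alerts if a.get("state") == "open"]
    if not open_alerts:
        return None
    return max(open_alerts, key=alert_key)


def pr_summary(alert: dict) -> dict:
    """Assemble PR title and body with the details the automation reports."""
    adv = alert["security_advisory"]
    vuln = alert["security_vulnerability"]
    pkg = vuln["package"]["name"]
    patched = (vuln.get("first_patched_version") or {}).get("identifier")
    cvss = (adv.get("cvss") or {}).get("score")
    title = f"fix(deps): upgrade {pkg} to {patched} (Dependabot alert #{alert['number']})"
    body = "\n".join([
        f"Alert: #{alert['number']} ({adv['severity']})",
        f"Advisory: {adv.get('ghsa_id')} / {adv.get('cve_id') or 'no CVE assigned'}",
        f"CVSS: {cvss}",
        f"Manifest: {alert['dependency']['manifest_path']}",
        f"Vulnerable range: {vuln['vulnerable_version_range']}",
        f"Patched version: {patched}",
        "",
        "Verification:",
        "- [ ] ./mvnw compile test passes",
        "- [ ] ./mvnw dependency:tree shows the patched version",
    ])
    return {"title": title, "body": body, "patched_version": patched}


# Constructed sample response (placeholder GHSA/CVE ids, not real advisories).
SAMPLE_ALERTS = json.loads("""
[
  {"number": 7, "state": "open", "dependency": {"manifest_path": "pom.xml"},
   "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0001", "cve_id": "CVE-0000-00001",
                         "severity": "high", "cvss": {"score": 7.5}},
   "security_vulnerability": {"package": {"ecosystem": "maven", "name": "org.example:lib-a"},
                              "vulnerable_version_range": "< 1.2.3",
                              "first_patched_version": {"identifier": "1.2.3"}}},
  {"number": 9, "state": "open", "dependency": {"manifest_path": "pom.xml"},
   "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0002", "cve_id": null,
                         "severity": "critical", "cvss": {"score": 9.8}},
   "security_vulnerability": {"package": {"ecosystem": "maven", "name": "org.example:lib-b"},
                              "vulnerable_version_range": ">= 2.0.0, < 2.4.1",
                              "first_patched_version": {"identifier": "2.4.1"}}},
  {"number": 12, "state": "open", "dependency": {"manifest_path": "pom.xml"},
   "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0003", "cve_id": "CVE-0000-00003",
                         "severity": "high", "cvss": {"score": 8.8}},
   "security_vulnerability": {"package": {"ecosystem": "maven", "name": "org.example:lib-c"},
                              "vulnerable_version_range": "< 3.0.1",
                              "first_patched_version": {"identifier": "3.0.1"}}},
  {"number": 3, "state": "dismissed", "dependency": {"manifest_path": "pom.xml"},
   "security_advisory": {"ghsa_id": "GHSA-PLACEHOLDER-0004", "cve_id": "CVE-0000-00004",
                         "severity": "critical", "cvss": {"score": 9.1}},
   "security_vulnerability": {"package": {"ecosystem": "maven", "name": "org.example:lib-d"},
                              "vulnerable_version_range": "< 0.9",
                              "first_patched_version": {"identifier": "0.9"}}}
]
""")

if __name__ == "__main__":
    chosen = pick_highest_severity(SAMPLE_ALERTS)
    print(" ".join(gh_api_command("octo-org", "spring-petclinic")))
    print(pr_summary(chosen)["title"])
    print(pr_summary(chosen)["body"])
```

Dismissed alerts are skipped even when their severity is higher, which matches the "open" filter the automation applies; ties within a severity label fall back to the CVSS score so the agent works the most impactful finding first.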
Set up scanners so that alerts appear under Security in your GitHub repo. This repo uses Dependabot, CodeQL, Trivy, and OSV-Scanner — see the .github/workflows/ directory for examples. Use whichever combination fits your project.
GitHub docs:
- Dependabot alerts
- Code scanning (CodeQL)
- Third-party SARIF uploads (Trivy, OSV-Scanner, etc.)
Copy the two automation files into your repo:
.ona/fix-dependabot-alert.yaml
.ona/fix-codescan-alert.yaml
Adjust the agent prompts if your project uses a different build tool (e.g., replace ./mvnw with ./gradlew or npm).
Log in to Ona before running any ona ai commands:
ona login
Use the Ona CLI to register each automation:
ona ai automation create .ona/fix-dependabot-alert.yaml
ona ai automation create .ona/fix-codescan-alert.yaml
After editing a YAML file, update the registered automation. First find the automation ID:
ona ai automation list
Then apply the updated file:
ona ai automation update <automation-id> .ona/fix-dependabot-alert.yaml
Trigger them manually from the Ona dashboard or via the CLI. Each run picks the highest-severity open alert, fixes it, and opens a PR.
The Spring PetClinic sample application is released under version 2.0 of the Apache License.
