> ## Documentation Index
> Fetch the complete documentation index at: https://gump.build/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Fix

> Audit vulnerabilities, then patch each one with a regression test.

<Note>
  **Community pattern** — copy this YAML and adapt the security scanner to your project. Not available as a built-in via `gump run`.
</Note>

## When to use

When a scanner reports several findings and you want each one fixed in isolation, with a regression test per fix, and the whole tree checked for compilation and passing tests once all fixes are in.

## The workflow

```yaml
name: security-fix
max_budget: 8.00

steps:
  - name: audit
    type: split
    get:
      context:
        - bash: "gosec ./... 2>&1 || true"
      prompt: |
        Analyze the security scan results.
        Produce a task for each vulnerability with the fix strategy and affected files.
    run:
      agent: claude-opus
    gate: [schema]
    hitl: before_gate
    each:
      - name: fix
        type: code
        get:
          prompt: |
            Fix this vulnerability: {task.description}
            Write a regression test proving the fix.
            Only modify: {task.files}
        run:
          agent: claude-sonnet
          guard:
            max_turns: 40
        gate: [compile, test, "touched: *_test.*"]
        retry:
          - attempt: 3
            agent: claude-opus
          - exit: 4

  - name: quality
    gate: [compile, test]
```
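The audit step above leaves task generation to the model. As an added example (not gump's code and not part of this pattern), the same step done deterministically in Go: it parses a gosec `-fmt=json` report, emits one task per rule with the affected files listed once and made repo-relative, and applies the checks a `schema` gate would apply before any fix step is spawned. The `Task` struct, the `repoRoot` argument and the report embedded below are assumptions for the example; the page only fixes the `{task.description}` and `{task.files}` placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// Task is the shape the fix step consumes via {task.description} and
// {task.files}; the struct itself is an assumption for this example.
type Task struct {
	Description string   `json:"description"`
	Files       []string `json:"files"`
}

// gosecReport covers the fields of gosec's -fmt=json output the audit needs.
type gosecReport struct {
	Issues []struct {
		Severity string `json:"severity"`
		RuleID   string `json:"rule_id"`
		Details  string `json:"details"`
		File     string `json:"file"`
		Line     string `json:"line"`
		CWE      struct {
			ID string `json:"id"`
		} `json:"cwe"`
	} `json:"Issues"`
}

// sampleReport is a constructed gosec JSON report, not real scan output:
// two G304 findings in different files and one G401 finding.
const sampleReport = `{"Issues":[
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"22"},"rule_id":"G304",
  "details":"Potential file inclusion via variable","file":"/repo/internal/report/read.go","line":"27","column":"17"},
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"22"},"rule_id":"G304",
  "details":"Potential file inclusion via variable","file":"/repo/cmd/export/main.go","line":"41","column":"9"},
 {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"328"},"rule_id":"G401",
  "details":"Use of weak cryptographic primitive","file":"/repo/internal/auth/token.go","line":"12","column":"10"}
],"Stats":{"files":3,"lines":420,"found":3}}`

// TasksFromGosec emits one task per rule, so a fix agent handles every
// occurrence of the same weakness together. gosec reports absolute paths;
// they are made relative to repoRoot so {task.files} stays inside the tree.
func TasksFromGosec(raw []byte, repoRoot string) ([]Task, error) {
	var rep gosecReport
	if err := json.Unmarshal(raw, &rep); err != nil {
		return nil, fmt.Errorf("parse gosec json: %w", err)
	}
	byRule := map[string]*Task{}
	seen := map[string]bool{} // rule_id + file already listed
	var order []string        // first-seen order keeps the output stable
	for _, is := range rep.Issues {
		file := is.File
		if filepath.IsAbs(file) {
			if rel, err := filepath.Rel(repoRoot, file); err == nil {
				file = rel
			}
		}
		t, ok := byRule[is.RuleID]
		if !ok {
			t = &Task{Description: fmt.Sprintf("%s (CWE-%s, %s): %s", is.RuleID, is.CWE.ID, is.Severity, is.Details)}
			byRule[is.RuleID] = t
			order = append(order, is.RuleID)
		}
		t.Description += fmt.Sprintf("\n  - %s:%s", file, is.Line)
		if key := is.RuleID + "\x00" + file; !seen[key] {
			seen[key] = true
			t.Files = append(t.Files, file)
		}
	}
	tasks := make([]Task, 0, len(order))
	for _, id := range order {
		sort.Strings(byRule[id].Files)
		tasks = append(tasks, *byRule[id])
	}
	return tasks, nil
}

// ValidateTasks is the kind of check a [schema] gate applies: a description,
// at least one file, and no file outside the repository, which
// "Only modify: {task.files}" would otherwise let a fix agent touch.
func ValidateTasks(tasks []Task) error {
	if len(tasks) == 0 {
		return fmt.Errorf("no tasks produced")
	}
	for i, t := range tasks {
		if strings.TrimSpace(t.Description) == "" || len(t.Files) == 0 {
			return fmt.Errorf("task %d: needs a description and at least one file", i)
		}
		for _, f := range t.Files {
			if filepath.IsAbs(f) || f == ".." || strings.HasPrefix(f, "../") {
				return fmt.Errorf("task %d: %q is outside the repository", i, f)
			}
		}
	}
	return nil
}

func main() {
	tasks, err := TasksFromGosec([]byte(sampleReport), "/repo")
	if err != nil {
		panic(err)
	}
	if err := ValidateTasks(tasks); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(tasks, "", "  ")
	fmt.Println(string(out))
}
```

Grouping by rule rather than by finding is a deliberate choice: two G304 hits usually share one fix strategy, and a single agent run can keep them consistent, while the per-file list still bounds what it may modify.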

## Customize

<AccordionGroup>
  <Accordion title="Use a different scanner">
    Replace `gosec` with `npm audit`, `cargo audit`, or your own tool. Keep the `|| true`: scanners exit non-zero when they find something, and the step needs the output, not the exit code. Prefer machine-readable output (`gosec -fmt=json`, `npm audit --json`, `cargo audit --json`) so the audit prompt can enumerate findings reliably. Dependency auditors report vulnerable packages rather than code patterns, so adapt the audit prompt accordingly: the fix strategy for those tasks is a dependency upgrade, not a patch to application code.
  </Accordion>

  <Accordion title="Add manual review">
    Add `hitl: after_gate` on the fix step to review each patch after it has passed the compile and test gates, before the workflow moves on. The audit step already pauses with `hitl: before_gate`; that is the place to prune or merge tasks before any fix runs.
  </Accordion>
</AccordionGroup>
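The fix step hands an agent one task and requires a regression test proving the fix. As an added example (not gump's code and not part of this pattern), here is what that deliverable looks like in Go for a gosec G304 finding, the path-traversal rule a scan of a typical service is likely to raise: the flagged pattern as hypothetical pre-fix code, the hardened version with the same signature, and the regression test the `touched: *_test.*` gate would look for. All names (`ReadReportBefore`, `SafePath`, `ReadReportAfter`) and the report-directory scenario are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"testing"
)

// ErrInvalidPath is returned when name does not resolve to a file under dir.
var ErrInvalidPath = errors.New("name does not resolve to a file under the report directory")

// ReadReportBefore is the pattern gosec G304 reports (hypothetical pre-fix
// code): a caller-controlled name joined onto a directory and read.
// filepath.Join cleans the result, but ".." still walks out of dir.
func ReadReportBefore(dir, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(dir, name))
}

// SafePath resolves name under dir lexically and refuses absolute names, the
// directory itself, and anything that lands outside dir. Symlinks inside dir
// are not followed here; resolve dir with filepath.EvalSymlinks first if it
// may contain untrusted links.
func SafePath(dir, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrInvalidPath
	}
	root, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, name) // Join runs Clean, so "a/../../x" is normalised first
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrInvalidPath
	}
	return target, nil
}

// ReadReportAfter is the fixed version: same signature, so callers listed in
// {task.files} need no change.
func ReadReportAfter(dir, name string) ([]byte, error) {
	p, err := SafePath(dir, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p) // #nosec G304 -- p is validated by SafePath
}

// TestReadReportRejectsTraversal is the regression test the fix step must
// add. In the repository it belongs in a *_test.go file next to the fix so
// the "touched: *_test.*" gate sees it; it is kept in this one file here.
func TestReadReportRejectsTraversal(t *testing.T) {
	base := t.TempDir()
	reports := filepath.Join(base, "reports")
	secret := filepath.Join(base, "secret.txt") // sibling of the report dir
	if err := os.Mkdir(reports, 0o750); err != nil {
		t.Fatal(err)
	}
	for p, body := range map[string]string{secret: "token=abc", filepath.Join(reports, "q1.txt"): "ok"} {
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			t.Fatal(err)
		}
	}
	for _, name := range []string{"../secret.txt", "x/../../secret.txt", secret, ".", ""} {
		if _, err := ReadReportAfter(reports, name); !errors.Is(err, ErrInvalidPath) {
			t.Fatalf("%q: want ErrInvalidPath, got %v", name, err)
		}
	}
	if got, err := ReadReportAfter(reports, "q1.txt"); err != nil || string(got) != "ok" {
		t.Fatalf("legitimate read failed: %v (%q)", err, got)
	}
}

// main shows the difference the test locks in: the old code reads the
// sibling file, the new code refuses the same name.
func main() {
	base, _ := os.MkdirTemp("", "g304")
	defer os.RemoveAll(base)
	reports := filepath.Join(base, "reports")
	_ = os.Mkdir(reports, 0o750)
	_ = os.WriteFile(filepath.Join(base, "secret.txt"), []byte("token=abc"), 0o600)
	before, _ := ReadReportBefore(reports, "../secret.txt")
	_, after := ReadReportAfter(reports, "../secret.txt")
	fmt.Printf("before fix: %q\nafter fix: %v\n", before, after)
}
```

The test exercises only the fixed function: a regression test proves the new behaviour and must not depend on the vulnerable code surviving. Keeping the signature unchanged is what lets "Only modify: {task.files}" hold, since no caller outside the listed files needs to be touched.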
