feat: add Snyk Remediation Agent code action provider [IDE-2052] #1327

Draft
bastiandoetsch wants to merge 2 commits into feat/IDE-2052-pr1 from feat/IDE-2052-pr2


@bastiandoetsch bastiandoetsch commented Jun 8, 2026

Contributor

User description

Summary

  • Add RemediationProvider interface and NoopProvider
  • Add CodeActionsService.remediationCodeActions — offers RemediationAgentQuickFix for Code issues with HasAIFix=true and non-empty FindingId
  • Action is deferred: edit is nil at list time, computed on codeAction/resolve
  • Product filter guards: non-Code products and non-AI-fixable issues get no action
  • Wire RemediationProvider into di/init.go (nil when feature flag off)

PR Stack — Merge Order

flowchart LR
    main(["main"])
    PR1["#1326 PR-1\nfindingId + kind"]
    PR2["#? PR-2 ← YOU ARE HERE\nCA provider"]
    PR3["#? PR-3\nremy initial"]
    PR4["#? PR-4\nworktree impl"]
    PR5["#? PR-5\nunit tests"]
    PR6["#? PR-6\ninteg+smoke tests"]
    main --> PR1 --> PR2 --> PR3 --> PR4 --> PR5 --> PR6
    style PR2 fill:#ffd700,color:#000

Depends on: #1326

Test plan

  • make test passes

PR Type

Enhancement, Tests


Description

  • Introduce the RemediationProvider interface and NoopProvider.

  • Integrate the Remediation Agent into the CodeActionsService.

  • Offer deferred "Fix with Snyk Remediation Agent" code actions for fixable findings.

  • Add comprehensive tests for the new remediation functionality.


Diagram Walkthrough

flowchart LR
  CodeActionsService["CodeActionsService"] -- "Uses" --> RemediationProvider["RemediationProvider (Interface)"]
  RemediationProvider -- "Implemented by" --> NoopProvider["NoopProvider (Initial)"]
  CodeActionsService -- "Generates" --> DeferredCodeAction["Deferred Code Action"]
  DeferredCodeAction -- "Resolves via" --> RemediationProvider
  RemediationProvider -- "Requests" --> RemediationRequest["RemediationRequest"]
  RemediationRequest -- "Contains" --> FindingDetails["Finding ID, File, Range"]
  RemediationProvider -- "Returns" --> WorkspaceEdit["WorkspaceEdit (Lazy)"]

File Walkthrough

Relevant files

Enhancement (4 files)
  • codeaction.go: Integrate remediation provider into code actions service (+75/-15)
  • init.go: Initialize code action service with nil remediation provider (+1/-1)
  • noop.go: Add Noop remediation provider implementation (+32/-0)
  • provider.go: Define remediation provider interface and request (+40/-0)

Tests (4 files)
  • codeaction_test.go: Update code action tests for new constructor (+3/-3)
  • remediation_test.go: Add remediation agent code action tests (+272/-0)
  • test_init.go: Test DI initialization with nil remediation provider (+1/-1)
  • noop_test.go: Test Noop remediation provider (+34/-0)

snyk-io Bot commented Jun 8, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| | Code Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@snyk-pr-review-bot


PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Improper Context Usage 🟡 [minor]

The deferredEdit closure uses context.Background() when calling provider.Remediate. This prevents the remediation request from being canceled if the client disconnects or times out during the codeAction/resolve call. While ResolveCodeAction currently doesn't accept a context, the closure should ideally be designed to respect the caller's lifecycle if the interface is updated, or at least note that this call cannot be aborted.

edit, err := provider.Remediate(context.Background(), remediation.RemediationRequest{

Incorrect Range Scope 🟡 [minor]

In remediationCodeActions, the code assigns issueRange := r, where r is the range of the overall LSP request (params.Range). If a user selects a large block of code containing multiple issues, the remediation agent for a specific finding will receive the entire selection range instead of the precise range of the finding (issue.GetRange()). This can lead to the agent attempting to fix the wrong code or failing due to lack of local context.

issueRange := r

📚 Repository Context Analyzed

This review considered 17 relevant code sections from 13 files (average relevance: 0.95)
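
The two review points above (a resolve-time call that cannot be cancelled, and the selection range being passed in place of the finding's own range), as an added example that is not code from this PR. `Range`, `Request`, `Issue`, `Provider`, `DeferredEdit` and `slowProvider` are hypothetical stand-ins, and the finding ID is a constructed sample.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// Hypothetical stand-ins for illustration; not the types used in this PR.
type Range struct{ StartLine, EndLine int }
type Request struct {
	FindingID string
	Range     Range
}
type Issue struct {
	FindingID string
	Range     Range
}
type Provider func(ctx context.Context, req Request) (string, error)

// DeferredEdit builds the closure that runs at resolve time. The closure takes
// the caller's ctx (not context.Background()) so a client timeout aborts the
// call, and the request carries the issue's own range, not the selection range.
func DeferredEdit(p Provider, issue Issue) func(ctx context.Context) (string, error) {
	req := Request{FindingID: issue.FindingID, Range: issue.Range}
	return func(ctx context.Context) (string, error) { return p(ctx, req) }
}

// slowProvider simulates a long-running agent call that honours cancellation.
func slowProvider(ctx context.Context, req Request) (string, error) {
	select {
	case <-time.After(2 * time.Second):
		return fmt.Sprintf("edit for %s, lines %d-%d", req.FindingID, req.Range.StartLine, req.Range.EndLine), nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func main() {
	issue := Issue{FindingID: "constructed-finding-1", Range: Range{12, 14}} // constructed sample
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	_, err := DeferredEdit(slowProvider, issue)(ctx)
	fmt.Println("aborted by deadline:", err == context.DeadlineExceeded)
}
```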

@bastiandoetsch

Contributor Author

/describe

@snyk-pr-review-bot


PR Description updated to latest commit (58ce900)

bastiandoetsch marked this pull request as draft June 8, 2026 12:17

@bastiandoetsch

Contributor Author

/describe

@bastiandoetsch

Contributor Author

/describe

@snyk-pr-review-bot


PR Description updated to latest commit (99f2243)

@basti-snyk

Contributor

/describe

@snyk-pr-review-bot


PR Description updated to latest commit (a2330ca)

…E-2052]

Add RemediationProvider interface (domain/snyk/remediation) and wire it into
CodeActionsService. When a provider is configured, GetCodeActions attaches a
deferred "Fix with Snyk Remediation Agent" action to each fixable finding that
has a stable FindingId. The action resolves lazily via codeAction/resolve so fix
computation does not block the action list.

Production DI passes nil, so no Remy actions appear until a real provider is
wired. The nil guard suppresses action generation entirely, keeping the current
IDE behaviour unchanged.

The RemediationAgentQuickFix kind ("quickfix.snyk.remediationAgent") lets
clients identify the action by kind rather than by localised title.

Remy remediation is now offered for Snyk Code (HasAIFix), Snyk Open
Source (upgradable), and Snyk IaC findings. Secrets are excluded
because automated secret remediation requires credential rotation
outside remy's scope.

IaC bypasses the IsFixable guard (which always returns false for IaC)
so remy can be offered. Code and OSS retain the IsFixable check to
ensure a fixability signal exists before invoking the agent.

Add tests for Secrets (excluded), ProductUnknown (excluded), and IaC
(offered) product filter branches.

Labels

depends-on-1326 Depends on PR #1326
