FixVibe


AI fix prompts

Below the remediation advice for every finding there is a "Copy fix prompt" button. Click it and paste the result into Claude / Cursor / Copilot; the agent receives a standard fix recipe tailored to your codebase's framework and to that vulnerability. We do not call the Claude API.

How it works

A click combines two kinds of data:

  • The finding — the issue summary, affected surface, remediation guidance, and safe evidence needed to help your coding agent fix it.
  • Your app context — FixVibe uses scan context when available to choose a framework-aware remediation shape, and falls back to a generic recipe when it cannot infer enough context.

Fix prompts are rendered server-side from FixVibe remediation guidance. They are designed for copy-paste use in Cursor, Claude Desktop, Copilot, or another coding agent without exposing the internal prompt registry in the browser.

What a prompt looks like

Fix the "Reflected XSS in /search?q=" vulnerability at /search.

Issue: Query parameter q is rendered into the response body without
escaping; an attacker can inject <script> via crafted URLs.

Codebase context: Next.js.

Recommended fix:
In Next.js, render user-supplied values through JSX ({value}) so React's
automatic escaping kicks in. For server components rendering rich HTML,
sanitize with DOMPurify (server-side via JSDOM) before output.

Constraints:
- Don't break existing tests; run the test suite after the change.
- Match the codebase's existing style and lint config.
- Add a brief comment explaining the security reasoning only where the
  fix would otherwise look arbitrary.
- If the fix needs a new dependency, install it via the project's
  package manager (npm / pnpm / pip / bundle / composer).

Reference: CWE-79 — see https://cwe.mitre.org/data/definitions/79.html
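The sample prompt above describes the "before" state (the raw query lands in the response body) and the fix (route user-supplied values through escaping). The following is an added example, not FixVibe code and not a React component: it shows both shapes in plain Node.js so it runs without a JSX toolchain, with `escapeHtml` applying the same five-character escaping that React performs for `{value}` in JSX. The function names and the test query are constructed for illustration.

```javascript
// Added example (not FixVibe's code): the defect the sample prompt describes
// and the remediation it recommends, in plain Node.js.
// renderSearchUnsafe mirrors interpolating the raw query into markup (the
// "before" state); renderSearchSafe applies the contextual escaping that
// React's JSX does automatically for {value}.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the query parameter is written into the body verbatim.
function renderSearchUnsafe(q) {
  return `<h1>Results for ${q}</h1>`;
}

// Hardened: every user-supplied value goes through the escaper first.
function renderSearchSafe(q) {
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// Regression guard for a test suite: an executable <script> tag that was not
// part of the template must never appear in the rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed test input, not a captured request.
const constructedQuery = '<script>alert(1)</script>';

console.log('unsafe :', renderSearchUnsafe(constructedQuery));
console.log('safe   :', renderSearchSafe(constructedQuery));
console.log('unsafe contains script tag:', containsScriptTag(renderSearchUnsafe(constructedQuery)));
console.log('safe contains script tag  :', containsScriptTag(renderSearchSafe(constructedQuery)));
```

In a real Next.js codebase the hardened form is simply `<h1>Results for {q}</h1>` in JSX; the manual escaper exists here only to make the mechanism visible and testable outside React. Whichever form is used, `containsScriptTag`-style assertions belong in the test suite the prompt asks the agent to run after the change.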

Supported frameworks

We provide framework-specific snippets for:

  • Next.js, React, Vue, Nuxt, Svelte (frontend)
  • Express, Fastify (Node.js backend)
  • Django, Flask (Python)
  • Ruby on Rails
  • Laravel (PHP)
  • ASP.NET Core fallback guidance

Framework context is best-effort. If FixVibe cannot infer enough safely from the scan, the prompt asks your coding agent to inspect the repository before applying the fix.
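The "How it works" section and the best-effort framework rule above describe a server-side templater: combine the finding with whatever scan context is available, pick a framework-aware recipe, and fall back to a generic recipe that tells the agent to inspect the repository first. The following is an added example of that assembly logic, not FixVibe's implementation or its prompt registry; the `RECIPES` table, the `buildFixPrompt` / `chooseRecipe` names, the finding object and the context shape are all constructed here to mirror the sample prompt shown earlier.

```javascript
// Added example (not FixVibe's implementation): assembling a fix prompt
// server-side from a finding plus best-effort app context, with a generic
// fallback when the framework cannot be inferred from the scan.

// Constructed recipe registry keyed by CWE, then framework. A real registry
// would be larger and stay server-side, never shipped to the browser.
const RECIPES = {
  'CWE-79': {
    'Next.js': "In Next.js, render user-supplied values through JSX ({value}) so React's automatic escaping kicks in. For server components rendering rich HTML, sanitize with DOMPurify (server-side via JSDOM) before output.",
    'Django': 'Keep template autoescaping on and never mark user input with |safe or mark_safe(); for rich HTML, sanitize with an allowlist-based cleaner before rendering.',
  },
};

// Generic recipe: the agent must read the code before changing it.
function genericRecipe(finding) {
  return `Inspect the repository to identify the web framework and templating layer in use, then apply the standard ${finding.cwe} remediation for that stack. Do not guess; read the code first.`;
}

// Constraints are framework-independent and appended to every prompt.
const CONSTRAINTS = [
  "Don't break existing tests; run the test suite after the change.",
  "Match the codebase's existing style and lint config.",
  'Add a brief comment explaining the security reasoning only where the fix would otherwise look arbitrary.',
  "If the fix needs a new dependency, install it via the project's package manager (npm / pnpm / pip / bundle / composer).",
];

// Use the framework-specific recipe only when both CWE and framework are
// known; otherwise fall back. Returns the text and whether fallback happened.
function chooseRecipe(finding, context) {
  const byCwe = RECIPES[finding.cwe];
  const framework = context && context.framework;
  if (byCwe && framework && byCwe[framework]) {
    return { text: byCwe[framework], fallback: false };
  }
  return { text: genericRecipe(finding), fallback: true };
}

// Render the prompt as plain text in the shape the docs show.
function buildFixPrompt(finding, context) {
  const recipe = chooseRecipe(finding, context);
  const frameworkLine = recipe.fallback ? 'unknown (inspect the repository first)' : context.framework;
  const cweNumber = finding.cwe.replace('CWE-', '');
  return [
    `Fix the "${finding.title}" vulnerability at ${finding.surface}.`,
    '',
    `Issue: ${finding.summary}`,
    '',
    `Codebase context: ${frameworkLine}.`,
    '',
    'Recommended fix:',
    recipe.text,
    '',
    'Constraints:',
    ...CONSTRAINTS.map((c) => `- ${c}`),
    '',
    `Reference: ${finding.cwe} - see https://cwe.mitre.org/data/definitions/${cweNumber}.html`,
  ].join('\n');
}

// Constructed finding mirroring the docs' sample; not a real scan result.
const sampleFinding = {
  title: 'Reflected XSS in /search?q=',
  surface: '/search',
  summary: 'Query parameter q is rendered into the response body without escaping; an attacker can inject <script> via crafted URLs.',
  cwe: 'CWE-79',
};

console.log(buildFixPrompt(sampleFinding, { framework: 'Next.js' }));
console.log('\n--- same finding, no usable framework context ---\n');
console.log(buildFixPrompt(sampleFinding, null));
```

The same `buildFixPrompt` call is what an MCP slash command handler would run after looking up the finding by id: no model call is needed, because everything the prompt contains comes from the finding, the scan context and the static recipe table.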

Using it from your AI agent

If you have already connected the MCP server, the same prompt is also exposed as a slash command. From Claude Desktop:

/fixvibe-fix finding_id=550e8400-e29b-41d4-a716-446655440000

The server looks up the finding, applies available scan context, renders the remediation prompt, and injects it into your conversation as the user message. No third-party LLM API call is made by FixVibe for this templated prompt.

Why we don't call Claude on every click

At launch we considered calling the Anthropic API on every click to refine the prompt with codebase context. We did not, because:

  • The agent the user pastes into already has codebase context: they are using it inside Cursor / Claude Desktop with the repository open.
  • Server-side templating covers the common remediation paths without any per-click model call.
  • If users need it, an optional "refine with AI using my codebase context" toggle that triggers the API could be offered later. It does not exist today.