Imagine walking into a factory. Conveyor belts hum. Workers move precisely, each knowing their role. Machines whir, inspectors double-check every part. That’s kind of what our Fix Pipeline looks like-except instead of screws and widgets, we’re dealing with vulnerable packages.
Knowing a vulnerability exists isn’t the challenge anymore. The real challenge is fixing it. Resolved Security tackles this by providing secure-by-default, drop-in replacements, of the open-source packages we all rely on, allowing companies to remediate vulnerabilities without changing a single line of code in their own product. But this tall promise can only be achieved if we deliver a tested, production-ready artifact, guaranteeing no breaks of anything else. Welcome to the factory floor.
Preamble: The Vulnerability Arrives on the Dock
Every day, new vulnerabilities roll in like raw materials. A CVE, a patch diff, or an advisory report lands on our dock. But here’s the first lesson: this isn’t enough to ship a fix.
We need context: which code paths matter? Which downstream services will break if we’re careless? The raw material is messy, incomplete, and sometimes outright contradictory-just like any factory receiving a shipment with missing labels.
Step 1: Agentic Patchers Take the Floor
Enter the agents. Think of them as skilled assembly-line workers who can read blueprints in multiple languages. Their job:
- Analyze the vulnerability
- Analyze the known fixes
- Decide if the vulnerability is indeed relevant & patchable, without breaking changes
- Figure out the minimal code changes required
- Adapt fixes across versions and APIs
- Test is thoroughly
This is agentic patching in action. The agents move fast, but they aren’t infallible. Some parts are ambiguous: incomplete advisories, inconsistent version histories, quirks specific to a package ecosystem.
That’s where humans step in. Supervisors walk the line, reviewing tricky cases, giving guidance, and approving final fixes. Automation moves quickly; humans prevent disasters.
Step 2: Building the Package - The Assembly Line
Once a fix is designed, it goes down the conveyor belt into the build station. The package is rebuilt from source, integrating the patch. But building alone isn’t enough.
The Fix Pipeline treats testing as a first-class step:
- Build the original, vulnerable package
- Run its tests
- Augment it with tests that validate the vulnerability and the fix
- Apply the fix
- Rebuild the package
- Run the same tests again
This “before-and-after” check proves two things:
- The vulnerability is gone
- Nothing else broke
Think of it as inspectors checking every product twice: before it leaves the assembly line and after it’s modified. This ensures the vulnerability is gone and nothing else is broken.
If a package fails its tests, it doesn’t move forward on the assembly line. Simple as that.
Step 3: Quality Control Is Non-Negotiable
On our factory floor, quality control isn’t a formality. Each package undergoes:
- Regression tests targeting modified code paths and vulnerable code
- Regression tests for unchanged behavior
- Build and packaging validation
If a package fails at any stage, it gets pulled off the line. No exceptions. We don’t just want “working fixes” - we want trustworthy fixes.
Step 4: Evidence Travels With the Product
Every step-agent patching, builds, tests, approvals-produces metadata. Think of this as a stamped quality certificate attached to each package.
When an artifact leaves the factory, it carries proof: what was fixed, what tests were run, and who approved it. Teams consuming the package don’t just get a patch-they get confidence.
Why a Factory, Not a One-Off Workshop
Fixing one vulnerability by hand is fine. Fixing hundreds or thousands across dozens of ecosystems? That requires a repeatable, observable process.
The Fix Pipeline is our factory:
- Conveyors (automation) keep packages moving
- Workers (agents) do precise assembly
- Inspectors (humans) verify every output before it’s released
Together, they allow us to scale without losing control, and to ship fixes that teams can actually trust.
What Leaves the Factory
When a vulnerability completes the pipeline, it leaves as:
- A rebuilt, secure package
- Tested before and after
- Reviewed and approved by humans
- Ready for production
- Attested and ready for audits
From raw vulnerability to verified fix. That’s what the Fix Pipeline produces: trustworthy artifacts at scale, without the chaos.
Final Thoughts
The Fix Pipeline isn’t magic. It’s sweat, judgment, and a lot of conveyor belts. It’s messy sometimes. It’s complicated. But it works brilliantly and allows us to deliver dozens of secured packages a day.
And if you’ve ever walked a real factory floor, you know: there’s a kind of beauty in watching a messy, chaotic process turn raw material into something reliable. That’s exactly what we do - fixing open-source vulnerabilities at scale.
