The five parts of a fix prompt that works
A good security fix prompt has five parts. The issue, named precisely: "SQL query built with an f-string, vulnerable to injection" — not "security problem". The location: file and line, so the agent edits the right code instead of searching and guessing. Why it matters: one sentence of consequence, which anchors the agent on intent rather than pattern-matching the wrong fix. The exact change: "convert to a parameterised query using the driver's placeholder syntax, passing values separately". And constraints — covered next, because they're what separates a fix from a mess.
Specificity is what makes this work. Given the exact location and the exact transformation, a coding agent is excellent at this kind of change; given a vague goal, it improvises, and improvisation in security fixes is how you get a half-rewritten auth layer you didn't ask for.
Why 'smallest diff' and 'check elsewhere' earn their place
"Smallest diff" caps the blast radius. Agents like to improve things they pass — renaming, restructuring, "cleaning up" — and every untouched-by-necessity line in a diff is review burden and regression risk. Constraining the change to the minimum keeps the fix verifiable: you can read the diff and confirm it does exactly one thing.
"Check for the same pattern elsewhere" points the other way: the location names one instance, but codebases repeat their mistakes — string-built SQL appears wherever queries got written, and hardcoded keys recur wherever the AI needed credentials. This constraint turns one finding into a sweep of the whole pattern. The two together — smallest possible change, applied everywhere the problem exists — are the shape of a good security fix, and they're in every prompt securevibes generates, along with ordered next steps that put credential rotation first, because keys in git history stay compromised after deletion.
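Below, as an added example that is not securevibes code, is a minimal sweep of the kind the second constraint asks for, run over constructed source snippets: it lists every repeat of the two patterns named above (f-string SQL and hardcoded keys) so a reviewer can check that the agent's diff reached each one.

```python
import re

# Constructed sample files (not a real repo): the flagged instance, the repeats
# a sweep should also catch, and two already-safe lines it should leave alone.
SAMPLE_FILES = {
    "app/users.py": [
        "cur.execute(f\"SELECT email FROM users WHERE name = '{name}'\")",
        'cur.execute("SELECT email FROM users WHERE name = ?", (name,))',
    ],
    "app/reports.py": [
        'query = f"DELETE FROM reports WHERE id = {report_id}"',
        "cur.execute(query)",
    ],
    "app/config.py": [
        'PAYMENTS_API_KEY = "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY"',
        'DB_PASSWORD = os.environ["DB_PASSWORD"]',
    ],
}

# An f-string whose literal opens with a SQL keyword, wherever it is built;
# reports.py shows why matching only execute(f"...") would miss a repeat.
FSTRING_SQL = re.compile(r'''\bf["']\s*(SELECT|INSERT|UPDATE|DELETE)\b''', re.I)
# A KEY/SECRET/PASSWORD/TOKEN-named variable assigned a string literal.
HARDCODED_SECRET = re.compile(
    r'''^\s*\w*(KEY|SECRET|PASSWORD|TOKEN)\w*\s*=\s*["']''', re.I)

def sweep(files):
    """Return (path, lineno, pattern) for every line matching either pattern.
    This is a review aid: it gives the reviewer a list to check the diff
    against, not proof that no other instance exists."""
    hits = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            if FSTRING_SQL.search(line):
                hits.append((path, lineno, "fstring_sql"))
            if HARDCODED_SECRET.search(line):
                hits.append((path, lineno, "hardcoded_secret"))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_FILES):
        print("%s:%d  %s" % hit)
```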
Review the diff — always
Agent-applied fixes get reviewed before they get committed; that's the discipline that makes this workflow safe. Read the diff and check three things: the flagged issue is actually fixed (the interpolated value now goes through a placeholder, the key now comes from an environment variable), nothing unrelated changed, and behaviour is preserved — same queries, same responses, just safe. Then run the app or its checks before committing.
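Here is the SQL fix the prompt describes, as an added example that is not securevibes' or the article's own code: the flagged f-string query beside its parameterised form, with the review checks run against an in-memory SQLite table whose rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not from any real application).
ROWS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def find_email_before(conn, name):
    """The flagged code: the query text is built with an f-string, so the value
    is parsed as SQL. A name containing a quote already breaks the statement."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def find_email_after(conn, name):
    """The exact change the prompt asks for: the driver's placeholder carries
    the value separately, so it is always treated as data, never as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def review_fix(conn):
    """Two of the article's three diff checks, as code a reviewer can run.
    The third ("nothing unrelated changed") is a property of the diff itself
    and is checked by reading it."""
    # 1. Flagged issue fixed: the quote-bearing name that broke the f-string
    #    version is handled correctly by the parameterised one.
    try:
        find_email_before(conn, "O'Brien")
        broke_before = False
    except sqlite3.OperationalError:
        broke_before = True
    fixed = broke_before and find_email_after(conn, "O'Brien") == ["ob@example.com"]
    # 2. Behaviour preserved: identical results on ordinary input, including
    #    a miss and a case-sensitive near-match.
    same = all(find_email_before(conn, n) == find_email_after(conn, n)
               for n in ("alice", "nobody", "Alice"))
    return {"issue_fixed": fixed, "behaviour_preserved": same}

if __name__ == "__main__":
    print(review_fix(make_db()))
```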
The loop closes with a re-scan: paste the repo into securevibes again and watch the findings disappear and the score move. The free credits fit this exactly — scan, fix, verify. For repos with a long findings list, the fix-everything mega-prompt covers all findings in severity order in a single paste; review the resulting diff with proportionally more care, since the change set is larger.
how it works
- 01 Start from a concrete finding
Run a scan so each issue comes with a file, line, and severity. A securevibes finding already includes the full fix prompt — for manual prompts, gather the same details first.
- 02 State issue, location, and why
Name the vulnerability precisely, point at the exact file and line, and include one sentence on the consequence so the agent fixes with intent.
- 03 Specify the exact change
Say what the code should become — parameterised query, env-var lookup, SafeLoader, verification re-enabled — not just that it should be 'fixed'.
- 04 Add the two constraints
'Smallest diff' to stop drive-by refactoring, and 'check for the same pattern elsewhere' so every instance gets fixed, not just the one you found.
- 05 Paste into Claude Code and review the diff
Confirm the flagged issue is fixed, nothing unrelated moved, and behaviour is preserved. Run your checks before committing.
- 06 Handle secrets in the right order
For any committed credential, rotate it at the provider before code changes — deletion doesn't remove it from git history. securevibes's next steps always lead with rotation.
- 07 Re-scan to verify
Run the scan again and confirm the findings are gone and the score moved. The free monthly credits cover a fix-and-verify loop.
frequently asked
- Why not just ask Claude to 'find and fix all security issues'?
- Discovery and fixing are different jobs. A freeform ask produces inconsistent discovery and sprawling changes. A scan gives you a stable, ranked list; targeted prompts give you small, verifiable diffs. securevibes splits it exactly that way: it finds, your agent fixes.
- What's in the prompts securevibes generates?
- Each one states the issue, the file and line, why it matters, the exact fix, and the constraints — smallest diff, check for the same pattern elsewhere. Every plan includes every prompt and the fix-everything mega-prompt; Pro scans get their analysis from Claude Opus instead of Haiku.
- What's the mega-prompt and when should I use it?
- A single prompt covering all findings in severity order, so one paste works through the whole report. It suits a dedicated fixing session on a repo with many findings — and warrants a more careful diff review afterwards, because the change set is bigger.
- Can the prompt fix a committed API key?
- It can move the key to an environment variable and clean up the code — but it can't un-leak it. Rotation at the provider has to come first, because the key stays in git history and may already be harvested. That ordering is built into securevibes's next steps.
Last updated June 10, 2026