Review and respond
Generate and review patches with Defend
Cover acknowledgement-triggered and bundled patch generation, eligibility, progress, generated patches, and revalidation.
userorg admin
capture: defend-findings
Outcome
You have launched Defend patch generation for one or more defend-ready findings — individually or as a bundle — and you can locate the generated patch, its evaluation, and the per-finding coverage.
Who can do it
- Requires the
patch.generatecapability on the repository — held by customers on their own repositories, by organization members with an owner's grant (directly or via the Repo owner role), and by site admins. - Members with only the Findings reviewer role can review decisions but cannot launch patch generation.
Before you begin
- Most patch runs start automatically: clicking Acknowledge true positive & generate patch during finding review launches Defend for that finding. Use this page when you held a patch back, want to relaunch, or want one patch covering several findings.
- Each finding you select must be
defend ready— acknowledged or confirmed, not rejected, and not already in a patch run. - A bundle must target a single environment and a single commit; the selection is refused otherwise.
- Patch generation is a cost-incurring agent run.
Steps
- Open Attack Surface (
/byos), select the repository, and click the defend ready filter chip on the Findings tab. - One finding: click Defend on its row.
- Several findings, one patch: tick the checkbox at the start of each row (Include in defend bundle) or click Select all defend-ready in the Defend bundle bar. The bar counts your selection (e.g. 3 selected); Clear resets it.
- Click Launch defend for selected — or Defend all ready (N) to skip selection and patch every defend-ready finding at once.
- The page reloads with the banner "Defend bundle launched." and
the run id as a link. The selected rows flip to
defend running. - Follow the run from that link (or via Monitor environments and scan jobs). One patch agent works across all bundled findings and produces a single diff.
- When it completes, the rows show
defendedand gain a defend ✓ link. Open it to read the defend result page: the patch evaluation with apass/partial/failverdict, thesource.diffartifact, and — for bundles — a per-finding coverage table with a rationale for each finding.
Verify
- The finding rows show
defendedand link to the defend result via defend ✓. - The defend result page shows an evaluation verdict and lists
source.diffunder the run's artifacts. - For a bundle, every selected finding appears in the coverage table with a verdict and rationale.
Troubleshooting
- "One or more selected findings are pending review or already
defending." — deselect rows that are not
defend ready; decide pending rows first via finding review. - "Bundle selection must target a single env." / "Bundle selection must target a single commit/ref." — your selection spans environments or commits; filter the page to one environment and reselect.
- "No defend-ready findings to bundle." — nothing is currently eligible; acknowledge findings first.
- "Select at least one finding before launching a bundle." — the selected-rows launch needs at least one checkbox ticked.
- Defend button disabled on a scan run page with "another defend is in flight for this run" — wait for the running patch job to finish.
- Patch verdict is
failorpartial— read the coverage rationale; relaunch Defend after a new scan, or capture the constraint as repository knowledge so future runs account for it.
Next steps
Ship the patch: Review and approve a Defend pull request. For where patching sits in the pipeline, see the Scan and finding lifecycle.
Last verified against commit c0bf54d on 2026-07-10 · capture scenario: defend-findings