Veracode launches Fix for open-source vulnerability repair
Veracode has launched Veracode Fix for Software Composition Analysis, a product designed to automate remediation of open-source vulnerabilities.
The launch comes as software supply chain breaches account for 30% of external attacks, according to figures cited by Veracode, while many development teams continue to carry large numbers of unresolved alerts.
The new tool extends Veracode's existing Fix offering into software composition analysis, which focuses on identifying risks in third-party and open-source components used in applications. It is designed to detect vulnerable dependencies and generate fixes before code reaches production.
The system integrates into existing developer workflows and delivers updates through pull requests in Git environments. It also refactors first-party code when needed to avoid breaking changes that can occur when a library upgrade affects an application's own code.
Veracode is positioning the product against a common complaint in application security: scanning tools often generate more alerts than teams can realistically address. This has contributed to rising security debt, particularly in organisations that rely heavily on open-source software.
Research cited in Veracode's 2026 State of Software Security report found that 82% of organisations are struggling with growing security debt linked largely to open-source dependencies. That has increased pressure on security vendors to show their products can do more than identify flaws and instead help engineering teams clear backlogs.
How it works
The product uses contextual analysis to examine the relationship between third-party dependencies and first-party code. The aim is to prevent fixes from causing build failures or other development disruption.
It also bundles the configuration changes and source code modifications for an upgrade into a single pull request for developers to review and merge. Veracode said the remediation engine is backed by a proprietary vulnerability database verified by human reviewers, which it says reduces the risk of inaccurate AI-generated fixes.
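To make the remediation problem concrete, here is an added example (not Veracode's code, and not a description of how its engine works): a small Python planner that reads pinned requirements, matches them against an advisory list, picks the smallest release that is outside every vulnerable range, classifies the bump as patch, minor or major so that major bumps can be flagged for first-party refactor review, and bundles all changes into one pull-request-sized change set. The package names, advisory identifiers (`DEMO-…`) and available version lists are constructed for the example and do not refer to real packages or real vulnerabilities.

```python
"""Toy dependency remediation planner (added example, not Veracode's code)."""
from dataclasses import dataclass

# --- Constructed sample input: fictitious packages, advisories and releases. ---
REQUIREMENTS = """\
acme-http==2.25.1
acme-yaml==5.3.1   # two chained advisories; the first safe release is a major bump
acme-cli==7.1.2    # no advisories, must be left untouched
"""

# Hypothetical advisories: vulnerable range is [introduced, fixed).
ADVISORIES = [
    {"id": "DEMO-0001", "package": "acme-http", "introduced": "2.0.0", "fixed": "2.31.0"},
    {"id": "DEMO-0002", "package": "acme-yaml", "introduced": "0.0.0", "fixed": "5.4.0"},
    {"id": "DEMO-0003", "package": "acme-yaml", "introduced": "5.4.0", "fixed": "6.0.1"},
]

# Releases assumed to exist on the package index (constructed).
AVAILABLE = {
    "acme-http": ["2.25.1", "2.28.0", "2.31.0", "2.32.3"],
    "acme-yaml": ["5.3.1", "5.4.1", "6.0.0", "6.0.1", "6.0.2"],
    "acme-cli": ["7.1.2", "8.0.0", "8.1.7"],
}


def parse_version(text: str) -> tuple:
    """Parse a strict X.Y.Z version into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def parse_requirements(text: str) -> dict:
    """Parse 'name==version' lines, ignoring blanks and comments."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"only exact pins are supported: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def advisories_for(package: str, version: str, advisories=ADVISORIES) -> list:
    """Return the advisories whose vulnerable range contains this exact version."""
    v = parse_version(version)
    return [a for a in advisories
            if a["package"] == package
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]


def bump_kind(old: str, new: str) -> str:
    """Classify the upgrade by semantic-versioning component that changed."""
    o, n = parse_version(old), parse_version(new)
    if n[0] != o[0]:
        return "major"
    return "minor" if n[1] != o[1] else "patch"


@dataclass
class Change:
    package: str
    old: str
    new: str
    bump: str
    advisories: list
    needs_refactor_review: bool  # major bump: first-party call sites may break


def plan_upgrades(requirements: str, advisories=ADVISORIES, available=AVAILABLE) -> list:
    """For each vulnerable pin, choose the smallest newer release outside every vulnerable range."""
    changes = []
    for package, pinned in parse_requirements(requirements).items():
        found = advisories_for(package, pinned, advisories)
        if not found:
            continue
        candidates = sorted(available.get(package, []), key=parse_version)
        # Re-check every candidate: a later release may sit inside a different advisory's range.
        safe = [v for v in candidates
                if parse_version(v) > parse_version(pinned)
                and not advisories_for(package, v, advisories)]
        if not safe:
            raise LookupError(f"no non-vulnerable release known for {package}")
        kind = bump_kind(pinned, safe[0])
        changes.append(Change(package, pinned, safe[0], kind,
                              [a["id"] for a in found], kind == "major"))
    return changes


def render_pull_request(requirements: str) -> dict:
    """Bundle all upgrades into one change set: new pins plus a review note per change."""
    pins = parse_requirements(requirements)
    changes = plan_upgrades(requirements)
    for c in changes:
        pins[c.package] = c.new
    notes = []
    for c in changes:
        note = f"{c.package}: {c.old} -> {c.new} ({c.bump}) fixes {', '.join(c.advisories)}"
        if c.needs_refactor_review:
            note += "; major bump, review first-party call sites for breaking API changes"
        notes.append(note)
    body = "".join(f"{name}=={ver}\n" for name, ver in pins.items())
    return {"requirements": body, "notes": notes}


if __name__ == "__main__":
    pr = render_pull_request(REQUIREMENTS)
    print(pr["requirements"])
    print("\n".join(pr["notes"]))
```

With the constructed data, `acme-http` gets a minor bump to 2.31.0, `acme-yaml` skips 5.4.1 and 6.0.0 (both inside the second advisory's range) and lands on 6.0.1, which is flagged as a major bump needing refactor review, and `acme-cli` is left alone. The refactor step itself, which the article says Veracode's product performs on first-party code, is out of scope here; the planner only identifies where it is needed.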
The company describes the approach as logic-driven AI combined with its own vulnerability intelligence. That is notable at a time when buyers are scrutinising how software suppliers use artificial intelligence and whether automated outputs are dependable enough for production environments.
Tim Jarrett, Vice President of Product Management at Veracode, said the shift reflects a broader change in the market.
"AI is accelerating software development, but it's also enabling an unprecedented explosion of supply chain risks," Jarrett said.
He said many organisations now need remediation as well as visibility.
"Visibility into these risks is no longer enough. Organisations need intelligent, automated solutions that not only find vulnerabilities but fix them with precision, giving development teams the confidence to innovate securely," Jarrett said.
Market pressure
Software composition analysis has become a more prominent part of application security as businesses increase their use of open-source packages and frameworks. This has expanded the attack surface beyond code written internally while also creating practical maintenance challenges for teams trying to keep dependencies up to date.
Security teams have long argued that patching open-source vulnerabilities is harder in practice than it appears in theory. A dependency may be deeply embedded in an application, and updating it can trigger compatibility issues across multiple files, settings and services. As a result, known issues can remain unresolved for long periods even after a scanner has identified them.
Veracode's latest launch reflects a wider industry effort to move remediation closer to the development process. Rather than handing developers lists of issues to triage manually, vendors are increasingly trying to insert code changes directly into source repositories and make fixes easier to test and merge.
The trend also reflects pressure on security teams, which are being asked to manage larger software estates without corresponding growth in headcount. Tools that can cut alert volumes or reduce the manual work tied to dependency management are likely to attract interest, especially among organisations with mature DevOps practices.
Jarrett said the goal is to automate library upgrades while handling any associated code changes in a single update.
"By enabling development teams to upgrade to safe open-source libraries automatically while addressing breaking changes with a single, testable update, we move organizations from seeing risk to actively eliminating it, strengthening the security of their software supply chains," Jarrett said.