LegacyFixer

Automated Python dependency security, without PR noise

LegacyFixer is a controlled GitHub App that scans selected repositories, detects known vulnerable Python dependencies, and opens review-ready pull requests only when repository settings allow it.

Audit-driven, not generative

Uses pip-audit for known Python dependency vulnerabilities. LegacyFixer does not rewrite application logic.

Review-first workflow

Creates isolated branches and pull requests for human review. It does not merge automatically.

No PR flooding

Repository-level limits control how many automated pull requests can be open at once.

Controlled beta scope

LegacyFixer monitors selected GitHub repositories, detects Python dependency vulnerabilities, and can open controlled pull requests when explicitly enabled.

Scans run asynchronously in the cloud. Pull requests are created only when repository settings allow it and when a fix is available.

LegacyFixer does not make broad code changes, refactor applications, or merge anything automatically. Fixes are proposed through pull requests for human review.

Review the public demo

Before requesting access, you can review a real LegacyFixer run on a public demo repository.

  1. Read-only status page showing the scan result, queue/run timing, and generated pull request link.
  2. Generated pull request showing the dependency-file change, CI result, and no automatic merge.

The demo shows the current v0.1 flow: a small dependency security change proposed as a reviewable pull request.

Request beta access

LegacyFixer is currently available only for selected beta repositories. It is not an open self-serve beta.

To request access, email [email protected] with a small public Python repository you would be comfortable testing on. If the repository fits the current beta scope, we will confirm the next steps.

  1. Send the GitHub repository URL for review.
  2. Use a small, non-critical public Python repository.
  3. Start with passive monitoring or one controlled PR-creation test, depending on the repository.
  4. If selected, install the GitHub App only on the approved repository.
  5. After the first push, review the read-only beta status page.

For the current PR-creation beta, the supported dependency manifest is requirements.txt. Do not use a production repository or sensitive code.


What beta testers see after a scan

LegacyFixer records scan status, result, queue wait, run time, and the reason why a pull request was or was not opened.

  Latest job ID: example
  Trigger: webhook
  Status: success
  Result: NO_ACTION
  Reason: passive_findings
  Queue wait: 2m 56s
  Run time: 27s

This example means LegacyFixer completed the scan, found dependency findings, and deliberately did not open a pull request because passive beta monitoring is enabled.

Controlled beta is open for selected repositories. The safest first step is passive monitoring: LegacyFixer records the result without creating pull requests. PR creation can be enabled later with explicit limits.
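To make that gating concrete, here is an added illustration that is not LegacyFixer's own code: it reads constructed findings in the shape of pip-audit's JSON output, applies the passive-monitoring and open-PR-limit gates described above, and shows the single-pin requirements.txt change a resulting pull request would carry. The settings keys, the sample data and every reason string other than passive_findings are assumptions made for the example.

```python
import json
import re
# Constructed sample shaped like `pip-audit -f json` output (an assumption about that
# format, not a real scan): one fixable finding, one with no fix, one clean package.
SAMPLE_AUDIT = json.dumps({"dependencies": [
    {"name": "examplepkg", "version": "1.0.0", "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1", "1.1.0"]}]},
    {"name": "nofixpkg", "version": "0.9.0", "vulns": [{"id": "EXAMPLE-0002", "fix_versions": []}]},
    {"name": "cleanpkg", "version": "3.2.0", "vulns": []},
]})
SAMPLE_REQUIREMENTS = "cleanpkg==3.2.0\nexamplepkg==1.0.0\nnofixpkg==0.9.0\n"

def _vkey(v):  # sort key for plain dotted numeric versions (assumed sufficient here)
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def findings(audit_json):
    """{name: (installed, target)}: target is the lowest version clearing every vuln
    of the package (max over vulns of each vuln's lowest fix), or None if any lacks one."""
    out = {}
    for dep in json.loads(audit_json)["dependencies"]:
        if dep["vulns"]:
            lowest = [min(v["fix_versions"], key=_vkey) for v in dep["vulns"] if v["fix_versions"]]
            target = max(lowest, key=_vkey) if len(lowest) == len(dep["vulns"]) else None
            out[dep["name"]] = (dep["version"], target)
    return out

def decide(audit_json, settings, open_automated_prs):
    """Gate one scan into (result, reason). 'passive_findings' is the reason shown on
    this page; the other reason strings are hypothetical."""
    found = findings(audit_json)
    if not found:
        return "NO_ACTION", "no_findings"
    if not settings.get("pr_creation_enabled", False):
        return "NO_ACTION", "passive_findings"  # passive monitoring: record only
    if all(target is None for _, target in found.values()):
        return "NO_ACTION", "no_fix_available"
    if open_automated_prs >= settings.get("max_open_prs", 1):
        return "NO_ACTION", "pr_limit_reached"  # repository-level cap on open PRs
    return "OPEN_PR", "fix_available"

def propose_requirements(requirements_text, audit_json):
    """Rewrite only '==' pins of fixable packages to their target version; unpinned
    lines, comments and unfixable packages are left untouched."""
    found = findings(audit_json)
    out = []
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*[^\s#;]+", line)
        target = found.get(m.group(1), (None, None))[1] if m else None
        out.append(f"{m.group(1)}=={target}" if target else line)
    return "\n".join(out) + "\n"
```

With PR creation disabled the sample yields the NO_ACTION / passive_findings record shown above; enabling it with a limit of one open PR yields OPEN_PR only while no automated PR is already open.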

Beta access is currently invitation-only.