Frequently asked questions about integrations | Fluid Attacks Help

Integrations FAQ

This page provides answers to frequently asked questions about Fluid Attacks' API and IDE plugin, especially privacy concerns regarding the features powered by GPT-4.

API

How can I start using the platform API?

To begin using the API, we recommend you read the articles on this Knowledge Base's Use the API section. Bear in mind that you will need prior knowledge of the GraphQL language to make requests to the API.

VS Code plugin

What technology do you use to generate the fixes?

Fluid Attacks uses large language models (LLMs), i.e., artificial intelligence designed for advanced text processing and generation. Based on enormous databases, LLMs can create natural language content and even code with accuracy and consistency.

Which LLM provider for the plugin is used?

OpenAI GPT-4.

How does it work, and what is the role of GPT-4 in your plugin?

GPT-4 in Fluid Attacks' IDE plugin or extension is crucial in generating code-based remediation guidelines ("Custom fix" functionality) and automatic code correction ("Autofix" functionality). The process begins with extracting a specific code fragment from the selected vulnerable file. This fragment is securely sent to GPT-4 through safe API-backend connectivity, and a response with remediation suggestions is later obtained.

What is the code access level of GPT-4?

The code sent to GPT-4 is interpreted using the context provided at the function/class level, specifically about the line of code containing the vulnerability. This AI model has no global knowledge of the source code or the business logic of the application under evaluation. It is clarified that its access to the code is limited to a small piece representing a specific function.

Does GPT-4 retain data, and for how long?

GPT-4 does not use the information sent for purposes other than generating solutions for correcting vulnerabilities. The data transmitted is retained for approximately 30 days to validate possible abuses of artificial intelligence. This approach ensures a privacy and security policy, guaranteeing that the information provided is treated with the utmost respect and used exclusively for the established purposes.

What is the data privacy with GPT-4?

Fluid Attacks understands the importance of maintaining the confidentiality and security of its customers' code. Fluid Attacks ensures compliance with strict privacy and data security policies by employing AI, such as the GPT-4 API, for vulnerability management.

Does your company use the plugin for internal usability?

Fluid Attacks' hacking team uses this tool in its daily work in vulnerability reporting.

What information does the plugin take?

Fluid Attacks' IDE extension uses or considers all the available information of the repositories listed in the platform's Scope section.

What version of AI is used?

Fluid Attacks uses the GPT-4 API, independent of the Enterprise version OpenAI offers. This ensures that Fluid Attacks has the necessary control over the information processed and is not subject to the data storage policies of the web or Enterprise versions.

Is the plugin available in other editors?

No. Fluid Attacks' initiative started with Visual Studio Code (VS Code), which is recognized as one of the industry's most widely used integrated development environments (IDE). This choice is supported by its outstanding popularity, extensibility, and robustness within the development community.

Why doesn't the IDE extension check for vulnerabilities?

Although it is technically possible to test from the IDE —as several automated tools do— it often lacks security rigor. For example, security testing could be outside the control of management and security teams and follow the developers' discretionary frequency.

What should I do if, once I install the extension, I have problems loading the window to enter the API Token?

Enter the VS Code configuration file (JSON) and manually add the configuration key and value:

"fluidattacks.apiToken": "API_Token"

VSC plugin configuration
Api token on VSC extension