Frequently asked questions about integrations | Fluid Attacks Help

Integrations FAQ

This page provides answers to frequently asked questions about Fluid Attacks' API and IDE plugin, especially privacy concerns regarding the features powered by Claude Sonnet.

API

How can I start using the platform API?

To begin using the API, we recommend you read the articles on this Knowledge Base's Use the API section. Bear in mind that you will need prior knowledge of the GraphQL language to make requests to the API.

VS Code plugin

What technology do you use to generate the fixes?

Fluid Attacks uses large language models (LLMs), i.e., artificial intelligence designed for advanced text processing and generation. Based on enormous databases, LLMs can create natural language content and even code with accuracy and consistency.

Which LLM provider is used for the plugin?

Anthropic's Claude 3.5 Sonnet in Amazon Bedrock.

How does it work, and what is the role of Claude in your plugin?

Claude Sonnet in Fluid Attacks' IDE plugin or extension is crucial in generating code-based remediation guidelines ("Custom fix" functionality) and automatic code correction ("Autofix" functionality). The process begins with extracting a specific code fragment from the selected vulnerable file. This fragment is securely sent to the Claude 3.5 Sonnet instance hosted by Amazon Bedrock, and a response with remediation suggestions is later obtained.

What is the code access level of Claude?

The code sent to Claude Sonnet is interpreted using the context provided at the function/class level, specifically around the line of code containing the vulnerability. The model has no global knowledge of the source code or of the business logic of the application under evaluation: its access to the code is limited to a small fragment representing a specific function.
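To make that scope concrete, here is an added illustration of what "function-level context" means in practice. It is not the plugin's own code (this page does not publish the plugin's extraction logic), and the sample file it parses is constructed for the example. Given a file and the reported vulnerable line, only the innermost enclosing function or class definition is kept, so other functions and any business logic elsewhere in the same file never leave the editor. The same routine also handles the class case, which the text mentions but this sample does not exercise.

```python
import ast

# Constructed sample module (not customer code): one function with a
# weak pattern on line 5 and an unrelated function with business logic.
SAMPLE_SOURCE = '''import subprocess

def list_dir(path):
    # Reported line: caller-controlled input concatenated into a shell command
    return subprocess.check_output("ls " + path, shell=True)

def unrelated_business_logic(order):
    secret_discount = 0.42
    return order.total * (1 - secret_discount)
'''


def enclosing_fragment(source: str, line: int) -> str:
    """Return only the innermost function/class definition containing `line` (1-indexed).

    If the line is not inside any definition, only that single line is returned,
    which is the smallest context that still contains the reported location.
    """
    tree = ast.parse(source)
    lines = source.splitlines()
    best = None
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if node.lineno <= line <= node.end_lineno:
                # Prefer the narrowest definition that still spans the line
                # (a method inside a class beats the whole class).
                if best is None or (node.end_lineno - node.lineno) < (best.end_lineno - best.lineno):
                    best = node
    if best is None:
        return lines[line - 1]
    return "\n".join(lines[best.lineno - 1 : best.end_lineno])


def build_request_payload(source: str, line: int) -> dict:
    """Assemble the minimal payload for a remediation request (hypothetical shape).

    Only the fragment and the line offset within it are included; the rest of the
    file is never part of the payload.
    """
    fragment = enclosing_fragment(source, line)
    return {"fragment": fragment, "fragment_line_count": len(fragment.splitlines())}


if __name__ == "__main__":
    payload = build_request_payload(SAMPLE_SOURCE, 5)
    print(payload["fragment"])
    # The unrelated function (and its discount constant) is absent from the payload.
    print("contains business logic:", "secret_discount" in payload["fragment"])
```

Running the module prints just the three lines of `list_dir` and reports `contains business logic: False`, which is the property the answer above describes: the model sees the function around the flagged line and nothing else from the repository.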

Does Claude retain data, and for how long?

The Claude 3.5 Sonnet model is hosted by Amazon Bedrock, which does not retain data.

What is the data privacy with Claude?

Fluid Attacks understands the importance of maintaining the confidentiality and security of its customers' code. Fluid Attacks ensures compliance with strict privacy and data security policies when employing AI for vulnerability management. The key policies in Amazon Bedrock, which hosts the Claude 3.5 Sonnet model used by Fluid Attacks, can be expressed as follows:

  1. Amazon Bedrock hosts the supported foundation models (FMs) directly on AWS infrastructure managed and owned by AWS. Customer data such as prompts and continuations, or Amazon Bedrock service logs, cannot be accessed by model providers.
  2. Amazon Bedrock does not log or store customers' prompts and completions, does not use them to train AWS models, and does not distribute them to third parties.
  3. Amazon Bedrock protects data at rest and in transit through encryption.

Does your company use the plugin internally?

Fluid Attacks' hacking team uses this tool in its daily work in vulnerability reporting.

What information does the plugin take?

Fluid Attacks' IDE extension uses or considers all the available information of the repositories listed in the platform's Scope section.

What version of AI is used?

Fluid Attacks uses the Claude 3.5 Sonnet model.

Is the plugin available in other editors?

No. Fluid Attacks' initiative started with Visual Studio Code (VS Code), which is recognized as one of the industry's most widely used integrated development environments (IDEs). This choice is supported by its outstanding popularity, extensibility, and robustness within the development community.

Why doesn't the IDE extension check for vulnerabilities?

Although it is technically possible to test from the IDE, as several automated tools do, such testing often lacks security rigor. For example, it could fall outside the control of management and security teams and run only at the developers' discretionary frequency.

What should I do if, once I install the extension, I have problems loading the window to enter the API Token?

On VS Code, select View > Command Palette... and then type the command Fluid Attacks: Set Fluid Attacks token. When you select the command, a box appears where you can paste the token.