This page provides answers to frequently asked questions about Fluid Attacks' API and IDE plugin, especially privacy concerns regarding the features powered by GPT-4.
To begin using the API, we recommend you read the articles on this Knowledge Base's Use the API section. Bear in mind that you will need prior knowledge of the GraphQL language to make requests to the API.
Fluid Attacks uses large language models (LLMs), i.e., artificial intelligence designed for advanced text processing and generation. Based on enormous databases, LLMs can create natural language content and even code with accuracy and consistency.
OpenAI GPT-4.
GPT-4 in Fluid Attacks' IDE plugin or extension is crucial in generating code-based remediation guidelines ("Custom fix" functionality) and automatic code correction ("Autofix" functionality). The process begins with extracting a specific code fragment from the selected vulnerable file. This fragment is securely sent to GPT-4 through safe API-backend connectivity, and a response with remediation suggestions is later obtained.
The code sent to GPT-4 is interpreted using the context provided at the function/class level, specifically about the line of code containing the vulnerability. This AI model has no global knowledge of the source code or the business logic of the application under evaluation. It is clarified that its access to the code is limited to a small piece representing a specific function.
GPT-4 does not use the information sent for purposes other than generating solutions for correcting vulnerabilities. The data transmitted is retained for approximately 30 days to validate possible abuses of artificial intelligence. This approach ensures a privacy and security policy, guaranteeing that the information provided is treated with the utmost respect and used exclusively for the established purposes.
Fluid Attacks understands the importance of maintaining the confidentiality and security of its customers' code. Fluid Attacks ensures compliance with strict privacy and data security policies by employing AI, such as the GPT-4 API, for vulnerability management.
Fluid Attacks' hacking team uses this tool in its daily work in vulnerability reporting.
Fluid Attacks' IDE extension uses or considers all the available information of the repositories listed in the platform's Scope section.
Fluid Attacks uses the GPT-4 API, independent of the Enterprise version OpenAI offers. This ensures that Fluid Attacks has the necessary control over the information processed and is not subject to the data storage policies of the web or Enterprise versions.
No. Fluid Attacks' initiative started with Visual Studio Code (VS Code), which is recognized as one of the industry's most widely used integrated development environments (IDE). This choice is supported by its outstanding popularity, extensibility, and robustness within the development community.
Although it is technically possible to test from the IDE —as several automated tools do— it often lacks security rigor. For example, security testing could be outside the control of management and security teams and follow the developers' discretionary frequency.
Enter the VS Code configuration file (JSON) and manually add the configuration key and value:
"fluidattacks.apiToken": "API_Token"