Add support to generate auto fixes using LLM (AI)

[tran-the-lam]

This feature adds support to generate auto fixes for Go scanning findings using LLM (AI). In a first instance, it relies on Gemini API to get a suggestion for a solution. This can be later extended, to integrate also other AI providers.

[tran-the-lam]

Example Output:

[tran-the-lam]

@ccojocar Please review this pr

[ccojocar]

Thanks @tran-the-lam for this contribution. Please could you address the review comments.

Is is also possible to add a unit tests? Is there an option to use a fake client for gemeni api inside of the unit test?

[ccojocar]

Also after you address the review suggestions, please fix the lint warnings. Thanks

[ccojocar]

Thank you for addressing the review comments. I still left a few more comments which should be addressed before we merge this.

The unit test should not call the real gemeni api, this needs to be mocked. I would convert the GenerateSolution function into a method and use a struct to store the gemeni client. In these you can inject a mocked client instead of the real client.

Also please add a section in the README how to use this feature. Have you done any performance tests? Please mention in the doc if you have any performance data, e.g for instance execution time per number of issues (autofixes to generate).

[ccojocar]

Thanks for addressing the review comments. There are two major things to address in order for me to accept your contribution:

1. Fix the unit test to use a mock server, see the instructions in my comments.
2. Document how to use this feature in README in a dedicated section

Without these two issue addressed, I won't be able to accept this contribution. Thank you for understanding.

[ccojocar]

Also make sure that all checks are passing. The CI is still failing.

[ccojocar]

Thanks for addressing the review comments. It looks better now. Just a few small things to address that we can merge it.

I think still the unit tests are failing.

[ccoVeille]

A few suggestions

I'm also reporting issues that were present in code already there. But I'm noticing them as you worked around them.

Feel free to ignore

[ccojocar]

There are some issue to fix in the build/tests https://github.com/securego/gosec/actions/runs/10259787997/job/28392108382?pr=1177. Otherwise look good! Thanks

[ccojocar]

Unit tests are failing and it seems related to this change, please have a look at https://github.com/securego/gosec/actions/runs/10264724512/job/28456313532?pr=1177#step:5:98

[tran-the-lam]

@ccojocar Please review and merge.

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 47.76119% with 35 lines in your changes missing coverage. Please review.

Project coverage is 69.13%. Comparing base (f33fd4b) to head (f97e82f).
Report is 48 commits behind head on master.

Files with missing lines	Patch %	Lines
autofix/ai.go	41.50%	30 Missing and 1 partial ⚠️
cmd/gosec/main.go	0.00%	4 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #1177      +/-   ##
==========================================
- Coverage   69.52%   69.13%   -0.39%     
==========================================
  Files          71       72       +1     
  Lines        3865     3930      +65     
==========================================
+ Hits         2687     2717      +30     
- Misses       1061     1095      +34     
- Partials      117      118       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.