CodeGate’s Layer 4 remediation system lets you fix dangerous findings immediately after a scan. All changes are backed up before any file is modified, and codegate undo can restore the previous state at any time.

Remediation flags

--remediate (boolean, default: false)
Enter guided remediation mode after the scan completes. CodeGate lists fixable findings and asks for confirmation before making changes. Use --force to skip the confirmation prompt.

--fix-safe (boolean, default: false)
Automatically apply fixes for unambiguous critical findings without interactive prompts. Combine with --dry-run to preview what would be changed before committing.

--dry-run (boolean, default: false)
Show proposed remediation changes without writing anything to disk. No backup session is created in dry-run mode.

--patch (boolean, default: false)
Write the proposed changes as patch-style diff output instead of modifying files directly. Use this flag to review or share changes in a standard diff format.

Remediation workflow

1. Run a scan

Scan the target directory to identify findings.
codegate scan .

2. Review findings

Inspect the output. Findings marked as fixable are candidates for remediation.

3. Preview changes (optional)

Use --dry-run and --patch to see what remediation would do without writing anything.
codegate scan . --remediate --dry-run --patch

4. Apply fixes

Run with --remediate to apply guided fixes, or --fix-safe to auto-apply unambiguous critical fixes.
# Guided remediation — prompts before writing
codegate scan . --remediate

# Auto-fix critical findings without prompts
codegate scan . --fix-safe
Before any file is modified, CodeGate writes a backup session to .codegate-backup/ in the scan target directory.

5. Undo if needed

If you want to revert the changes, run codegate undo from the same directory.
codegate undo

Backup sessions

Every remediation run that modifies files creates a timestamped backup session under .codegate-backup/ in the scan target directory. Each session captures the original content of every file that was modified. codegate undo [dir] restores the most recent backup session. If no [dir] argument is given, it defaults to the current directory (.).
# Undo the most recent remediation in the current directory
codegate undo

# Undo the most recent remediation in a specific directory
codegate undo ./path/to/project
codegate undo restores only the latest session. To restore an earlier session, inspect the .codegate-backup/ directory manually and copy the files you need.

Scan-state baseline and --reset-state

CodeGate maintains a persistent baseline of MCP server identifiers and config hashes to support rug-pull detection across scans.

Default state file location:
~/.codegate/scan-state.json

You can override the path with scan_state_path in your config file. Paths beginning with ~ resolve to the current user’s home directory.

What state tracks:

Entry | Meaning
--- | ---
NEW_SERVER | An MCP server identifier seen for the first time in this scan.
CONFIG_CHANGE | An MCP server whose config hash changed since the previous scan.

Both findings appear in scan results when baseline state changes are detected, giving you visibility into additions or modifications to your MCP server surface between scans.

Resetting state:
codegate scan . --reset-state
--reset-state clears the baseline file and exits immediately. No scan is performed. Use this when you want to start tracking MCP servers from a clean baseline — for example, after deliberately adding new servers that you have reviewed.
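
A minimal model of the baseline comparison described in this section, added here as an illustration and not CodeGate's own code: the {server_id: hash} state layout, the function names and the sample servers are all assumptions. It hashes each config in canonical JSON form so that reordered keys do not register as CONFIG_CHANGE.

```python
import hashlib
import json


def config_hash(config: dict) -> str:
    """Hash a server config canonically so key order or whitespace never looks like a change."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_baseline(baseline: dict, servers: dict):
    """Compare this scan's servers against the stored baseline.

    baseline: {server_id: config_hash} from the previous scan (assumed layout).
    servers:  {server_id: config_dict} discovered in this scan.
    Returns (findings, new_baseline), where findings is a list of (entry, server_id).
    """
    findings = []
    new_baseline = {}
    for server_id in sorted(servers):
        digest = config_hash(servers[server_id])
        new_baseline[server_id] = digest
        if server_id not in baseline:
            findings.append(("NEW_SERVER", server_id))
        elif baseline[server_id] != digest:
            findings.append(("CONFIG_CHANGE", server_id))
    return findings, new_baseline


# Constructed sample data (hypothetical servers), not real CodeGate state.
FIRST_SCAN = {
    "docs-search": {"command": "npx", "args": ["example-docs-mcp"]},
    "git-tools": {"command": "uvx", "args": ["example-git-mcp"]},
}
SECOND_SCAN = {
    # Same config with keys reordered: must not be reported.
    "docs-search": {"args": ["example-docs-mcp"], "command": "npx"},
    # An argument was added since the previous scan.
    "git-tools": {"command": "uvx", "args": ["example-git-mcp", "--allow-write"]},
    # Server not present in the previous scan.
    "notes": {"command": "node", "args": ["notes.js"]},
}

if __name__ == "__main__":
    findings, baseline = diff_baseline({}, FIRST_SCAN)  # empty baseline
    print(findings)
    findings, baseline = diff_baseline(baseline, SECOND_SCAN)
    print(findings)
```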