Applying fixes
Dry run
Always start with --dry-run to preview what Dexter will do:
dexter apply \
  --finding sg-open-ingress-22 \
  --target sg-0abc123def456 \
  --provider aws \
  --dry-run
Dry run shows the exact commands/changes without modifying any resources.
Live apply
dexter apply \
  --finding sg-open-ingress-22 \
  --target sg-0abc123def456 \
  --provider aws \
  --credential-scope fix
Flags
| Flag | Required | Description |
|---|---|---|
| --finding | Yes | Finding ID from scan results |
| --target | Yes | Resource identifier to fix |
| --provider | No | Cloud provider: aws, azure, gcp, k8s, code |
| --credential-scope | No | scan (read) or fix (write). Default: fix |
| --dry-run | No | Preview without applying |
| --force | No | Skip confirmation prompt |
| --format | No | Output format: json or text |
Terraform PR generation
For infrastructure-as-code fixes, Dexter can generate a pull request:
dexter terraform \
  --repo https://github.com/org/infra \
  --finding sg-open-ingress-22
This:
- Clones the repo
- Identifies the relevant Terraform resource
- Generates the fix as a code change
- Opens a pull request with the diff
Pre/post state capture
Every fix captures state before and after application:
{
  "status": "Applied",
  "pre_state": {
    "security_group": "sg-0abc123",
    "ingress_rules": [
      { "port": 22, "cidr": "0.0.0.0/0" }
    ]
  },
  "post_state": {
    "security_group": "sg-0abc123",
    "ingress_rules": [
      { "port": 22, "cidr": "10.0.0.0/8" }
    ]
  }
}
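One way to check a captured record before signing off on a fix, as an added example (not Dexter's own code): it assumes the record has been saved as JSON in exactly the shape shown above and verifies that the post-state only narrows ingress. The function names and the sample record are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample record, in the shape of the pre/post state output above.
SAMPLE = """
{
  "status": "Applied",
  "pre_state": {"security_group": "sg-0abc123",
                "ingress_rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
  "post_state": {"security_group": "sg-0abc123",
                 "ingress_rules": [{"port": 22, "cidr": "10.0.0.0/8"}]}
}
"""

WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs that mean "anyone on the internet"

def _net(rule):
    return ipaddress.ip_network(rule["cidr"], strict=False)

def _covered(rule, pre_rules):
    """True if `rule` sits inside some pre-fix rule on the same port."""
    net = _net(rule)
    for old in pre_rules:
        old_net = _net(old)
        if (old["port"] == rule["port"] and old_net.version == net.version
                and net.subnet_of(old_net)):
            return True
    return False

def check_fix(record):
    """Return a list of problems; an empty list means the fix only narrowed access."""
    problems = []
    pre, post = record["pre_state"], record["post_state"]
    if record.get("status") != "Applied":
        problems.append(f"status is {record.get('status')!r}, not 'Applied'")
    if pre["security_group"] != post["security_group"]:
        problems.append("pre_state and post_state describe different groups")
    for rule in post["ingress_rules"]:
        if str(_net(rule)) in WORLD:
            problems.append(f"port {rule['port']} still open to {rule['cidr']}")
        elif not _covered(rule, pre["ingress_rules"]):
            problems.append(f"port {rule['port']} {rule['cidr']} grants access absent from pre_state")
    return problems

if __name__ == "__main__":
    print(check_fix(json.loads(SAMPLE)) or "fix narrowed ingress as expected")
```

A non-empty result is a reason to inspect the change before relying on it, for example a post-state rule on a port that had no ingress rule in the pre-state.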
Rollback
If a fix causes issues, Dexter can restore the pre-state:
dexter rollback --finding sg-open-ingress-22 --target sg-0abc123def456
Rollback uses the captured pre-state snapshot to reverse the change.