🤖 AI Summary
Patchsmith is an open-source, agentic wrapper around GitHub's CodeQL that combines static semantic analysis with AI agents to triage, investigate, generate queries, and even propose patches for security vulnerabilities. Delivered as a rich CLI (Python 3.10+; requires the CodeQL CLI), it runs a fast triage pass that groups similar findings, prioritizes them, and flags the top 10 groups for optional deep investigation. The investigation step uses AI to produce attack scenarios, exploitability scores, tailored remediation guidance, and project-specific CodeQL queries (finetune), all surfaced in Markdown/HTML reports and integrated with Git (automatic branches and commits) to streamline fixes.
Technically, Patchsmith uses a four-layer architecture: a presentation layer (CLI), an orchestration layer for workflow and progress, custom agents (analysis/triage, brainstorming, code generation, review), and a tools wrapper around CodeQL, Git, and the GitHub APIs. Typical runtimes are about 5–20 minutes for triage plus a further 10–30 minutes for investigation, trading some runtime and API cost for focused, deeper analysis. It supports interactive fixing or auto-apply (caution advised) and test harnesses, and it is GPL-3.0 licensed to ensure transparency. For practitioners, Patchsmith promises substantial time savings on noisy static-analysis results through smart grouping and AI-driven prioritization, but AI-generated patches still warrant human review and CI testing.
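The triage pass described above (group similar CodeQL findings, score them, surface the top N groups) is the part of the workflow a defender can reason about without any AI in the loop. The script below is an added example written for this page, not Patchsmith's own code: it reads a constructed SARIF v2.1.0 document in the shape CodeQL emits (results under `runs[].results[]`, rule metadata with a `security-severity` property under `tool.driver.rules[]`), groups results by rule and source directory, ranks groups by a severity-weighted score, and renders a Markdown table. The grouping key, the per-level weights in `LEVEL_WEIGHT`, and the fallback `DEFAULT_SEVERITY` are illustrative assumptions, not the tool's actual heuristics.

```python
"""Group and rank CodeQL-style SARIF findings for triage.

Added example, not Patchsmith's code. Assumes the SARIF v2.1.0 layout that
CodeQL produces. Grouping and scoring heuristics are assumptions chosen for
illustration.
"""
import posixpath
from dataclasses import dataclass, field

# Assumed weights per SARIF result level; CodeQL uses error/warning/note.
LEVEL_WEIGHT = {"error": 1.0, "warning": 0.6, "note": 0.3}
# Rules without security-severity metadata (e.g. code-quality queries) are
# kept visible but scored low. Assumed value.
DEFAULT_SEVERITY = 1.0


def _result(rule_id, level, path, line):
    """Build one SARIF result record (constructed sample data)."""
    return {
        "ruleId": rule_id,
        "level": level,
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line},
        }}],
    }


# Constructed sample: three rules, eight results across a few files.
SAMPLE_SARIF = {
    "runs": [{
        "tool": {"driver": {"rules": [
            {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
            {"id": "py/path-injection", "properties": {"security-severity": "7.5"}},
            {"id": "py/unused-import", "properties": {}},
        ]}},
        "results": [
            _result("py/sql-injection", "error", "app/db/users.py", 42),
            _result("py/sql-injection", "error", "app/db/users.py", 77),
            _result("py/sql-injection", "error", "app/db/orders.py", 15),
            _result("py/path-injection", "warning", "app/files/upload.py", 30),
            _result("py/path-injection", "warning", "app/files/download.py", 12),
            _result("py/unused-import", "note", "app/db/users.py", 1),
            _result("py/unused-import", "note", "app/api/views.py", 2),
            _result("py/unused-import", "note", "app/api/auth.py", 3),
        ],
    }]
}


@dataclass
class FindingGroup:
    """Findings that share a rule and a source directory."""
    rule_id: str
    directory: str
    score: float = 0.0
    locations: list = field(default_factory=list)  # (path, line) pairs

    @property
    def count(self):
        return len(self.locations)


def rule_severities(run):
    """Map rule id -> numeric security-severity, with a fallback for rules lacking it."""
    out = {}
    for rule in run["tool"]["driver"].get("rules", []):
        sev = rule.get("properties", {}).get("security-severity")
        out[rule["id"]] = float(sev) if sev is not None else DEFAULT_SEVERITY
    return out


def group_findings(sarif):
    """Group results by (rule id, directory of the flagged file) and accumulate a score."""
    groups = {}
    for run in sarif["runs"]:
        severities = rule_severities(run)
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            line = loc["region"]["startLine"]
            key = (res["ruleId"], posixpath.dirname(path))
            group = groups.setdefault(key, FindingGroup(*key))
            group.locations.append((path, line))
            weight = LEVEL_WEIGHT.get(res.get("level", "warning"), 0.6)
            group.score += severities.get(res["ruleId"], DEFAULT_SEVERITY) * weight
    return list(groups.values())


def rank_groups(groups, top_n=10):
    """Highest score first; ties broken deterministically by rule id and directory."""
    return sorted(groups, key=lambda g: (-g.score, g.rule_id, g.directory))[:top_n]


def render_markdown(groups):
    """Render ranked groups as a Markdown table, one row per group."""
    lines = ["| # | Rule | Directory | Findings | Score |", "|---|---|---|---|---|"]
    for i, g in enumerate(groups, 1):
        lines.append(f"| {i} | {g.rule_id} | {g.directory} | {g.count} | {g.score:.1f} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_markdown(rank_groups(group_findings(SAMPLE_SARIF))))
```

On the sample data the three SQL-injection findings in `app/db` land at the top of the table, the two path-injection findings in `app/files` follow, and the code-quality findings sink to the bottom without disappearing; a real triage pass would add project context and a human review step before any of these groups is handed to an automated fixer.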