Trendslop Pro opens a branch on your repo, applies the fix, and opens a PR. You review the diff, run your tests, and merge if it looks right. We never push directly to your default branch.
Auto-fix is a button on each failing check in your audit results. The flow is the same every time.
On any audit finding, click the Fix button. The first time, a consent modal explains exactly what's about to happen and asks you to confirm.
The fix branch is named trendslop/fix-<check_id>-<timestamp> and is created from your default branch. We never modify your default branch directly.
For mechanical fixes — like adding entries to .gitignore — we apply the change as a real commit. For others, we add a TRENDSLOP_FIX.md file with step-by-step instructions.
The fix is drafted as a regular pull request against your default branch. The description explains what changed and why, which files we touched, and what to verify. You review and merge.
Always: your CI runs against the PR branch like any other PR. If it passes, merge. If it fails, close the PR; nothing is committed to your default branch.
If the fix is good, merge it. If not, close it. You're in control of what enters your repo. We never auto-merge.
Some fixes are mechanical and safe. Others need human judgment. We treat the two categories very differently.
Mechanical fixes we apply as real diffs:

- Add .env, node_modules/, etc. to your existing .gitignore.
- Bump dependency versions in package.json or requirements.txt.
- Add httpOnly and sameSite to res.cookie() calls.
- Add secure: true to session cookie calls.
- Create /privacy.html and /terms.html placeholder files for you to fill in.
- Replace origin: '*' with a placeholder allowlist you customize.

For every finding we can't auto-fix with a real diff, we still open a PR, but it contains a TRENDSLOP_FIX.md file with detailed step-by-step instructions instead of code changes. You apply them manually and close the PR when done.
Auto-fix is best-effort code generation, not magic. Here's what to watch for.
A dependency version bump might introduce an incompatible API. Setting httpOnly on a cookie could break analytics that read that cookie from JavaScript. Always let your CI run against the PR branch before merging; that is the whole point of opening a PR rather than committing directly.
If you've changed your repo since the audit ran, auto-fix may target line numbers that don't match anymore. We refuse to fix findings older than 7 days and ask you to re-audit first. This costs 20 credits but keeps fixes accurate.
When we create stub privacy/terms pages, the text inside is placeholder ("FILL IN YOUR PRIVACY POLICY"). You must replace it with real policy text before merging — or before going to production at all. We open the PR as a draft until you remove the placeholder warning.
Our CORS fix replaces the wildcard origin with an example domain. Our open-redirect fix adds a placeholder allowlist. These default values are deliberately wrong: they fail loudly in production until you fill them in correctly, which is better than silently exposing data.
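To make the cookie-flag and CORS items in the mechanical-fix list concrete, and to show the fail-loudly placeholder behaviour described above, here is an added example written for this page. It is not Trendslop's actual generated diff. The target is an Express app using the `cors` middleware; the `origin` callback shape is the real one that middleware accepts, while the `'lax'` value for sameSite, the placeholder origin string, and the helper names are assumptions. The helpers are pure functions, so the block runs without Express or `cors` installed.

```javascript
// Added example for this page, not Trendslop's generated diff.
// Weak and hardened forms of the cookie-flag and CORS fixes from the
// mechanical-fix list, for an Express app using the `cors` middleware.

// Assumed placeholder the fix would leave behind for you to replace.
const PLACEHOLDER_ORIGIN = 'https://CHANGE-ME.example.com';

// Before: res.cookie('sid', token, weakCookieOptions())
// No httpOnly (page scripts can read it via document.cookie), no sameSite
// (sent on cross-site requests), no secure (sent over plain HTTP).
function weakCookieOptions() {
  return { maxAge: 7 * 24 * 60 * 60 * 1000, path: '/' };
}

// After: res.cookie('sid', token, hardenCookieOptions(weakCookieOptions()))
// Existing options are kept and the three flags are added. 'lax' is an
// assumed default for sameSite; use 'strict' if the app never needs a
// top-level navigation from another site to carry the cookie. Note that
// httpOnly is the flag that breaks analytics which read the cookie from JS.
function hardenCookieOptions(opts) {
  return { ...opts, httpOnly: true, sameSite: 'lax', secure: true };
}

// Before: app.use(cors({ origin: '*' }))
// After:  app.use(cors({ origin: buildOriginCheck(ALLOWED_ORIGINS) }))
// Returns the (origin, callback) function the `cors` middleware accepts.
// It throws at startup while the placeholder is still in the list, so a
// half-finished fix fails loudly instead of shipping a wildcard.
function buildOriginCheck(allowlist) {
  if (allowlist.includes(PLACEHOLDER_ORIGIN)) {
    throw new Error(
      `CORS allowlist still contains ${PLACEHOLDER_ORIGIN}; replace it before deploying`
    );
  }
  const allowed = new Set(allowlist);
  return function originCheck(origin, callback) {
    // Exact match on the full origin. No substring or regex matching,
    // which is where allowlist bypasses usually come from. Requests with
    // no Origin header (same-origin, curl) get `false`, so no
    // Access-Control-Allow-Origin header is emitted for them.
    callback(null, allowed.has(origin));
  };
}

// Placeholder allowlist exactly as such a fix would leave it.
const ALLOWED_ORIGINS = [PLACEHOLDER_ORIGIN];

// Demonstration: starting with the placeholder list fails loudly.
function placeholderStillPresent() {
  try {
    buildOriginCheck(ALLOWED_ORIGINS);
    return false;
  } catch (e) {
    return true;
  }
}
```

Replace `ALLOWED_ORIGINS` with your real frontend origins and the app starts normally; leave the placeholder in and the process refuses to boot, which is the behaviour the "deliberately wrong defaults" paragraph is describing.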
Every fix lives in a branch named trendslop/fix-*. You merge through GitHub's normal review flow. Closing a Trendslop PR has no side effects — it's the same as closing any other PR.
Auto-fix uses credits, like audits. Diff-capable fixes (where we actually modify your code) cost 10 credits. Instruction-only PRs — where we hand you a structured markdown checklist of what to change — are free, bundled into the audit price.
If a diff fix turns out to be wrong (the PR breaks your CI in a way that's clearly our bug, not your repo), reply in the PR or contact support — we'll credit you back. Bug-fix refunds are case-by-case, not automatic.
By default, every fix is a draft PR that you review and merge yourself. If you trust your CI and want a hands-off experience, you can enable auto-merge in Settings.
Auto-merge is per-user, not per-repo. If you enable it, every repo's fix PRs will use it. If you want different behavior per repo, the lever is branch protection: an auto-merge PR waits until the repo's required reviews and status checks pass, so requiring a review on the repos where you want more caution keeps a human in the loop there while the rest merge hands-off.
Only if the audit ran within the last 7 days. After that we refuse and ask you to re-audit (20 credits). Reason: your repo may have changed since the audit, and applying a fix to outdated line numbers is dangerous.
For audits alone, read access. For auto-fix, we need contents: write and pull_requests: write so we can create branches and open PRs. We never request admin permissions. Note that GitHub App permissions are granted per repository, not per branch, so contents: write does technically allow pushes to any branch; not touching your default branch is a commitment on our side, and a branch protection rule on your default branch lets you enforce it independently of us.
Yes — Trendslop PRs are normal pull requests from GitHub's perspective. Your existing CI workflows trigger on them. If your CI fails, that's a strong signal not to merge the fix.
Credits are spent the moment we open the PR. We don't refund based on whether you merge — opening a PR involves the same backend work either way. Think of it like API costs: you pay for the call, not the outcome.
Yes — if the Trendslop GitHub App has access to the repo (private or public), auto-fix works. Repos you didn't grant access to during install won't show up.
A summary of what we changed and why, a checklist of things you should verify before merging, a link to the original audit finding, and the relevant docs from trendslop.ai/docs. We try to make every PR a self-contained explanation.
For now, you close the ones you don't want — same as any other PR. Auto-archive of stale PRs is on the roadmap. In v1 we open one PR per fix; a "consolidate all fixes into one PR" mode is coming.
Auto-merge uses GitHub's native feature. When enabled, we tell GitHub "merge this PR when its required checks pass." If your repo has GitHub Actions or branch protection, the PR waits. If your repo has no required checks, it merges immediately — which is why we show a warning when you first enable the setting. Default is OFF. Find the toggle in Settings → Pull request behavior.
Auto-fix doesn't have a special undo button, but a merged Trendslop PR is just ordinary history on your default branch. git revert <commit> on a squashed or rebased commit, or git revert -m 1 <merge-commit> if you merged with a merge commit, works exactly like any other revert.
You don't need to commit to Pro upfront. Hobby's free audit shows you what auto-fix would target. Upgrade only if you want the real diffs.