🤖 AI Summary
Existing Infrastructure-as-Code (IaC) repair approaches often rely on manual intervention or are prone to hallucination, compromising repair validity. This work proposes TerraRepair, the first large language model agent for IaC repair that incorporates a tool-anchoring mechanism. TerraRepair retrieves Terraform dependency context, queries provider schemas, and re-invokes Checkov and Trivy post-repair to ensure correctness. Crucially, when essential contextual information is missing, it proactively escalates the issue rather than generating speculative fixes. Experimental results on an AWS benchmark demonstrate that TerraRepair significantly improves verified repair rates—increasing them from 26.6% to 78.4% for Checkov and from 44.8% to 72.4% for Trivy—with the majority of repairs validated as correct through human evaluation.
📝 Abstract
Background: Infrastructure-as-Code (IaC) scanners detect cloud misconfigurations in Terraform and other IaC languages before deployment, but repairing the flagged configurations remains largely manual. Recent Large Language Model (LLM)-based repair approaches can repair some findings, but may hallucinate unsupported constructs or suppress warnings without fixing the issue. Aims: We study whether tool grounding can improve LLM-based Terraform repair, and when a finding should be escalated because the required deploymnet-specific context is not availble. Method: We present TerraRepair, a prototype of a tool-grounded LLM agent for Terraform repair with structured escalation. TerraRepair retrieves dependency context from Terraform references, consults the installed provider schema, and re-runs the scanner before returning a candidate repair. Then teh required context is absent, TerraRepair escalates instead of fabricating a plausible fix. Results: We evaluate our tool on two vulnerable-by-design Terraform repositories using two IaC security scanners, Checkov and Trivy, across AWS, Azure, and GCP. On the combined AWS benchmark, TerraRepair improves scanner-verified fix rates from 26.6% to 78.4% on Checkov and from 44.8% to 72.4% on Trivy, compared with a controlled one-shot baseline. It repairs are labelled as correct under a majority-vote protocol. Conclusions: These emerging results show that tool grounding can substantially improve scanner-verified LLM-based IaC repair on the studied benchmarks, while missing deployment-specific context remains the main knowledge boundary for full autonomy.