SOOS gives you the power to generate pull requests for GitHub QuickScans and/or scans initiated via  GitHub Webhook.  The pull request feature is only available for scans performed on non-lockfile manifests*.

When vulnerabilities are identified in a scan, a pull request can be created by navigating to the Issues tab on the Project Details page and expanding the issue details. Users will have the ability to select a vulnerability free version to include in the pull request.

SOOS UI vulnerability detail view indicating Create Pull Request button

Pull requests generated by SOOS will create a branch name using the package information, such as "simple-get-3.1.1".  The fix will then be committed to this branch and create the pull request against the branch that the scan originally ran against. Alternatively, in the Configure page within the SOOS App, a target branch can be specified to always create pull requests against. 

There are a rich set of configurable options for pull requests; explore and each of them on the Configure page. Like most configurations, these are available globally or can be overridden for individual projects.

*Why not lock files?

SOOS-to-GitHub pull requests are not available for scans performed on lockfiles.  As developers ourselves, we feel that lock files should be purposefully generated, meaning a human or CI system should be instructed to generate these using the package manager CLI at specific points in time.  Lockfiles are complex and governed by numerous rules and decisions that are best left up to the package manager to determine.