Triggering Generate fix

Request a sealed version on demand for a vulnerable package in the Generate available state.

Generate fix is the action that asks Seal to build a sealed version of a specific package and version on demand. It is the path out of the Generate available state: until you trigger it, the row sits there waiting.

Before you start

  • You have the Admin, Sealer, or Collaborator role. Watchers cannot trigger Generate fix.

  • The package is in the Generate available state on the Vulnerable packages tab. If the row is Unfixable instead, it has already been determined that Generate fix does not apply (see the Unfixable section for why).

Generate fix counts against your package quota. Each Generate fix request commits Seal to backporting, building, and testing a sealed version, and the resulting package is recorded against your tenant's package usage on the Usage page, regardless of whether you go on to deploy it.

Steps

  1. Open the Protection page and the Vulnerable packages tab.

  2. Find the package you want a sealed version for. Filter by Availability > Generate fix to narrow to just the candidates.

  3. Click Generate fix in the row's action column.

  4. Confirm the dialog: "Are you sure you want to request a sealed version for <package> version <version>?"

The package's state changes to Version in progress immediately. A toast confirms the build was queued.

What happens next

A typical Generate fix build takes 24-72 hours. While it runs, the row shows a progress indicator instead of the action button. When the build finishes, the state changes to:

  • Ready to seal if the build succeeded. The sealed version is now in Seal's catalog.

  • Pending deploy if the build succeeded and a matching Sealing Rule already exists, or and the Seal Project uses the Automatic Remediation deployment method. The next CLI run will apply the fix.

  • Unfixable if the build failed. This is rare. See Unfixable for the reasons.

Once a sealed version is in the catalog, it is available across your tenant. Other Seal Projects that contain the same vulnerable package and version will surface it: their rows move from Generate available to Ready to seal as Seal next reconciles the discovery signal.

Troubleshooting

The Generate fix button is disabled. Either the package is already in the Unfixable state (the tooltip on the disabled button says "There is no feasible fix at the moment"), or your role does not include the GENERATE_FIX permission.

The Generate fix button is missing entirely. The package has been flagged as malicious. The action column shows a red Malicious badge instead. Malicious packages have no sealed counterpart; remove the package from your dependencies.

The build has been running for more than 72 hours. Contact your Seal account team. They can check the build's progress and either explain the delay or escalate.

The state moved to Unfixable. A Generate fix build failure is rare. See Unfixable for the three reasons a row can land there and what to do for each.
