AI-powered security scanner & auto-fixer that finds vulnerabilities β and writes the patches itself.
Built for the Lzyr Builder Challenge using GitAgent.
π¬ Live Demo Β· π Quick Start Β· π§ Architecture Β· π©Ή Demo Flow Β· π Design Decisions
You paste a GitHub repo URL (or click demo for zero-setup). SecureBot β a multi-agent system on the GitAgent SDK β scans for OWASP Top 10 vulnerabilities, hardcoded secrets, and known CVEs. Findings stream live to your browser. Click any finding and a second agent generates a minimal, secure patch with a side-by-side diff.
Repo URL βββΆ π Scanner Agent βββΆ Findings (live SSE) βββΆ π©Ή Click "Auto-Fix" βββΆ Fixer Agent βββΆ Diff
π‘ Live mode uses Lyzr / OpenAI / Anthropic via the GitAgent SDK with custom tools, hooks, skills, and a multi-agent workflow. Demo mode ships scripted output so anyone can experience the full UX in 60 seconds with zero setup.
The challenge rewards execution, creativity, product thinking, speed of shipping, and agent workflow design. SecureBot hits each:
| Criterion | How SecureBot delivers |
|---|---|
| π Execution | A working full-stack product, not a sketch. Real custom tools, real hooks, real CWE mappings, real fix templates. Builds clean, deploys in one click. |
| β¨ Creativity | Two-agent pipeline (Scanner β Fixer) glued by a workflow YAML. Tool-anchored LLM pattern β regex rules find anchors, LLM does the reasoning. Fast, reliable, structured output. |
| π― Product thinking | DEMO_MODE=true β 60-second zero-key demo. OPENAI_API_KEY set β live agent mode. One-click deploy buttons for Vercel, Netlify, Codespaces. |
| β± Speed of shipping | Single Next.js codebase (no Python bridge), shipped in hours. CI passes on every commit. Production-ready Dockerfile + multi-cloud configs. |
| 𧬠Agent workflow design | Uses every GitAgent primitive: SDK query(), tool(), programmatic hooks, declarative tools (YAML + shell), skills, workflows, memory, identity files (SOUL/RULES/DUTIES), compliance config, multi-model fallback. |
Zero-config: click any deploy button above β€΄οΈ β defaults to demo mode, no keys needed.
The flow you see in 60 seconds:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β π‘οΈ SecureBot GitAgent β Source β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β Your codebase has bugs. β
β SecureBot finds them. And fixes them. β
β β
β [ github.com/org/repo or 'demo' ] [βΆ Scan withβ¦ ] β
β β
β Try: [Demo (vulnerable Node.js)] [OWASP Juice Shop] β¦ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
After clicking βΆ Scan:
βββββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββ
β Agent stream (live) β Findings (7) β
β βββββββββββββββββββββ β ββββββββββββββββββββ β
β β β β gitagent Β· live β [CRITICAL] CWE-798 β
β β Hardcoded OpenAI Key π©Ή Auto-Fixβ
β [tool_call] find_secrets β β
β [finding] CRITICAL CWE-798 β [CRITICAL] CWE-89 β
β [tool_call] scan_file β SQL Injection π©Ή Auto-Fixβ
β [finding] CRITICAL CWE-89 β β
β [finding] CRITICAL CWE-78 β [HIGH] CWE-79 β
β [finding] HIGH CWE-338 β DOM XSS π©Ή Auto-Fixβ
β [summary] 7 findings Β· 3.4s β β click Auto-Fix β
β β ββ before ββββ after ββ β
β Generating summaryβ¦ β βvulnerableββ secure β β
β β βββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββ
| Platform | Action |
|---|---|
| Vercel | |
| Netlify | |
| GitHub Codespaces | |
git clone https://github.com/Youranalyst-coder/gitagent-securebot.git
cd gitagent-securebot
npm install --ignore-scripts && npm run devOpen http://localhost:3000 β click "Scan with SecureBot".
The
--ignore-scriptsflag avoids an unrelated postinstall in@googleworkspace/cli(not used by SecureBot). The app itself works perfectly.
docker compose up --build
# β http://localhost:3000cp .env.example .env.local
# Edit .env.local:
# DEMO_MODE=false
# OPENAI_API_KEY=sk-... (or LYZR_API_KEY, or ANTHROPIC_API_KEY)
npm run devNow SecureBot uses the actual GitAgent SDK β runs custom tools, fires hooks, the works.
flowchart TB
User[π€ User<br/>browser] -->|repo URL| FE[π₯ Next.js Frontend<br/>app/scan/page.tsx]
FE -->|POST /api/scan| API1[π‘ Scan API Route<br/>SSE stream]
API1 -->|SDK query| Scanner[π Scanner Agent<br/>skills/scan-security]
Scanner -->|custom tools| Tools1[π scan_file<br/>find_secrets<br/>check_deps]
Scanner -->|preToolUse hook| Audit[πͺ Audit Hook<br/>blocks rm -rf, etc.]
Scanner -->|finding blocks| API1
API1 -->|SSE events| FE
FE -->|click π©Ή Fix β POST /api/fix| API2[π‘ Fix API Route<br/>SSE stream]
API2 -->|SDK query| Fixer[π©Ή Fixer Agent<br/>skills/fix-vulnerability]
Fixer -->|generate_fix tool| Tools2[π Canonical CWE<br/>fix templates]
Fixer -->|fix block| API2
API2 -->|SSE events| FE
subgraph AgentRepo ["π agent/ β the agent IS a git repo"]
SOUL[SOUL.md<br/>identity]
RULES[RULES.md<br/>safety]
DUTIES[DUTIES.md<br/>scope]
AGENT[agent.yaml<br/>model + compliance]
SKILL1[skills/scan-security]
SKILL2[skills/fix-vulnerability]
WORK[workflows/scan-and-fix.yaml]
DECL[tools/grep-secrets.yaml]
HOOKS[hooks/audit.sh]
MEM[memory/MEMORY.md]
end
Scanner -.identity.- SOUL
Scanner -.skill.- SKILL1
Fixer -.skill.- SKILL2
style User fill:#0d1117,stroke:#58a6ff,color:#fff
style FE fill:#21262d,stroke:#58a6ff,color:#fff
style Scanner fill:#1f6feb,stroke:#58a6ff,color:#fff
style Fixer fill:#3fb950,stroke:#3fb950,color:#fff
style Tools1 fill:#21262d,stroke:#bc8cff,color:#fff
style Tools2 fill:#21262d,stroke:#bc8cff,color:#fff
style Audit fill:#21262d,stroke:#f85149,color:#fff
| GitAgent Primitive | Where in this project | What it does |
|---|---|---|
SDK query() |
lib/gitagent-client.ts |
Streams agent events to SSE |
SDK tool() |
lib/tools/*.ts (4 tools) |
Custom security scanners |
| Programmatic hooks | lib/hooks.ts |
preToolUse blocks rm -rf, audits everything |
| Declarative tool | agent/tools/grep-secrets.yaml + .sh |
Shell-script tool from YAML |
| Script hook | agent/hooks/audit.sh |
Filesystem audit log |
| Skills | agent/skills/{scan-security,fix-vulnerability}/SKILL.md |
Composable instruction modules |
| Workflow | agent/workflows/scan-and-fix.yaml |
Chains Scanner β Fixer |
| Identity files | agent/{SOUL,RULES,DUTIES}.md |
Personality, constraints, scope |
| Memory | agent/memory/MEMORY.md |
Git-committed, append-only |
| Compliance | agent.yaml β compliance: block |
risk_level: high, audit logging |
| Multi-model fallback | agent.yaml β model.fallback |
Lyzr β OpenAI β Anthropic |
| Cost tracking | UI status bar | Surfaced from query.costs() |
Each finding maps to a real CWE identifier with a canonical fix template:
| CWE | Vulnerability | Canonical Fix |
|---|---|---|
| CWE-89 | SQL Injection | Parameterized queries |
| CWE-78 | Command Injection | spawn with arg array |
| CWE-94 | Code Injection (eval) |
JSON.parse |
| CWE-79 | DOM XSS (innerHTML) |
textContent / DOMPurify |
| CWE-327 | Weak hashing (MD5/SHA1) | SHA-256 / bcrypt |
| CWE-338 | Math.random() for secrets |
crypto.randomBytes |
| CWE-502 | Unsafe deserialization | safe_load / JSON |
| CWE-798 | Hardcoded secrets | process.env + rotate |
| CWE-352 | CSRF disabled | Re-enable middleware |
| CWE-1104 | Vulnerable dependencies | Bump to patched version |
gitagent-securebot/
βββ π agent/ # The GitAgent agent IS a git repo
β βββ agent.yaml # Model, tools, runtime, compliance
β βββ SOUL.md # Identity & output discipline
β βββ RULES.md # 8 hard safety rules
β βββ DUTIES.md # Scope: scan vs fix duties
β βββ skills/scan-security/ # OWASP Top 10 scanning skill
β βββ skills/fix-vulnerability/ # CWE-mapped fix skill
β βββ workflows/scan-and-fix.yaml # Multi-agent workflow
β βββ tools/grep-secrets.{yaml,sh}
β βββ hooks/{hooks.yaml,audit.sh,alert.sh,session-start.sh}
β βββ memory/MEMORY.md
βββ π app/ # Next.js 14 App Router
β βββ api/scan/route.ts # POST /api/scan β SSE
β βββ api/fix/route.ts # POST /api/fix β SSE
β βββ scan/page.tsx # Real-time dashboard
β βββ components/ # 5 React components
β βββ page.tsx # Landing page
β βββ layout.tsx
βββ π lib/
β βββ gitagent-client.ts # SDK wrapper, demo mode, SSE bridge
β βββ hooks.ts # Programmatic preToolUse + onError
β βββ tools/ # 4 custom GitAgent SDK tools
β βββ types.ts
βββ π³ Dockerfile, docker-compose.yml
βββ β vercel.json, netlify.toml
βββ π€ .github/workflows/ci.yml
βββ π ARCHITECTURE.md # Design decisions for submission
βββ π README.md
βββ π LICENSE
- Open
http://localhost:3000β click "βΆ Scan with SecureBot" (default valuedemo) - Land on
/scan?demo=1 - Watch the left panel light up with
[tool_call] find_secretsβ[finding] CRITICAL CWE-798β¦ - Right panel populates with vulnerability cards as findings stream
- Summary bar crystallizes:
7 findings Β· 4 critical / 2 high / 1 medium - Click π©Ή Auto-Fix on any card β second agent runs β diff appears inline
π₯ Demo Video β 3 minutes (coming soon β record against running app)
- β
GitHub repository β
Youranalyst-coder/gitagent-securebot - β Live deployment β see deploy buttons above
- β
Architecture document β
ARCHITECTURE.md - β
Working demo (zero config via
DEMO_MODE=true) - β Live mode using real GitAgent SDK with custom tools + hooks
- β Multi-agent workflow (Scanner β Fixer chained via workflow YAML)
- β Uses every major GitAgent primitive (12/12 β see matrix above)
- β Production-ready: Dockerfile, CI, multiple deploy targets
- πΉ 3β5 min demo video
MIT β see LICENSE.
- GitAgent β universal git-native agent framework
- Lyzr AI Studio β primary model provider, free tier
- OWASP & MITRE CWE β vulnerability taxonomy
Built with β€οΈ for the Lzyr Builder Challenge
β Star this repo if it helped you understand the GitAgent SDK β