DEV Community

Lakshmi Sravya Vedantham

I built an AI agent that watches your GitHub repo and opens PRs when it finds bugs — automatically

Security vulnerabilities sit in codebases for months. Not because developers don't care — because nobody has time to review everything.

Existing tools (Dependabot, CodeQL, SonarQube) find issues. They don't fix them. The fix still requires a human.

I built guardian — an AI agent that watches your repository, finds real bugs, and opens PRs with fixes. Autonomously.

What it does

guardian runs three scan passes on every push:

  1. Security — hardcoded secrets, SQL injection, insecure dependencies, OWASP Top 10
  2. Performance — unbounded loops, N+1 patterns, missing error handling
  3. Logic — unreachable code, incorrect conditionals, type mismatches

For each finding above a confidence threshold, guardian generates a fix and opens a PR — with explanation, evidence, and a link back to the finding.

Not a linter. An autonomous developer.

The difference is the PR. A linter tells you something is wrong. guardian fixes it.

You still review the PR. You still merge it (or don't). But the first-draft fix is already there, waiting for you.

Self-hosted mode (just GitHub Actions + your API key)

# .github/workflows/guardian.yml
# generated by: guardian init-action
- uses: LakshmiSravyaVedantham/guardian-action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

That's the entire setup. No servers. No accounts. Runs on your infrastructure with your key.

Local scanning

pip install guardian
guardian scan .                    # Scan current directory
guardian scan . --fix              # Apply fixes directly
guardian scan . --output report.json

Configuration

# guardian.yml in your repo root
scans:
  security: true
  performance: true
  logic: true
severity_threshold: medium
exclude:
  - tests/
  - migrations/
auto_pr: true

What makes a good autonomous fix

guardian only opens a PR when it's confident — not just that the bug exists, but that the fix is correct and minimal. If it can't generate a high-confidence fix, it creates an issue instead.

This matters: a wrong auto-fix is worse than no fix.
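To make the gating concrete, here is an added illustration (not guardian's own code) of how the guardian.yml settings above and the confidence rule just described combine to decide whether a finding is dropped, filed as an issue, or turned into a PR. The config values are copied from the post; the severity scale, the 0.8 confidence cutoff and the sample findings are assumptions.

```python
# Added illustration of the gating the post describes: severity threshold, path
# exclusions, and confidence-gated PR-versus-issue routing. Not guardian's own
# code; the config shape copies the guardian.yml above, while the findings,
# the 0.8 confidence cutoff and the severity scale are assumptions.
from dataclasses import dataclass

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # assumed scale

CONFIG = {  # same values as the guardian.yml example in the post
    "scans": {"security": True, "performance": True, "logic": True},
    "severity_threshold": "medium",
    "exclude": ["tests/", "migrations/"],
    "auto_pr": True,
}

@dataclass(frozen=True)
class Finding:
    scan: str          # "security", "performance" or "logic"
    path: str          # repo-relative file path
    severity: str      # key of SEVERITY_RANK
    confidence: float  # 0.0..1.0, how sure the scanner is the bug is real
    has_fix: bool      # a minimal candidate fix was generated

def route(finding: Finding, config: dict, pr_confidence: float = 0.8) -> str:
    """Return 'skip', 'issue' or 'pr' for one finding.

    Only a fix above the confidence cutoff becomes a PR; everything else that
    clears the severity threshold becomes an issue, so a doubtful fix is never
    presented as merge-ready (the post's "wrong auto-fix is worse than no fix").
    """
    if not config["scans"].get(finding.scan, False):
        return "skip"  # that scan pass is disabled
    if any(finding.path.startswith(prefix) for prefix in config["exclude"]):
        return "skip"  # excluded path
    if SEVERITY_RANK[finding.severity] < SEVERITY_RANK[config["severity_threshold"]]:
        return "skip"  # below severity_threshold
    if config["auto_pr"] and finding.has_fix and finding.confidence >= pr_confidence:
        return "pr"
    return "issue"

def triage(findings, config=CONFIG) -> dict:
    """Map each finding's path to the action guardian-style gating would take."""
    return {f.path: route(f, config) for f in findings}

# Constructed sample findings (not real scanner output).
SAMPLE = [
    Finding("security", "app/db.py", "high", 0.95, True),         # -> pr
    Finding("security", "tests/test_db.py", "high", 0.95, True),  # -> skip, excluded
    Finding("performance", "app/views.py", "low", 0.90, True),    # -> skip, below threshold
    Finding("logic", "app/auth.py", "critical", 0.55, True),      # -> issue, low confidence
]
```

Setting `auto_pr: false` routes every surviving finding to an issue, which is the conservative mode to start with while you calibrate how often the generated fixes are actually correct.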

GitHub: https://github.com/LakshmiSravyaVedantham/guardian

Built this because I spent a week watching a critical vulnerability sit in a PR queue while the reviewer was on vacation. guardian would have caught and fixed it the same day it landed.
