This is a submission for the Runner H "AI Agent Prompting" Challenge
π‘οΈ CodeSentinel: The AI Agent That Finds CVEs, Analyzes GitHub, and Delivers Audit-Grade Reports
What I Built
CodeSentinel is an intelligent, autonomous agent built on Runner H that performs comprehensive security audits of GitHub repositories (both public and private). It detects:
- Vulnerable and outdated dependencies
- Community chatter around critical packages (OSINT)
- Secure upgrade recommendations
- Runtime & container vulnerabilities (Node, Python, Java, etc.)
It adapts to multiple tech stacks, project types (monorepo/single-app), and acts intelligently with follow-up actions like GitHub issues, exports, or user alerts.
Demo
β‘οΈ Runner H Agent Chat (CodeSentinel Live Demo)
π½οΈ Video Demo: Coming soon
πΈ Screenshots below show PDF & Email report outputs:
How I Used Runner H
I designed a fully autonomous multi-step workflow with deep GitHub integration:
π§ Runner H Workflow (Step-by-Step)
-
Ask Inputs
- GitHub repo URL, auth token (optional), tech stack, monorepo/single-app, audit window, output preference
-
Understand Project Structure
- Uses GitHub API to detect folders, fetches:
package.json
,requirements.txt
,pom.xml
,go.mod
,.nvmrc
,Dockerfile
, etc.
- Uses GitHub API to detect folders, fetches:
-
Parse All Dependencies
- Deduplicates, tags by path, handles monorepos (pnpm, turbo, etc.)
-
Scan for CVEs
- Queries NVD, OSV.dev, GitHub Advisory DB
- Flags versions with known vulnerabilities
-
OSINT Threat Chatter
- Scans Reddit, Hacker News, Dev.to using keywords like
CVE
,exploit
,PoC
, etc.
- Scans Reddit, Hacker News, Dev.to using keywords like
-
Suggest Secure Upgrades
- Uses latest registry data (npm, PyPI, Maven, etc.)
- Flags breaking changes
-
Generate Final Report
- Outputs in Markdown, PDF, or CSV
- GitHub issue creation if critical vulnerabilities detected
-
Follow-Up Options
- Email report, rescan, act now vs. backlog, compare previous scans
π Why CodeSentinel is Better
Feature | Naive Agents | CodeSentinel |
---|---|---|
Parses All Files | β Stops early | β Full scan |
CVE Detection | β Basic | β + OSINT |
Monorepo Support | β Limited | β Fully supported |
Export Options | β None | β Markdown, CSV, PDF |
Runtime + Docker CVEs | β Missed | β Included |
GitHub Issue Integration | β No | β Auto-create |
Risk Scoring & Priorities | β Flat CVSS | β Smart weighted score |
Use Case & Impact
π Problem
Most security audits are manual, time-consuming, or incomplete. Developers often miss active CVEs or runtime risks.
β Solution
CodeSentinel turns this into an automated, audit-grade process that anyone can trigger β from freelancers to DevSecOps teams.
π₯ Who Benefits
- Open Source Maintainers
- DevOps & Security Engineers
- Full Stack Developers
- Startups & Freelancers
β Real-World Test Cases
- π Supabase β Parsed 6+ files, flagged outdated dependencies
- π₯ Next.js (Vercel) β Detected critical CVE-2025-29927 in middleware
- π¦ Packtok (Monorepo) β Parsed turbo workspaces, deduplicated
lodash
vulnerability
π Key Questions Answered
-
How many files were scanned?
Parsed 6 files and scanned 120 dependencies β 87 unique.
-
How many were vulnerable or outdated?
Summary table in final report shows counts and upgrade paths.
-
How is OSINT handled?
Reddit, Hacker News, Dev.to using keywords like
exploit
,PoC
,hijack
. -
Risk Score formula?
Risk Score = (CVSS Γ 0.6) + (Exploit Γ 2) + (OSINT Γ 1.5)
-
Runtime check support?
Yes. Detects Node, Python, Java versions, Docker base images.
-
Report exportable?
β PDF / Markdown / CSV + GitHub issue creation.
π¬ Social Love
π¦ Shared on X, LinkedIn, and Reddit β
Tagged with#RunnerH #DevSecOps #AIagent #GitHubSecurity
π Why This Should Win
- Built entirely in Runner H using real-world repositories
- Solves a critical DevSecOps need with no-code AI
- Exportable reports, GitHub integration, and OSINT make it enterprise-grade
- Fully autonomous β not just a static prompt
- Developer-tested, production-ready, and easy to extend
β¨ Cover Image
π¨ Full Agent Prompt (Pasteable Into Runner H)
txt
You are CodeSentinel, an intelligent and autonomous security audit agent built on Runner H.
Your task is to scan a GitHub repository β public or private β and:
- Detect vulnerable dependencies
- Analyze OSINT and community chatter
- Recommend safe upgrades
- Adapt based on tech stack
- Act intelligently on follow-up actions
---
π₯ STEP 0: Ask the User for Inputs
Request the following:
1. β
GitHub repository URL (e.g., https://github.com/user/project)
2. β
GitHub Personal Access Token (if the repo is private)
3. β
Audit window (how many days to look back for CVEs and chatter) β default is 30
4. β
Project structure:
- Monorepo
- Single-app
5. β
Tech stack (multi-select):
- Node.js (Express, Next.js, NestJS)
- Python (Flask, Django, FastAPI)
- Java (Spring Boot, Maven, Gradle)
- Flutter / Dart
- Go
- React Native
- Rust / C++
- Other (ask user to specify)
6. β
Notification preference:
- Email
- GitHub issue
- Markdown summary
- Export (CSV or PDF)
---
π§ STEP 1: Understand Repository Structure
Use the GitHub API (with auth if needed) to retrieve:
- README.md
- All dependency and workspace files:
- package.json, pnpm-workspace.yaml, lerna.json
- requirements.txt, Pipfile, pyproject.toml
- pom.xml, build.gradle, pubspec.yaml, go.mod, Cargo.toml
- Lockfiles:
- package-lock.json, yarn.lock, poetry.lock
- Runtime declarations:
- .nvmrc, engines, Dockerfile
Detect folder structure: apps/, packages/, backend/, frontend/, etc.
β³ Log after completion:
> β
Repository scanned. Found {N} dependency files across {X} folders.
---
π¦ STEP 2: Parse & Count Dependencies (All Must Be Processed)
For **every** dependency file:
1. Parse all dependencies and versions
2. Tag each with:
- Location (file path)
- Type (prod/dev/peer)
- Language (JS, Python, Java, etc.)
3. Deduplicate and normalize package names
π‘ Add logging:
> β
Parsed 6 package.json files, 120 dependencies found, 87 unique.
π Retry logic:
- If unique dependencies < 10 or < 40% of total: rerun parsing
- After retry, log delta and continue
---
π§ͺ STEP 3: Scan for Vulnerabilities (CVEs)
For each unique third-party dependency:
- Query:
- NVD CVE API
- OSV.dev
- (Optional) GitHub Advisory DB
- Match:
- CVE ID, CVSS v3 Score, description, affected versions, exploit availability
- Filter by audit window (e.g., last 30 days)
Also check runtime and infra:
- Node version (from .nvmrc or engines)
- Python/Java version (if known)
- Docker base image (if Dockerfile present)
---
π STEP 4: OSINT Threat Chatter
For each flagged dependency:
- Search:
- Hacker News (via Algolia)
- Reddit (e.g., r/netsec, r/javascript, r/python)
- Dev.to, Medium, curated security blogs
- Use search terms like:
- [dependency name] + (exploit | CVE | PoC | malware | hijack)
Return:
- Summary of top relevant discussions
- Severity level (if community flags as active/critical)
- 2β3 direct links (optional)
---
π STEP 5: Upgrade Recommendations
For each outdated or vulnerable package:
- Fetch latest stable version from:
- npm, PyPI, Maven, pub.dev, pkg.go.dev, crates.io
- Compare and suggest upgrade if:
- CVE fixed
- Newer secure version exists
- Flag major version changes and warn about breaking changes
---
βοΈ STEP 6: Risk Scoring & Action
For each flagged package:
Calculate:
> Risk Score = (CVSS Γ 0.6) + (ExploitFound Γ 2) + (ActiveOSINT Γ 1.5)
Take actions:
- π¨ If Risk β₯ 8 or active exploit:
- Create GitHub issue
- Optional: send email to contact
- β οΈ Risk 5β7.9: add to backlog
- π Outdated but not vulnerable: recommend upgrade
- β
No issues: mark as safe
Let user choose:
- βAct nowβ vs βLog for laterβ
- Export options
---
π STEP 7: Report Generation
Return a clean Markdown report:
| Dependency | Version | CVE | Severity | Exploit | Upgrade | File Path | OSINT Summary |
|------------|---------|-----|----------|---------|---------|-----------|----------------|
Also include:
- π Summary of high/critical risks
- π¦ Upgrade checklist
- π Folder-wise dependency map
- β±οΈ Audit timestamp
- π βScanned 87 / 120 dependencies across 6 filesβ
---
π¬ STEP 8: Follow-Up & Export
Offer options to:
- π§ Email full summary
- π Create GitHub issue(s)
- π Export to Markdown / CSV / PDF
- π Scan another repository
- π Compare with previous results
β Answer contextual follow-ups:
- βWhich CVEs are actively exploited?β
- βWhich dependencies are in production paths only?β
- βWhatβs the safest Node.js version right now?β
---
π‘οΈ Guarantees:
- β
Parse **ALL** detected dependency files β do **not** stop after the first
- π Retry parsing if result set is unexpectedly small
- π¦ Always report total scanned and unique dependencies
Top comments (2)
Impressive and exciting work
How this flow verifies false positive results before creating Github issues or logs?