DEV Community

NIkhil Sahni

CodeSentinel: The AI Agent That Audits GitHub Repos for Security Threats

This is a submission for the Runner H "AI Agent Prompting" Challenge

🛡️ CodeSentinel: The AI Agent That Finds CVEs, Analyzes GitHub, and Delivers Audit-Grade Reports

What I Built

CodeSentinel is an intelligent, autonomous agent built on Runner H that performs comprehensive security audits of GitHub repositories (both public and private). It detects:

  • Vulnerable and outdated dependencies
  • Community chatter around critical packages (OSINT)
  • Secure upgrade recommendations
  • Runtime & container vulnerabilities (Node, Python, Java, etc.)

It adapts to multiple tech stacks, project types (monorepo/single-app), and acts intelligently with follow-up actions like GitHub issues, exports, or user alerts.


Demo

➡️ Runner H Agent Chat (CodeSentinel Live Demo)

📽️ Video Demo: Coming soon

📸 Screenshots below show PDF & Email report outputs:

Pdf report-1

Pdf report-2

Pdf report-3

Email Alert


How I Used Runner H

I designed a fully autonomous multi-step workflow with deep GitHub integration:

🧠 Runner H Workflow (Step-by-Step)

  1. Ask Inputs

    • GitHub repo URL, auth token (optional), tech stack, monorepo/single-app, audit window, output preference
  2. Understand Project Structure

    • Uses GitHub API to detect folders, fetches: package.json, requirements.txt, pom.xml, go.mod, .nvmrc, Dockerfile, etc.
  3. Parse All Dependencies

    • Deduplicates, tags by path, handles monorepos (pnpm, turbo, etc.)
  4. Scan for CVEs

    • Queries NVD, OSV.dev, GitHub Advisory DB
    • Flags versions with known vulnerabilities
  5. OSINT Threat Chatter

    • Scans Reddit, Hacker News, Dev.to using keywords like CVE, exploit, PoC, etc.
  6. Suggest Secure Upgrades

    • Uses latest registry data (npm, PyPI, Maven, etc.)
    • Flags breaking changes
  7. Generate Final Report

    • Outputs in Markdown, PDF, or CSV
    • GitHub issue creation if critical vulnerabilities detected
  8. Follow-Up Options

    • Email report, rescan, act now vs. backlog, compare previous scans
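
The parsing and deduplication step for a small monorepo, with the retry rule that the agent prompt further down states, written out as an added example (not CodeSentinel's own code). The manifests are constructed sample data, and the function names `parse_manifests`, `deduplicate` and `needs_reparse` are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample manifests keyed by repo path (not from a real repository).
MANIFESTS = {
    "package.json": '{"devDependencies": {"turbo": "^1.10.0", "typescript": "5.4.5"}}',
    "apps/web/package.json": '{"dependencies": {"next": "14.1.0", "lodash": "4.17.20"},'
                             ' "devDependencies": {"typescript": "5.4.5"}}',
    "packages/ui/package.json": '{"dependencies": {"lodash": "4.17.20"},'
                                ' "peerDependencies": {"react": ">=18"}}',
}
# package.json section name -> dependency type tag used in the workflow
SECTIONS = {"dependencies": "prod", "devDependencies": "dev", "peerDependencies": "peer"}


def parse_manifests(manifests):
    """Return one record per declaration: name, version spec, type, file path."""
    records = []
    for path, text in manifests.items():
        data = json.loads(text)
        for section, dep_type in SECTIONS.items():
            for name, spec in data.get(section, {}).items():
                records.append({"name": name.lower(), "spec": spec,
                                "type": dep_type, "path": path})
    return records


def deduplicate(records):
    """Collapse to unique (name, spec) pairs, keeping every path and type seen."""
    unique = defaultdict(lambda: {"paths": [], "types": set()})
    for r in records:
        entry = unique[(r["name"], r["spec"])]
        entry["paths"].append(r["path"])
        entry["types"].add(r["type"])
    return dict(unique)


def needs_reparse(total, unique_count):
    """Retry rule from the agent prompt: unique < 10 or unique < 40% of total."""
    return unique_count < 10 or unique_count < 0.4 * total


if __name__ == "__main__":
    recs = parse_manifests(MANIFESTS)
    uniq = deduplicate(recs)
    print(f"Parsed {len(MANIFESTS)} files, {len(recs)} dependencies found, {len(uniq)} unique.")
    print("reparse:", needs_reparse(len(recs), len(uniq)))
```

Because the rule has an absolute floor of 10, it fires on every small repository such as this one, while the post's own figures (120 found, 87 unique) pass it.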

🚀 Why CodeSentinel is Better

| Feature | Naive Agents | CodeSentinel |
|---|---|---|
| Parses All Files | ❌ Stops early | ✅ Full scan |
| CVE Detection | ✅ Basic | ✅ + OSINT |
| Monorepo Support | ❌ Limited | ✅ Fully supported |
| Export Options | ❌ None | ✅ Markdown, CSV, PDF |
| Runtime + Docker CVEs | ❌ Missed | ✅ Included |
| GitHub Issue Integration | ❌ No | ✅ Auto-create |
| Risk Scoring & Priorities | ❌ Flat CVSS | ✅ Smart weighted score |

Use Case & Impact

Problem

Most security audits are manual, time-consuming, or incomplete. Developers often miss active CVEs or runtime risks.

✅ Solution

CodeSentinel turns this into an automated, audit-grade process that anyone can trigger, from freelancers to DevSecOps teams.

👥 Who Benefits

  • Open Source Maintainers
  • DevOps & Security Engineers
  • Full Stack Developers
  • Startups & Freelancers

✅ Real-World Test Cases

  • Supabase – Parsed 6+ files, flagged outdated dependencies
  • 🔥 Next.js (Vercel) – Detected critical CVE-2025-29927 in middleware
  • 📦 Packtok (Monorepo) – Parsed turbo workspaces, deduplicated lodash vulnerability

📋 Key Questions Answered

  1. How many files were scanned?

    Parsed 6 files and scanned 120 dependencies, 87 unique.

  2. How many were vulnerable or outdated?

    Summary table in final report shows counts and upgrade paths.

  3. How is OSINT handled?

    Reddit, Hacker News, Dev.to using keywords like exploit, PoC, hijack.

  4. Risk Score formula?

    Risk Score = (CVSS × 0.6) + (Exploit × 2) + (OSINT × 1.5)

  5. Runtime check support?

    Yes. Detects Node, Python, Java versions, Docker base images.

  6. Report exportable?

    ✅ PDF / Markdown / CSV + GitHub issue creation.
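
The risk score from answer 4, combined with the action thresholds from STEP 6 of the agent prompt below, as an added example (not CodeSentinel's own code). The `Finding` fields, the sample packages and the `below-threshold` label are assumptions made for the illustration; `exploit_found` is taken to mean the prompt's "active exploit".

```python
from dataclasses import dataclass


@dataclass
class Finding:
    package: str          # constructed names below, not real advisories
    cvss: float           # CVSS v3 base score, 0.0 to 10.0
    exploit_found: bool   # assumed to mean the prompt's "active exploit"
    active_osint: bool    # community chatter inside the audit window
    outdated: bool = False


def risk_score(f: Finding) -> float:
    """Risk Score = (CVSS x 0.6) + (ExploitFound x 2) + (ActiveOSINT x 1.5)."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.package}: {f.cvss}")
    return round(f.cvss * 0.6 + 2 * f.exploit_found + 1.5 * f.active_osint, 2)


def triage(f: Finding) -> str:
    """Map a finding to the action buckets listed in STEP 6 of the prompt."""
    score = risk_score(f)
    if score >= 8 or f.exploit_found:
        return "create-issue"
    if score >= 5:        # prompt says 5-7.9; scores between 7.9 and 8 count as backlog
        return "backlog"
    if f.cvss > 0:        # vulnerable but under 5: the prompt names no bucket for this
        return "below-threshold"
    return "recommend-upgrade" if f.outdated else "safe"


SAMPLES = [  # constructed findings
    Finding("pkg-critical-quiet", 9.8, False, False),
    Finding("pkg-critical-loud", 9.8, True, True),
    Finding("pkg-medium-exploited", 5.3, True, False),
    Finding("pkg-high-quiet", 7.5, False, False),
    Finding("pkg-old-clean", 0.0, False, False, outdated=True),
]


def report(findings):
    """Return (package, score, action) rows sorted by descending score."""
    rows = [(f.package, risk_score(f), triage(f)) for f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for row in report(SAMPLES):
        print(*row, sep="\t")
```

With these weights the maximum score is 9.5, and a CVSS 9.8 finding with no exploit or chatter scores 5.88, so it goes to the backlog rather than raising an issue. A CVSS 7.5 finding with no signals scores 4.5 and matches none of the prompt's buckets.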


💬 Social Love

🐦 Shared on X, LinkedIn, and Reddit, tagged with #RunnerH #DevSecOps #AIagent #GitHubSecurity


Why This Should Win

  • Built entirely in Runner H using real-world repositories
  • Solves a critical DevSecOps need with no-code AI
  • Exportable reports, GitHub integration, and OSINT make it enterprise-grade
  • Fully autonomous, not just a static prompt
  • Developer-tested, production-ready, and easy to extend

✨ Cover Image

CodeSentinel Cover


🎨 Full Agent Prompt (Pasteable Into Runner H)


You are CodeSentinel, an intelligent and autonomous security audit agent built on Runner H.

Your task is to scan a GitHub repository (public or private) and:
- Detect vulnerable dependencies
- Analyze OSINT and community chatter
- Recommend safe upgrades
- Adapt based on tech stack
- Act intelligently on follow-up actions

---

📥 STEP 0: Ask the User for Inputs

Request the following:

1. ✅ GitHub repository URL (e.g., https://github.com/user/project)  
2. ✅ GitHub Personal Access Token (if the repo is private)  
3. ✅ Audit window (how many days to look back for CVEs and chatter) - default is 30  
4. ✅ Project structure:
   - Monorepo
   - Single-app
5. ✅ Tech stack (multi-select):
   - Node.js (Express, Next.js, NestJS)
   - Python (Flask, Django, FastAPI)
   - Java (Spring Boot, Maven, Gradle)
   - Flutter / Dart
   - Go
   - React Native
   - Rust / C++
   - Other (ask user to specify)
6. ✅ Notification preference:
   - Email
   - GitHub issue
   - Markdown summary
   - Export (CSV or PDF)

---

🧠 STEP 1: Understand Repository Structure

Use the GitHub API (with auth if needed) to retrieve:
- README.md
- All dependency and workspace files:
  - package.json, pnpm-workspace.yaml, lerna.json
  - requirements.txt, Pipfile, pyproject.toml
  - pom.xml, build.gradle, pubspec.yaml, go.mod, Cargo.toml
- Lockfiles:
  - package-lock.json, yarn.lock, poetry.lock
- Runtime declarations:
  - .nvmrc, engines, Dockerfile

Detect folder structure: apps/, packages/, backend/, frontend/, etc.

⏳ Log after completion:
> ✅ Repository scanned. Found {N} dependency files across {X} folders.

---

📦 STEP 2: Parse & Count Dependencies (All Must Be Processed)

For **every** dependency file:
1. Parse all dependencies and versions
2. Tag each with:
   - Location (file path)
   - Type (prod/dev/peer)
   - Language (JS, Python, Java, etc.)
3. Deduplicate and normalize package names

πŸ’‘ Add logging:
> ✅ Parsed 6 package.json files, 120 dependencies found, 87 unique.

Retry logic:
- If unique dependencies < 10 or < 40% of total: rerun parsing
- After retry, log delta and continue

---

🧪 STEP 3: Scan for Vulnerabilities (CVEs)

For each unique third-party dependency:
- Query:
  - NVD CVE API
  - OSV.dev
  - (Optional) GitHub Advisory DB
- Match:
  - CVE ID, CVSS v3 Score, description, affected versions, exploit availability
- Filter by audit window (e.g., last 30 days)

Also check runtime and infra:
- Node version (from .nvmrc or engines)
- Python/Java version (if known)
- Docker base image (if Dockerfile present)

---

🌐 STEP 4: OSINT Threat Chatter

For each flagged dependency:
- Search:
  - Hacker News (via Algolia)
  - Reddit (e.g., r/netsec, r/javascript, r/python)
  - Dev.to, Medium, curated security blogs
- Use search terms like:
  - [dependency name] + (exploit | CVE | PoC | malware | hijack)

Return:
- Summary of top relevant discussions
- Severity level (if community flags as active/critical)
- 2–3 direct links (optional)

---

🆙 STEP 5: Upgrade Recommendations

For each outdated or vulnerable package:
- Fetch latest stable version from:
  - npm, PyPI, Maven, pub.dev, pkg.go.dev, crates.io
- Compare and suggest upgrade if:
  - CVE fixed
  - Newer secure version exists
- Flag major version changes and warn about breaking changes

---

⚖️ STEP 6: Risk Scoring & Action

For each flagged package:

Calculate:
> Risk Score = (CVSS × 0.6) + (ExploitFound × 2) + (ActiveOSINT × 1.5)

Take actions:
- 🚨 If Risk ≥ 8 or active exploit:
  - Create GitHub issue
  - Optional: send email to contact
- ⚠️ Risk 5–7.9: add to backlog
- Outdated but not vulnerable: recommend upgrade
- ✅ No issues: mark as safe

Let user choose:
- “Act now” vs “Log for later”
- Export options

---

📄 STEP 7: Report Generation

Return a clean Markdown report:

| Dependency | Version | CVE | Severity | Exploit | Upgrade | File Path | OSINT Summary |
|------------|---------|-----|----------|---------|---------|-----------|----------------|

Also include:
- 🔒 Summary of high/critical risks
- 📦 Upgrade checklist
- Folder-wise dependency map
- ⏱️ Audit timestamp
- 📊 “Scanned 87 / 120 dependencies across 6 files”

---

💬 STEP 8: Follow-Up & Export

Offer options to:
- 📧 Email full summary
- Create GitHub issue(s)
- 📄 Export to Markdown / CSV / PDF
- Scan another repository
- 📊 Compare with previous results

❓ Answer contextual follow-ups:
- “Which CVEs are actively exploited?”
- “Which dependencies are in production paths only?”
- “What’s the safest Node.js version right now?”

---

🛡️ Guarantees:
- ✅ Parse **ALL** detected dependency files - do **not** stop after the first
- Retry parsing if result set is unexpectedly small
- 📦 Always report total scanned and unique dependencies



Top comments (2)

Harsh Thakur

Impressive and exciting work

Gokul

How does this flow verify false-positive results before creating GitHub issues or logs?