I co-developed a DevOps-oriented security agent that automates vulnerability detection, analysis, and remediation in Python repositories. The system bridges the gap between raw security findings and actionable fixes by orchestrating scanning, LLM-based reasoning, automated patching, and validation in a single workflow.
The Challenge We Address
Developers, especially those in data science and rapid prototyping, often prioritize functionality over security hardening. While static analysis tools flag suspicious patterns, they rarely explain findings clearly or provide context-aware fixes. This project addresses that gap by making security accessible without requiring deep security expertise.
What We Built
A modular multi-agent system with four specialized components:
- Scanner Agent reads repositories while respecting .gitignore patterns and extracts Python files for analysis.
- Analyzer Agent orchestrates Semgrep scanning, parses findings into structured objects, and uses the LLM to classify true positives and generate risk explanations.
- Fixer Agent applies fixes deterministically or via LLM generation, validates syntax with Python's AST parser, creates backups for reversibility, and produces diffs for code review.
- Validator Agent performs syntax checks, import resolution, and runs test suites to ensure changes don't break functionality.
Key Features
- Detects common Python vulnerabilities: hard-coded secrets, unsafe eval/exec, command injection, SQL injection
- Generates context-aware fixes that follow secure coding best practices (environment variables, subprocess calls, parameterized queries)
- Integrates with Git workflows: creates fix branches, commits with templated messages, generates pull request descriptions
- Produces structured security reports with severity levels, explanations, and remediation suggestions
- Validates all changes before deployment to prevent unintended breakage
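The kind of deterministic fix step the Fixer Agent performs for the hard-coded-secret case (rewrite to an environment variable, AST syntax check, unified diff for review), as an added illustration rather than the project's own code; the secret-name heuristic, the sample file and the function names are assumptions:

```python
import ast
import difflib
import re

# Constructed heuristic for the demo: a string literal assigned to a name containing
# KEY/SECRET/TOKEN/PASSWORD. In the real pipeline Semgrep raises the finding and the
# Analyzer triages it before the Fixer runs; here "keyboard" would be a false positive.
SECRET_ASSIGN = re.compile(
    r'^(?P<indent>\s*)(?P<name>\w*(?:KEY|SECRET|TOKEN|PASSWORD)\w*)\s*='
    r'\s*(?P<q>["\']).*(?P=q)\s*$', re.IGNORECASE)

def fix_hardcoded_secrets(source):
    """Rewrite matching assignments to os.environ lookups; return (patched, names)."""
    out, moved = [], []
    for line in source.splitlines(keepends=True):
        m = SECRET_ASSIGN.match(line)
        if m:
            name = m.group("name")
            out.append(f'{m.group("indent")}{name} = os.environ["{name.upper()}"]\n')
            moved.append(name)
        else:
            out.append(line)
    patched = "".join(out)
    if moved and not re.search(r"^import os\b", patched, re.MULTILINE):
        patched = "import os\n" + patched  # simplistic: prepends even before a docstring
    return patched, moved

def make_diff(original, patched, path="app.py"):
    """Unified diff of the change, attached to the result for code review."""
    return "".join(difflib.unified_diff(
        original.splitlines(keepends=True), patched.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))

# Constructed sample standing in for a file the Scanner Agent extracted.
SAMPLE = '''import requests
API_KEY = "sk-live-1234567890"
DB_PASSWORD = 'hunter2'
timeout = "30"
'''

def run_fixer(source=SAMPLE):
    """Fix, syntax-check, and diff; never hand back a patch that does not parse."""
    patched, moved = fix_hardcoded_secrets(source)
    try:
        ast.parse(patched)  # the Fixer's AST gate before a backup is replaced
    except SyntaxError as exc:
        raise ValueError("patched source does not parse; restore from backup") from exc
    return patched, moved, make_diff(source, patched)
```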
Tech Stack
- Backend: Python, Semgrep (static analysis), Anthropic Claude API & Google Gemini API
- Architecture: Multi-agent system with pluggable LLM providers and retry/fallback logic
- Tools: AST parser for syntax validation, subprocess for safe code execution, unified diffs for auditability
- UI: Streamlit for user-friendly configuration and result visualization
- Integration: Git client wrapper, YAML-based configuration, environment variable management