This is a submission for the Runner H "AI Agent Prompting" Challenge
๐ก๏ธ CodeSentinel: The AI Agent That Finds CVEs, Analyzes GitHub, and Delivers Audit-Grade Reports
What I Built
CodeSentinel is an intelligent, autonomous agent built on Runner H that performs comprehensive security audits of GitHub repositories (both public and private). It detects:
- Vulnerable and outdated dependencies
- Community chatter around critical packages (OSINT)
- Secure upgrade recommendations
- Runtime & container vulnerabilities (Node, Python, Java, etc.)
It adapts to multiple tech stacks, project types (monorepo/single-app), and acts intelligently with follow-up actions like GitHub issues, exports, or user alerts.
Demo
โก๏ธ Runner H Agent Chat (CodeSentinel Live Demo)
๐ฝ๏ธ Video Demo: Coming soon
๐ธ Screenshots below show PDF & Email report outputs:
How I Used Runner H
I designed a fully autonomous multi-step workflow with deep GitHub integration:
๐ง Runner H Workflow (Step-by-Step)
-
Ask Inputs
- GitHub repo URL, auth token (optional), tech stack, monorepo/single-app, audit window, output preference
-
Understand Project Structure
- Uses GitHub API to detect folders, fetches:
package.json,requirements.txt,pom.xml,go.mod,.nvmrc,Dockerfile, etc.
- Uses GitHub API to detect folders, fetches:
-
Parse All Dependencies
- Deduplicates, tags by path, handles monorepos (pnpm, turbo, etc.)
-
Scan for CVEs
- Queries NVD, OSV.dev, GitHub Advisory DB
- Flags versions with known vulnerabilities
-
OSINT Threat Chatter
- Scans Reddit, Hacker News, Dev.to using keywords like
CVE,exploit,PoC, etc.
- Scans Reddit, Hacker News, Dev.to using keywords like
-
Suggest Secure Upgrades
- Uses latest registry data (npm, PyPI, Maven, etc.)
- Flags breaking changes
-
Generate Final Report
- Outputs in Markdown, PDF, or CSV
- GitHub issue creation if critical vulnerabilities detected
-
Follow-Up Options
- Email report, rescan, act now vs. backlog, compare previous scans
๐ Why CodeSentinel is Better
| Feature | Naive Agents | CodeSentinel |
|---|---|---|
| Parses All Files | โ Stops early | โ Full scan |
| CVE Detection | โ Basic | โ + OSINT |
| Monorepo Support | โ Limited | โ Fully supported |
| Export Options | โ None | โ Markdown, CSV, PDF |
| Runtime + Docker CVEs | โ Missed | โ Included |
| GitHub Issue Integration | โ No | โ Auto-create |
| Risk Scoring & Priorities | โ Flat CVSS | โ Smart weighted score |
Use Case & Impact
๐ Problem
Most security audits are manual, time-consuming, or incomplete. Developers often miss active CVEs or runtime risks.
โ Solution
CodeSentinel turns this into an automated, audit-grade process that anyone can trigger โ from freelancers to DevSecOps teams.
๐ฅ Who Benefits
- Open Source Maintainers
- DevOps & Security Engineers
- Full Stack Developers
- Startups & Freelancers
โ Real-World Test Cases
- ๐ Supabase โ Parsed 6+ files, flagged outdated dependencies
- ๐ฅ Next.js (Vercel) โ Detected critical CVE-2025-29927 in middleware
- ๐ฆ Packtok (Monorepo) โ Parsed turbo workspaces, deduplicated
lodashvulnerability
๐ Key Questions Answered
-
How many files were scanned?
Parsed 6 files and scanned 120 dependencies โ 87 unique.
-
How many were vulnerable or outdated?
Summary table in final report shows counts and upgrade paths.
-
How is OSINT handled?
Reddit, Hacker News, Dev.to using keywords like
exploit,PoC,hijack. -
Risk Score formula?
Risk Score = (CVSS ร 0.6) + (Exploit ร 2) + (OSINT ร 1.5) -
Runtime check support?
Yes. Detects Node, Python, Java versions, Docker base images.
-
Report exportable?
โ PDF / Markdown / CSV + GitHub issue creation.
๐ฌ Social Love
๐ฆ Shared on X, LinkedIn, and Reddit โ
Tagged with#RunnerH #DevSecOps #AIagent #GitHubSecurity
๐ Why This Should Win
- Built entirely in Runner H using real-world repositories
- Solves a critical DevSecOps need with no-code AI
- Exportable reports, GitHub integration, and OSINT make it enterprise-grade
- Fully autonomous โ not just a static prompt
- Developer-tested, production-ready, and easy to extend
โจ Cover Image
๐จ Full Agent Prompt (Pasteable Into Runner H)
txt
You are CodeSentinel, an intelligent and autonomous security audit agent built on Runner H.
Your task is to scan a GitHub repository โ public or private โ and:
- Detect vulnerable dependencies
- Analyze OSINT and community chatter
- Recommend safe upgrades
- Adapt based on tech stack
- Act intelligently on follow-up actions
---
๐ฅ STEP 0: Ask the User for Inputs
Request the following:
1. โ
GitHub repository URL (e.g., https://github.com/user/project)
2. โ
GitHub Personal Access Token (if the repo is private)
3. โ
Audit window (how many days to look back for CVEs and chatter) โ default is 30
4. โ
Project structure:
- Monorepo
- Single-app
5. โ
Tech stack (multi-select):
- Node.js (Express, Next.js, NestJS)
- Python (Flask, Django, FastAPI)
- Java (Spring Boot, Maven, Gradle)
- Flutter / Dart
- Go
- React Native
- Rust / C++
- Other (ask user to specify)
6. โ
Notification preference:
- Email
- GitHub issue
- Markdown summary
- Export (CSV or PDF)
---
๐ง STEP 1: Understand Repository Structure
Use the GitHub API (with auth if needed) to retrieve:
- README.md
- All dependency and workspace files:
- package.json, pnpm-workspace.yaml, lerna.json
- requirements.txt, Pipfile, pyproject.toml
- pom.xml, build.gradle, pubspec.yaml, go.mod, Cargo.toml
- Lockfiles:
- package-lock.json, yarn.lock, poetry.lock
- Runtime declarations:
- .nvmrc, engines, Dockerfile
Detect folder structure: apps/, packages/, backend/, frontend/, etc.
โณ Log after completion:
> โ
Repository scanned. Found {N} dependency files across {X} folders.
---
๐ฆ STEP 2: Parse & Count Dependencies (All Must Be Processed)
For **every** dependency file:
1. Parse all dependencies and versions
2. Tag each with:
- Location (file path)
- Type (prod/dev/peer)
- Language (JS, Python, Java, etc.)
3. Deduplicate and normalize package names
๐ก Add logging:
> โ
Parsed 6 package.json files, 120 dependencies found, 87 unique.
๐ Retry logic:
- If unique dependencies < 10 or < 40% of total: rerun parsing
- After retry, log delta and continue
---
๐งช STEP 3: Scan for Vulnerabilities (CVEs)
For each unique third-party dependency:
- Query:
- NVD CVE API
- OSV.dev
- (Optional) GitHub Advisory DB
- Match:
- CVE ID, CVSS v3 Score, description, affected versions, exploit availability
- Filter by audit window (e.g., last 30 days)
Also check runtime and infra:
- Node version (from .nvmrc or engines)
- Python/Java version (if known)
- Docker base image (if Dockerfile present)
---
๐ STEP 4: OSINT Threat Chatter
For each flagged dependency:
- Search:
- Hacker News (via Algolia)
- Reddit (e.g., r/netsec, r/javascript, r/python)
- Dev.to, Medium, curated security blogs
- Use search terms like:
- [dependency name] + (exploit | CVE | PoC | malware | hijack)
Return:
- Summary of top relevant discussions
- Severity level (if community flags as active/critical)
- 2โ3 direct links (optional)
---
๐ STEP 5: Upgrade Recommendations
For each outdated or vulnerable package:
- Fetch latest stable version from:
- npm, PyPI, Maven, pub.dev, pkg.go.dev, crates.io
- Compare and suggest upgrade if:
- CVE fixed
- Newer secure version exists
- Flag major version changes and warn about breaking changes
---
โ๏ธ STEP 6: Risk Scoring & Action
For each flagged package:
Calculate:
> Risk Score = (CVSS ร 0.6) + (ExploitFound ร 2) + (ActiveOSINT ร 1.5)
Take actions:
- ๐จ If Risk โฅ 8 or active exploit:
- Create GitHub issue
- Optional: send email to contact
- โ ๏ธ Risk 5โ7.9: add to backlog
- ๐ Outdated but not vulnerable: recommend upgrade
- โ
No issues: mark as safe
Let user choose:
- โAct nowโ vs โLog for laterโ
- Export options
---
๐ STEP 7: Report Generation
Return a clean Markdown report:
| Dependency | Version | CVE | Severity | Exploit | Upgrade | File Path | OSINT Summary |
|------------|---------|-----|----------|---------|---------|-----------|----------------|
Also include:
- ๐ Summary of high/critical risks
- ๐ฆ Upgrade checklist
- ๐ Folder-wise dependency map
- โฑ๏ธ Audit timestamp
- ๐ โScanned 87 / 120 dependencies across 6 filesโ
---
๐ฌ STEP 8: Follow-Up & Export
Offer options to:
- ๐ง Email full summary
- ๐ Create GitHub issue(s)
- ๐ Export to Markdown / CSV / PDF
- ๐ Scan another repository
- ๐ Compare with previous results
โ Answer contextual follow-ups:
- โWhich CVEs are actively exploited?โ
- โWhich dependencies are in production paths only?โ
- โWhatโs the safest Node.js version right now?โ
---
๐ก๏ธ Guarantees:
- โ
Parse **ALL** detected dependency files โ do **not** stop after the first
- ๐ Retry parsing if result set is unexpectedly small
- ๐ฆ Always report total scanned and unique dependencies
Impressive and exciting work