Your codebase has bugs.
SecureBot finds them. And fixes them.
An autonomous security agent that scans repositories for OWASP Top 10 vulnerabilities, hardcoded secrets, and known CVEs — then writes the patches itself. Powered by GitAgent's git-native agent runtime.
Two specialized GitAgent agents — Scanner and Fixer — chained via a workflow YAML. Each is a real git-committable agent repo.
Four tools: scan_file, find_secrets, check_deps, generate_fix. A preToolUse hook gates destructive shell commands, and an audit log captures every tool call.
Watch the agent think, call tools, and emit findings live via SSE. No waiting for a final report — you see the reasoning unfold.
One click on any finding spins up the Fixer Agent. Canonical patches per CWE — SQL injection → parameterized query, weak crypto → SHA-256, etc.
Every scan appends to memory/MEMORY.md and is committed. The agent's history is its memory — diff it, fork it, branch it.
agent.yaml declares risk_level: high and audit_logging: true. Findings reference real CWE IDs — security-team-ready by default.
```text
User submits repo URL
          │
          ▼
┌─────────────────────────┐          ┌──────────────────────────────────┐
│ POST /api/scan          │ ──SSE──▶ │ Frontend (live thinking + cards) │
└─────────────────────────┘          └──────────────────────────────────┘
          │
          ▼
   GitAgent SDK query()
          │
          ├── tools: scan_file, find_secrets, check_deps
          ├── hooks: preToolUse (audit + block), onError
          └── agent: securebot/ (SOUL.md · RULES.md · skills/ · memory/)
          │
          ▼
Findings stream back as `finding` JSON blocks

User clicks "Fix"
          │
          ▼
POST /api/fix → Fixer Agent → generate_fix tool → `fix` block
```
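The preToolUse gate and audit log described above, as an added example that is not GitAgent's or SecureBot's own code: the hook signature `preToolUse(toolName, input) -> { allow, reason }`, the shell tool names and the destructive-pattern list are assumptions, so adapt them to the SDK's real hook interface.

```javascript
// Added example (not GitAgent/SecureBot code): a preToolUse-style hook that blocks
// destructive shell commands and appends every tool call to an audit log.
// Hook shape, tool names and patterns are assumptions, not the SDK's real API.
const SHELL_TOOLS = new Set(["bash", "shell"]); // assumed names of the shell tool

// Patterns that should never run unattended inside a scanned repository.
// Each rule carries the reason that is reported back to the agent when it fires.
const DESTRUCTIVE_RULES = [
  { why: "recursive forced delete", re: /\brm\s+(-[a-zA-Z]*[rR][a-zA-Z]*f|-[a-zA-Z]*f[a-zA-Z]*[rR])\b/ },
  { why: "force push rewrites remote history", re: /\bgit\s+push\b.*(--force|\s-f)\b/ },
  { why: "discards uncommitted work", re: /\bgit\s+(reset\s+--hard|clean\s+-[a-zA-Z]*f|checkout\s+--\s+\.)/ },
  { why: "pipes downloaded content into a shell", re: /\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/ },
  { why: "raw disk or filesystem write", re: /\b(mkfs(\.\w+)?|dd\s+if=|shred)\b/ },
  { why: "world-writable permissions", re: /\bchmod\s+(-R\s+)?[0-7]?777\b/ },
];

const AUDIT_LOG = []; // in a real agent, append to a file under memory/ and commit it

// Called before every tool invocation. Non-shell tools (scan_file, find_secrets, ...)
// are allowed but still logged; shell commands are checked against the rules above.
function preToolUse(toolName, input) {
  let decision = { allow: true, reason: "not a shell command" };
  if (SHELL_TOOLS.has(toolName)) {
    const cmd = String((input && input.command) || "");
    const hit = DESTRUCTIVE_RULES.find((rule) => rule.re.test(cmd));
    decision = hit
      ? { allow: false, reason: `blocked: ${hit.why} (${cmd.match(hit.re)[0]})` }
      : { allow: true, reason: "shell command passed destructive-pattern check" };
  }
  AUDIT_LOG.push({
    seq: AUDIT_LOG.length + 1,
    ts: new Date().toISOString(),
    tool: toolName,
    input: JSON.stringify(input),
    allow: decision.allow,
    reason: decision.reason,
  });
  return decision;
}

// Returns a copy so callers cannot rewrite the audit history.
function auditLog() {
  return AUDIT_LOG.slice();
}
```

Pattern matching on command text is a coarse gate; a command built from variables or run through `eval` will not match, so treat it as one layer and keep the shell tool on a restricted runner.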