Security Audit Agent Blueprint
Continuously scans your codebase for vulnerabilities, misconfigurations, and policy violations — with human review gates for critical findings.
What This Blueprint Does
The Security Audit Agent continuously scans your codebase, infrastructure configuration, and dependency tree for vulnerabilities, misconfigurations, and policy violations. It goes beyond static analysis: understanding code context to identify logic-level security issues that automated scanners miss.
Critically: this agent is read-only. It can access repos and config files but cannot modify them. Findings are reported to the Gateway dashboard and Slack — never written back. Critical findings require human review before any action is taken.
What It Scans
- Dependency Vulnerabilities — Scans manifests against known CVE databases, including transitive dependencies
- Hardcoded Secrets — API keys, tokens, passwords, private keys using pattern matching and entropy analysis
- IAM Misconfigurations — Wildcard permissions, unused roles, policies violating least privilege
- Code Security Patterns — SQL injection, XSS, SSRF, insecure deserialization, authentication bypass
- Configuration Drift — Infrastructure state vs. declared configuration (Terraform, Kubernetes)
- Compliance Violations — SOC 2, HIPAA, PCI-DSS, CIS benchmarks
Policy Configuration
project: acme-platform
agent: security-audit
policies:
# Read-only on all repos
- git:read on repos/*
# Read infrastructure metadata
- aws:iam:GetPolicy on arn:aws:iam::*:policy/*
- aws:iam:ListRoles on arn:aws:iam::*:role/*
- aws:s3:GetBucketPolicy on arn:aws:s3:::*
- aws:ec2:DescribeSecurityGroups on *
# Write findings to dashboard only — NO write to repos or AWS
- gateway:findings:write on projects/acme-platform
# Critical findings require human review
- security:critical:acknowledge
requires_approval: true
approval_channel: slack:#security-team
schedule:
frequency: daily
time: "02:00 UTC"
notifications:
on_complete: slack:#security-reports
on_critical: slack:#security-alerts
Finding Severity
| Severity | Description | SLA |
|---|---|---|
| Critical | Actively exploitable or exposed secret | Immediate Slack alert, requires human ack |
| High | Significant vulnerability or misconfiguration | Review within 24 hours |
| Medium | Best-practice violation | Review in next sprint |
| Low | Minor improvement | Monthly report |
Critical Finding Example
CRITICAL — Hardcoded AWS access key in
config/deploy.sh:47
Risk: Full access to production S3 buckets. Committed 3 days ago.
Evidence:AKIA*pattern with high entropy suffix. Not in .gitignore.
Recommendation: Rotate key immediately, remove from git history.
Confidence: High
[Acknowledge] [False Positive] [View Details]
Why Read-Only Matters
A security scanner with write access is a contradiction. If the scanner can modify code, it can introduce vulnerabilities. Sentrely enforces read-only by policy — the agent literally cannot write to repositories or modify infrastructure, regardless of what it’s prompted to do.
Deploy this blueprint
Get this agent running in 1 day with Sentrely's managed control plane.