Inspiration

The inspiration for Almag came from an observation in the modern software factory: velocity is outpacing security. With AI agents writing code 10x faster, security teams are facing a "signal-to-noise" crisis. Current tools are siloed—developers have to check Gitleaks for secrets, Trivy for containers, and Semgrep for code—making it impossible to get a clear answer to a simple question: "Is this PR ready to ship?" We wanted to build the "Safety Rail" for the AI era—a platform that turns fragmented telemetry into a unified, enforceable release signal.

What it does

Almag is a security intelligence platform and release gate.

  • Normalization: It ingests raw data from virtually any security tool (Trivy, Gitleaks, Grype, Semgrep, and generic SARIF) and translates it into a single, standard security schema.
  • Enforceable Governance: It identifies "Release Blockers" in real time. If a high-priority risk is detected, the dashboard signal shifts to "DEPLOYMENT BLOCKED," preventing dangerous code from reaching production.
  • SLA & Ownership: It automatically assigns fix deadlines based on risk severity (e.g., 24h for Critical, 7d for High) and tracks ownership across teams.
  • Almag Actions: We’ve built a custom GitHub Action that allows developers to push scan results to Almag directly from their CI pipelines with a single line of YAML.

How we built it

  • The Engine: A high-performance Go backend handles the normalization and business logic, providing sub-second processing for massive security reports.
  • The Brain: SQLite + GORM provide a lightweight yet robust storage layer with full multi-tenancy support.
  • The Interface: A premium React (Vite) dashboard designed with rich aesthetics and micro-animations to give security posture the executive visibility it deserves.
  • The Delivery: A fully containerized architecture using Docker and Nginx, ensuring Almag can be deployed on any infrastructure in minutes.

Challenges we ran into

  • Schema Chaos: Security tools all speak different "languages." Mapping the highly complex SARIF standard alongside ad-hoc JSON outputs from various scanners into a normalized format was a significant technical hurdle.
  • Aesthetic vs. Utility: We didn't want a "boring" security tool. We spent significant effort building a custom UI that uses vibrant alerts and dark-mode glassmorphism to make critical risk data impossible to ignore while maintaining high information density.
  • State Integrity: Managing sensitive auth states across page refreshes in a stateless JWT environment required a custom-built persistence layer to ensure a seamless "pro" user experience.

Accomplishments that we're proud of

  • True Release Gating: Building a logic engine that accurately classifies "Release Blockers" based on real-world industry standards.
  • Custom CI/CD Integration: Successfully building a reusable GitHub Action that our project can use internally and that third-party developers can adopt today.
  • Engineering Quality: Achieving a high level of security hardening (CSP headers, secure ID generation, sanitization) in a hackathon-speed project.
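As an added illustration of the normalization, SLA and release-gating behaviour described under "What it does" and "Accomplishments" (example code written for this page, not Almag's own), the Go sketch below maps a SARIF log onto a unified finding record, stamps the 24h/7d fix deadlines, and emits the release signal. The SARIF level-to-severity mapping, the Medium/Low SLA durations, the SampleSARIF input and every identifier are assumptions of the example.

```go
package main
import ("encoding/json"; "time")
// Finding is the unified record every scanner output is normalized into.
type Finding struct {
	Tool, RuleID, Severity, Location string
	Deadline                         time.Time // SLA fix deadline
}
// SLA policy from the page (24h Critical, 7d High); the Medium and Low durations are assumed here.
var sla = map[string]time.Duration{"Critical": 24 * time.Hour, "High": 7 * 24 * time.Hour, "Medium": 30 * 24 * time.Hour, "Low": 90 * 24 * time.Hour}
// SARIF results carry a level, not a severity, so this mapping is an assumption; an absent level defaults to "warning" in SARIF 2.1.0.
var levelToSeverity = map[string]string{"error": "High", "warning": "Medium", "": "Medium", "note": "Low", "none": "Low"}
// Only the SARIF 2.1.0 fields used here are declared; encoding/json matches field names case-insensitively.
type sarifLog struct {
	Runs []struct {
		Tool    struct{ Driver struct{ Name string } }
		Results []struct {
			RuleID, Level string
			Locations     []struct{ PhysicalLocation struct{ ArtifactLocation struct{ URI string } } }
		}
	}
}
// SampleSARIF is a constructed log: one error-level result with a location and one note-level result without.
const SampleSARIF = `{"runs":[{"tool":{"driver":{"name":"Semgrep"}},"results":[{"ruleId":"example.secret","level":"error","locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/config.go"}}}]},{"ruleId":"example.todo","level":"note"}]}]}`

// NormalizeSARIF maps a raw SARIF log onto Findings and stamps each with its SLA deadline.
func NormalizeSARIF(raw []byte, now time.Time) (out []Finding, err error) {
	var doc sarifLog
	if err = json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	for _, run := range doc.Runs {
		for _, r := range run.Results {
			sev, loc := levelToSeverity[r.Level], ""
			if len(r.Locations) > 0 {
				loc = r.Locations[0].PhysicalLocation.ArtifactLocation.URI
			}
			out = append(out, Finding{run.Tool.Driver.Name, r.RuleID, sev, loc, now.Add(sla[sev])})
		}
	}
	return out, nil
}
// Gate is the release signal: any Critical or High finding is a release blocker.
func Gate(findings []Finding) string {
	for _, f := range findings {
		if f.Severity == "Critical" || f.Severity == "High" {
			return "DEPLOYMENT BLOCKED"
		}
	}
	return "READY TO SHIP"
}
```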

What we learned

We learned that "Developer Experience" is just as important in security as it is in coding. If a security tool is hard to integrate or painful to read, developers will ignore it. We also gained deep technical insights into the SARIF (Static Analysis Results Interchange Format) standard and how to build resilient multi-tenant systems in Go.

What's next for Almag

  • Nexos AI integration: Moving from identification to remediation, using LLMs to automatically generate "Verified Fix" Pull Requests for detected findings.
  • Cloud Connectors: Direct integrations with AWS and Azure to pull in infrastructure risks alongside application code risks.
  • Predictive Risk Scoring: Developing a machine-learning model to predict which parts of a codebase are most likely to contain the next critical vulnerability.
