Inspiration
CodeGuardian was inspired by a common pain point in software development: the slow, manual process of fixing security vulnerabilities. While tools can find issues quickly, developers often spend excessive time—industry reports suggest over 15 hours per week [1]—remediating them, delaying feature work. With the average time to patch vulnerabilities stretching over months [2] and 60% of breaches exploiting known flaws [3], the need for automation is clear. Observing the potential of agentic AI with Amazon Bedrock and AgentCore, we asked: Could an AI agent autonomously handle the entire security fix lifecycle? CodeGuardian is our answer, aiming to automate remediation and bridge the gap between detection and deployment.
[1] Secure Code Warrior, "The State of Developer-Centric Security," 2023.
[2] IBM, "Cost of a Data Breach Report," 2024.
[3] Tenable, "Tenable Annual Threat Report," 2023.
What it does
CodeGuardian is an autonomous AI agent that analyzes Python code repositories to identify, understand, and remediate code quality and security issues. Without human intervention, it performs a sequence of actions:
- Scans the codebase using static analysis (Bandit) to find potential issues.
- Analyzes the context of each finding by reading relevant source files and parsing the code structure (AST).
- Reasons about the root cause and potential impact.
- Generates specific, modernized code fixes.
- Validates that the generated fixes are syntactically correct.
- Reports its findings, reasoning, and the validated remediation suggestions.
How we built it
CodeGuardian is built entirely on AWS using a serverless architecture:
- Agent Intelligence: The core reasoning engine is the Amazon Nova Lite model accessed via Amazon Bedrock.
- Autonomous Orchestration: Bedrock AgentCore manages the agent's ability to autonomously select and execute a defined set of tools based on its analysis.
- Backend Execution: An AWS Lambda function hosts the entire agent logic, including the Bedrock client and tool implementations. An API Gateway provides the HTTP endpoint.
- Tooling: Custom Python code implements the tools AgentCore orchestrates: a Bandit security scanner wrapper, a file reader, an AST-based code analyzer, and a syntax validator.
- Frontend Demonstration: A static HTML/CSS/JavaScript dashboard hosted on AWS S3 provides a live interface to interact with the agent and visualize its process.
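The AST-based context lookup and the fix validation described above can be sketched as follows. This is an added example, not CodeGuardian's own code: the function names, the sample file and the candidate fixes are all constructed for illustration, and the check for the reported pattern goes one step beyond the purely syntactic validation the project describes.

```python
import ast

# Constructed sample file; line 4 is the kind of call Bandit reports (shell=True).
SAMPLE = '''import subprocess

def list_dir(path):
    return subprocess.check_output("ls " + path, shell=True)

def unrelated():
    return 1
'''
# Constructed candidate fixes, standing in for model output.
GOOD_FIX = 'def list_dir(path):\n    return subprocess.check_output(["ls", "--", path])\n'
BROKEN_FIX = 'def list_dir(path):\n    return subprocess.check_output(["ls", path]\n'
SAME_BUG = 'def list_dir(path):\n    return subprocess.run("ls " + path, shell=True)\n'
RENAMED = 'def list_directory(path):\n    return []\n'

FUNC = (ast.FunctionDef, ast.AsyncFunctionDef)

def enclosing_function(source, lineno):
    """Innermost function whose body spans the reported line, or None."""
    hits = [n for n in ast.walk(ast.parse(source))
            if isinstance(n, FUNC) and n.lineno <= lineno <= n.end_lineno]
    return max(hits, key=lambda n: n.lineno, default=None)

def has_shell_true(fn):
    """True if any call inside fn passes the literal keyword shell=True."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True
               for call in ast.walk(fn) if isinstance(call, ast.Call)
               for kw in call.keywords)

def validate_fix(original_fn, candidate):
    """Return (ok, reason) for a candidate replacement of original_fn."""
    try:
        tree = ast.parse(candidate)
    except SyntaxError:
        return False, "syntax error"
    if len(tree.body) != 1 or not isinstance(tree.body[0], FUNC):
        return False, "expected exactly one function definition"
    fn = tree.body[0]
    if fn.name != original_fn.name or ast.dump(fn.args) != ast.dump(original_fn.args):
        return False, "name or signature changed"
    if has_shell_true(fn):
        return False, "reported pattern still present"
    return True, "ok"

if __name__ == "__main__":
    target = enclosing_function(SAMPLE, 4)
    for fix in (GOOD_FIX, BROKEN_FIX, SAME_BUG, RENAMED):
        print(validate_fix(target, fix))
```

The shell=True check is tied to this one sample pattern; re-running the scanner on the patched file is the general form of the same check.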
Challenges we ran into
The most significant challenge was interacting with the LLM while analyzing potentially sensitive code. Initial prompts and tool descriptions using standard cybersecurity terms ("vulnerability," "exploit," "security fix") consistently triggered Amazon Bedrock's content filters (guardrails). This resulted in content_filtered errors that stopped the agent mid-task. A substantial amount of time was spent iteratively rewriting all prompts (user, system, and tool descriptions) to use neutral language focused on "code quality," "modernization," and "best practices." This required carefully balancing the need for the agent to understand the task with the need to avoid triggering safety mechanisms when processing real (but potentially "toxic"-looking) code snippets.
Accomplishments that we're proud of
- Successfully Implemented Autonomous Behavior: The agent demonstrably chains multiple, distinct tool calls (reading files, analyzing context, validating syntax) in a single run, making decisions based on prior results without human guidance.
- Overcame Content Filtering: Developed effective prompt engineering strategies to allow the agent to analyze and discuss code related to security issues without being blocked by safety guardrails.
- Full Serverless Deployment: Built and deployed the entire system using AWS serverless components (Bedrock, Lambda, API Gateway, S3), demonstrating a scalable and maintainable architecture.
- End-to-End Functionality: Created a working system from frontend interaction to backend analysis and result presentation, showcasing the complete autonomous remediation loop.
What we learned
This project provided deep insights into building agentic AI systems on AWS:
- Bedrock & AgentCore: Gained practical experience defining tools, orchestrating agent workflows, and interacting with Bedrock models (Nova Lite) via the converse API.
- Prompt Engineering is Crucial: Learned that crafting effective and safe prompts is non-trivial, especially for sensitive domains, requiring significant iteration and careful framing.
- Serverless Architecture: Acquired hands-on experience deploying a multi-component serverless application, including managing dependencies, IAM permissions, and API configurations.
- Agent Potential: Saw firsthand how autonomous agents can tackle complex, multi-step tasks that go far beyond simple prompt-response interactions.
What's next for CodeGuardian
- Multi-Language Support: Extend analysis capabilities beyond Python to include JavaScript, Java, Go, etc., by integrating relevant scanners and parsers.
- Git Integration: Add tools for the agent to automatically create new branches, commit validated fixes, and potentially open pull requests.
- CI/CD Integration: Package CodeGuardian as a container or GitHub Action to enable automated security checks and remediation within development pipelines.
- Enhanced Validation: Move beyond syntactic validation to include basic functional or unit testing for generated fixes (potentially by integrating with existing test suites).
Built With
- agentcore
- amazon-web-services
- apigateway
- bandit
- bedrock
- css
- django
- flask
- html
- javascript
- lambda
- python
- s3