Gallery captions: Homepage; Analyzing Last 100 Commits (1/2, 2/2); Analysis Results & Scoring (1/4 to 4/4); Personalized Duolingo / Tinder Style Flashcards (1/4 to 4/4)
Inspiration
Demo video: https://cln.sh/kwd5YrFm
We were inspired by a universal pain point for developers: mandatory security training is broken. It is generic, boring, and forgotten within a week. The result is wasted time and, more dangerously, a false sense of security while the same vulnerabilities are reintroduced into production. We wanted to make learning security as personal and addictive as Duolingo by turning a developer's own code into their textbook and coach: a security Duolingo customized to your own failures.
What it does
CommitDNA is an AI-powered security tutor that analyzes the unique "DNA" of your commits to create a hyper-personalized path to mastery. It operates in two phases:
- Diagnose: A multi-agent AI system on AWS Bedrock runs Semgrep over your code and pulls compliance context from Vanta, producing a "Security DNA" profile that pinpoints your specific vulnerabilities, coding habits, and compliance gaps.
- Train: It then generates an endless stream of gamified, swipe-based coding challenges derived from your own code, allowing you to learn by fixing your personal blind spots in a hands-on, engaging way.
How we built it
We built CommitDNA on a robust, cloud-native architecture. The backend is a multi-agent system built with the Claude Agent SDK on AWS Bedrock, where four specialized agents collaborate to perform a comprehensive security audit. These agents use tools like Semgrep and Vanta via the Model Context Protocol (MCP) for deep code intelligence and business context. The frontend is a polished Next.js and TypeScript application designed for a stellar developer experience, with a focus on data visualization and interactivity.
Challenges we ran into
Our primary challenge was orchestrating the parallel workflow of the Pattern Analyst and Compliance Mapper agents. Ensuring the main Audit Coordinator could handle timeouts, gracefully manage partial failures, and synthesize disparate JSON outputs into a single, cohesive report required meticulous prompt engineering. We iteratively refined each agent's system prompt to be highly specific about its role, tools, and output format, turning them into reliable "experts" that the coordinator could trust and manage effectively.
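To make the coordinator behaviour described in the architecture and challenge sections concrete, here is an added example (not CommitDNA's code) of an Audit Coordinator that starts the Pattern Analyst and Compliance Mapper in parallel, bounds each with a timeout, validates the JSON each one returns, and merges what succeeded into a report that records what is missing. The agent names come from the page; the output schemas, the timeout value, the rule id and the stand-in runner are assumptions made for the example.

```typescript
// Added example, not CommitDNA's code: a minimal Audit Coordinator for the
// two-agent parallel stage. Output schemas, timeout and the demo runner are
// assumptions; only the agent names come from the project description.

type AgentName = "pattern_analyst" | "compliance_mapper";

interface Finding { ruleId: string; file: string; line: number; severity: string }
interface ComplianceGap { control: string; evidence: string }

interface AuditReport {
  findings: Finding[];
  gaps: ComplianceGap[];
  failedAgents: AgentName[];  // timed out, threw, or returned malformed JSON
  complete: boolean;          // false if any agent failed: not a clean bill of health
}

type Settled<T> = { ok: true; value: T } | { ok: false; error: Error };

// An agent calls the model and returns its raw text reply.
type AgentRunner = (agent: AgentName, code: string) => Promise<string>;

// Reject if an agent exceeds its budget, so one stalled tool call cannot hang the audit.
function withTimeout<T>(p: Promise<T>, ms: number, label: string): Promise<T> {
  return new Promise<T>((resolve, reject) => {
    const timer = setTimeout(() => reject(new Error(`${label} timed out after ${ms} ms`)), ms);
    p.then(
      v => { clearTimeout(timer); resolve(v); },
      e => { clearTimeout(timer); reject(e); },
    );
  });
}

// Never trust that a model produced well-formed JSON of the promised shape:
// check the one field the coordinator depends on before using it.
function parseAgentOutput(agent: AgentName, raw: string): unknown[] {
  const obj: unknown = JSON.parse(raw);
  const field = agent === "pattern_analyst" ? "findings" : "gaps";
  const arr = (obj as Record<string, unknown> | null)?.[field];
  if (!Array.isArray(arr)) throw new Error(`${agent}: missing ${field}[] in output`);
  return arr;
}

async function settle<T>(p: Promise<T>): Promise<Settled<T>> {
  try { return { ok: true, value: await p }; }
  catch (e) { return { ok: false, error: e instanceof Error ? e : new Error(String(e)) }; }
}

// Merge whatever succeeded and record what did not, so the report states its own gaps.
function synthesize(results: { agent: AgentName; result: Settled<unknown[]> }[]): AuditReport {
  const report: AuditReport = { findings: [], gaps: [], failedAgents: [], complete: true };
  for (const { agent, result } of results) {
    if (!result.ok) { report.failedAgents.push(agent); report.complete = false; continue; }
    if (agent === "pattern_analyst") report.findings.push(...(result.value as Finding[]));
    else report.gaps.push(...(result.value as ComplianceGap[]));
  }
  return report;
}

async function runAudit(code: string, run: AgentRunner, timeoutMs = 30000): Promise<AuditReport> {
  const agents: AgentName[] = ["pattern_analyst", "compliance_mapper"];
  // Both agents start at once; each is timed out and parsed independently.
  const results = await Promise.all(
    agents.map(async agent => ({
      agent,
      result: await settle(
        withTimeout(run(agent, code), timeoutMs, agent).then(raw => parseAgentOutput(agent, raw)),
      ),
    })),
  );
  return synthesize(results);
}

// Constructed stand-in for the Bedrock-backed agents: the Pattern Analyst
// answers with one finding, the Compliance Mapper never replies, so the
// report comes back partial but usable. Rule id and file path are made up.
const demoRunner: AgentRunner = (agent) => {
  if (agent === "pattern_analyst") {
    return Promise.resolve(JSON.stringify({
      findings: [{ ruleId: "example.sql-string-concat", file: "src/db.ts", line: 12, severity: "high" }],
    }));
  }
  return new Promise<string>(() => { /* hangs until the coordinator's timeout fires */ });
};

runAudit('db.query("SELECT * FROM users WHERE id = " + id)', demoRunner, 100).then(report => {
  console.log(JSON.stringify(report, null, 2));
  // report.findings has 1 entry, report.failedAgents is ["compliance_mapper"], report.complete is false
});
```

The two properties worth keeping when wiring this to real agents are that `parseAgentOutput` rejects anything that is not the promised shape (a model reply that "looks like" JSON is the usual failure) and that `complete` is false whenever an agent dropped out, so a downstream consumer never mistakes a partial audit for a clean one.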
Accomplishments that we're proud of
We're most proud of our "Vulnerability Factory," a generative feedback loop. Semgrep is used not only to find bugs but to profile the user's own coding style. Claude on Bedrock then works backwards from Semgrep rules to generate new vulnerable snippets written the way the user writes. Finally, Semgrep runs again on each generated snippet, and only snippets that actually trigger the target rule become training challenges. A rule match confirms the pattern is present, not that it is exploitable in context, but it does keep unverified snippets out of the challenge set. This goes well beyond plain scanning and makes the training content adapt to each user.
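The verification half of that loop is the part a practitioner would want to see, since it is what keeps a hallucinated "vulnerability" out of the challenge set. The following is an added example, not CommitDNA's code: a generated (vulnerable, fixed) pair is accepted only if the target rule fires on the vulnerable snippet and stays silent on the fix, so every challenge has a checkable answer. The toy rule, its id, the candidate snippets and the offline stand-in runner are constructed for this example; the real runner shells out to the `semgrep` CLI with `--config` and `--json`, which are real flags, and the `results[].check_id` field it reads is Semgrep's actual output schema.

```typescript
import { spawnSync } from "node:child_process";
import { mkdtempSync, writeFileSync, rmSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Added example, not CommitDNA's code: the verification step of the
// "Vulnerability Factory". Rule, rule id, snippets and the stand-in runner
// are constructed; a Semgrep match proves the pattern is present, not that
// the snippet is exploitable in a real codebase.

interface SemgrepResult { check_id: string; start: { line: number } }
interface SemgrepJson { results: SemgrepResult[] }

// Runs one rule over one snippet and returns Semgrep-shaped JSON.
type SemgrepRunner = (ruleYaml: string, code: string) => SemgrepJson;

// Constructed toy rule in Semgrep rule syntax: a db.query(...) whose first
// argument is a string literal concatenated with something else.
const SQL_CONCAT_RULE = `rules:
  - id: example.sql-string-concat
    languages: [typescript]
    severity: ERROR
    message: SQL query built by string concatenation
    pattern: db.query("..." + $X, ...)
`;

// Real runner: writes rule and snippet to a temp dir and invokes the semgrep
// CLI (`semgrep --config <rule.yml> --json --quiet <file>`). Needs semgrep on PATH.
function semgrepCli(ruleYaml: string, code: string): SemgrepJson {
  const dir = mkdtempSync(join(tmpdir(), "vulnfactory-"));
  try {
    const rulePath = join(dir, "rule.yml");
    const codePath = join(dir, "candidate.ts");
    writeFileSync(rulePath, ruleYaml);
    writeFileSync(codePath, code);
    const proc = spawnSync("semgrep", ["--config", rulePath, "--json", "--quiet", codePath], { encoding: "utf8" });
    if (proc.error) throw proc.error;
    return JSON.parse(proc.stdout) as SemgrepJson;
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}

// Offline stand-in that imitates Semgrep's JSON for the toy rule only, so the
// example runs without semgrep installed. It is not a Semgrep implementation.
function semgrepStandIn(_ruleYaml: string, code: string): SemgrepJson {
  const results: SemgrepResult[] = [];
  code.split("\n").forEach((text, i) => {
    if (/db\.query\(\s*"[^"]*"\s*\+/.test(text)) {
      results.push({ check_id: "example.sql-string-concat", start: { line: i + 1 } });
    }
  });
  return { results };
}

interface Challenge { ruleId: string; vulnerable: string; fixed: string; line: number }

// Accept a generated pair only when the rule fires on the vulnerable snippet
// and not on the fix; anything else is discarded and regenerated.
function verifyChallenge(
  ruleYaml: string, ruleId: string, vulnerable: string, fixed: string, run: SemgrepRunner,
): Challenge | null {
  const vulnHits = run(ruleYaml, vulnerable).results.filter(r => r.check_id === ruleId);
  if (vulnHits.length === 0) return null;   // generator missed the pattern
  const fixHits = run(ruleYaml, fixed).results.filter(r => r.check_id === ruleId);
  if (fixHits.length > 0) return null;      // "fix" is still flagged: the answer key is wrong
  return { ruleId, vulnerable, fixed, line: vulnHits[0].start.line };
}

// Constructed candidate pair in the style a generator might emit.
const CANDIDATE_VULNERABLE = `export async function getUser(id: string) {
  return db.query("SELECT * FROM users WHERE id = " + id);
}`;
const CANDIDATE_FIXED = `export async function getUser(id: string) {
  return db.query("SELECT * FROM users WHERE id = $1", [id]);
}`;

// Use the real CLI when USE_REAL_SEMGREP is set, otherwise the offline stand-in.
const runner: SemgrepRunner = process.env.USE_REAL_SEMGREP ? semgrepCli : semgrepStandIn;
const accepted = verifyChallenge(SQL_CONCAT_RULE, "example.sql-string-concat", CANDIDATE_VULNERABLE, CANDIDATE_FIXED, runner);
console.log(accepted ? `accepted: rule fires on line ${accepted.line}` : "rejected");
// → accepted: rule fires on line 2
```

Checking the fix as well as the vulnerable snippet is the step that matters for a tutor: without it, a generator that emits a "fix" the rule still matches would ship a challenge whose only accepted answer is wrong.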
What we learned
Our biggest takeaway was the power of novel tool use. Initially, we saw our tools through a conventional lens. The breakthrough came when we stopped asking "What does this tool do?" and started asking "How can we use this tool in an unexpected way?" This mindset shift is what led us from simply finding vulnerabilities with Semgrep to using it as a core component in a generative AI loop for personalized content creation. It taught us that true innovation often lies in creatively combining existing, powerful tools.
What's next for CommitDNA: Personalized sec&compliance tutor on your commits
Our vision is to build CommitDNA into an indispensable part of the software development lifecycle. The next steps include:
- CI/CD Integration: Provide real-time feedback directly within pull requests.
- Automated Fix Suggestions: Use Claude to generate suggested code fixes in the user's style.
- Team Dashboards: Offer managers an aggregated, anonymized view of their team's security skills and progress, enabling targeted group training.
- Enterprise-Ready Features: Evolve into a full-fledged platform with SSO, role-based access control, and deeper compliance reporting to help entire organizations build a culture of security from the code up.
Built With
- claude-agent-sdk
- semgrep-mcp
- typescript
- vanta-mcp