Inspiration
Modern software relies heavily on open-source dependencies, but most security scanners generate huge numbers of alerts without determining whether a vulnerability is actually a risk in the context of a specific codebase. Developers often waste time sifting through false positives or miss real risks buried in noisy reports.
We wanted to build a system that goes beyond simple scanning. Our goal was to create an AI-powered investigation pipeline that analyzes vulnerabilities the way a security engineer would, by looking at how dependencies are actually used in the codebase.
What it does
DepGuard is a memory-backed multi-agent AI system for dependency security analysis. Instead of just listing vulnerabilities, it investigates them.
When a dependency vulnerability is detected, DepGuard launches a pipeline of AI agents:
- Scan Agent – Identifies vulnerable dependencies using OSV.dev.
- Code Agent – Searches the repository to determine where the dependency is used.
- Context Agent – Analyzes surrounding code to understand how the vulnerable functionality is actually used.
- Risk Agent – Determines whether the vulnerability is realistically exploitable in the codebase.
- Fix Agent – Suggests targeted remediation strategies or patches.
The system also maintains memory of past vulnerabilities and fixes, allowing the agents to improve future remediation suggestions based on previously validated solutions.
How we built it
We built DepGuard as a full-stack system with an AI investigation layer:
Frontend
React
Vite
TypeScript
TailwindCSS
The frontend provides a dashboard where developers can submit repositories, view vulnerability investigations, and see AI-generated risk analyses.
Backend
Python
FastAPI
SQLAlchemy
SQLite
The backend manages repository scans, orchestrates agent pipelines, and stores results.
AI Layer
Backboard AI multi-agent orchestration
Claude Sonnet models for analysis and reasoning
Each agent is responsible for a different stage of vulnerability investigation, allowing the system to simulate a structured security review process.
Data Sources
OSV.dev vulnerability database
Challenges we ran into
Determining real exploitability: Security scanners typically stop at identifying vulnerable packages. Determining whether a vulnerability is actually exploitable requires analyzing how code interacts with the dependency, so we had to build agents that can understand context within a repository.
Coordinating multiple AI agents: Designing a pipeline where agents pass information to each other reliably required careful schema design and orchestration logic.
Dealing with trust issues: Security tools must be trustworthy, especially when they analyze private codebases. To address this, we designed DepGuard with a zero-trust architecture. The system runs inside an isolated virtual machine environment, ensuring that repository code is processed in a contained and secure runtime.
This design helps build confidence that the tool is secure, isolated, and enterprise-ready.
Reducing false positives: One of the main goals was ensuring the AI produces meaningful risk analysis rather than just repeating vulnerability descriptions.
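The scan, code and risk stages listed under "What it does", and the usage analysis these challenges describe, reduced to a deterministic sketch; this is an added example, not DepGuard's code, and it uses Python's `ast` module where DepGuard uses LLM agents. The advisory record, its `symbols` field, the package `examplepkg` and all function names are assumptions made for the illustration.

```python
import ast
from dataclasses import dataclass, field
# Constructed inputs (not real OSV data); "symbols" is an assumed field.
ADVISORY = {"id": "EXAMPLE-0001", "package": "examplepkg",
            "introduced": "1.0.0", "fixed": "2.1.0", "symbols": {"unsafe_load"}}
PINS = {"examplepkg": "1.4.2"}
SOURCES = {"a.py": "import examplepkg as ep\ncfg = ep.unsafe_load(raw)\n",
           "b.py": "from examplepkg import safe_load\n"}

@dataclass
class Finding:  # the record handed from stage to stage
    advisory_id: str
    package: str
    version: str
    imported_in: list = field(default_factory=list)
    calls: list = field(default_factory=list)  # (file, line, symbol)
    verdict: str = "unknown"

def _v(s):
    return tuple(int(p) for p in s.split("."))

def scan(pins, adv):
    """Scan stage: flag the pin if it falls in [introduced, fixed)."""
    ver = pins.get(adv["package"])
    hit = ver and _v(adv["introduced"]) <= _v(ver) < _v(adv["fixed"])
    return Finding(adv["id"], adv["package"], ver) if hit else None

def investigate(finding, adv, sources):
    """Code/context/risk stages: find imports and calls to flagged symbols."""
    pkg = adv["package"]
    for path, text in sources.items():
        tree, mods, syms = ast.parse(text), set(), {}
        for n in ast.walk(tree):  # pass 1: local names bound to the package
            if isinstance(n, ast.Import):
                mods |= {a.asname or pkg for a in n.names if a.name.split(".")[0] == pkg}
            elif isinstance(n, ast.ImportFrom) and (n.module or "").split(".")[0] == pkg:
                syms.update({a.asname or a.name: a.name for a in n.names})
        if mods or syms:
            finding.imported_in.append(path)
        for n in ast.walk(tree):  # pass 2: calls made through those names
            f = n.func if isinstance(n, ast.Call) else None
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and f.value.id in mods and f.attr in adv["symbols"]):
                finding.calls.append((path, n.lineno, f.attr))
            elif isinstance(f, ast.Name) and syms.get(f.id) in adv["symbols"]:
                finding.calls.append((path, n.lineno, syms[f.id]))
    finding.verdict = ("reachable" if finding.calls else
                       "imported-only" if finding.imported_in else "not-used")
    return finding
```

Static name matching does not see dynamic imports, `getattr` lookups or re-exports, so a "not-used" or "imported-only" verdict lowers triage priority rather than proving the advisory does not apply.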
Accomplishments that we're proud of
Building a full multi-agent AI pipeline in a short time: In a limited hackathon timeframe, we successfully designed and implemented a complete multi-agent architecture where different AI agents collaborate to investigate vulnerabilities instead of just reporting them.
Moving beyond traditional vulnerability scanners: Most security tools stop at detecting vulnerable dependencies. We built a system that actually analyzes how the dependency is used in the codebase to determine whether the vulnerability is realistically exploitable.
End-to-end full-stack implementation: We developed a complete working system with a React frontend dashboard, FastAPI backend, AI agent pipeline, and vulnerability data integration, allowing users to scan repositories and receive contextual risk analysis.
Designing a memory-backed AI system: Our architecture allows the system to learn from previous investigations and remediation solutions, enabling better recommendations for similar vulnerabilities in the future.
Security-focused architecture: We designed the platform with zero-trust principles and isolated VM execution, helping ensure that private codebases can be analyzed securely.
What we learned
Through building DepGuard we learned:
How multi-agent AI systems can break down complex tasks like security investigation.
How to design structured AI pipelines instead of relying on a single prompt.
How to integrate AI reasoning into traditional backend architectures.
The importance of context-aware security analysis for modern software supply chains.
What's next for DepGuardAI
Scaling the platform: Our next step is to evolve DepGuard from a prototype into a scalable security platform. This includes improving the agent orchestration layer so it can analyze thousands of repositories concurrently. By containerizing the investigation pipeline and running agents in isolated compute environments, the system can scale horizontally across cloud infrastructure while maintaining security boundaries.
Enterprise adoption for tech companies: For technology companies, DepGuard can integrate directly into existing development workflows. Future development will focus on CI/CD integrations (GitHub, GitLab, Jenkins), automated pull-request fixes, and continuous monitoring of dependency risks. This would allow engineering teams to detect and investigate vulnerabilities automatically as part of their development pipeline, reducing manual triage and accelerating secure software delivery.
Government and critical infrastructure use cases: DepGuard is particularly relevant for government agencies and organizations managing critical infrastructure, where software supply chain security is a growing national priority. The platform can be deployed in air-gapped or private environments using its zero-trust VM architecture, enabling agencies to analyze sensitive codebases without exposing them externally.
By scaling the investigation engine and strengthening compliance features, DepGuard could support security initiatives around software supply chain integrity, vulnerability triage, and secure code auditing for government systems.
Expanding the AI investigation capabilities: We also plan to expand the system’s capabilities beyond dependency vulnerabilities. Future agents could investigate:
- Misconfigurations and insecure coding patterns
- API misuse or unsafe library usage
- Infrastructure-as-code vulnerabilities
- Real exploit path analysis across services
This would transform DepGuardAI from a dependency scanner into a full AI-powered security investigation platform for modern software systems.
Finally, we aim to strengthen the system’s memory and learning capabilities, allowing it to continuously improve remediation strategies based on past investigations and verified fixes. Over time, this creates a growing knowledge base of real-world vulnerability solutions that makes the platform smarter and more reliable.
Built With
- antigravity
- backboard.io
- fastapi
- osv.dev
- python
- react
- sqlalchemy
- sqlite
- vultr