Inspiration

Our inspiration for DevSecOps Sentinel came from a common pain point in modern software development: the friction between moving fast and staying secure. Security is often seen as a roadblock, a separate step that happens late in the cycle. We wanted to build a tool that makes security a seamless, automated part of the development process itself. The goal was to create a "guardian" that empowers developers by providing immediate, easy-to-understand feedback directly in their workflow (the pull request), turning security from a chore into a collaborative effort. We were inspired by the "shift-left" philosophy and wanted to build a practical, serverless solution that embodies it.

What it does

DevSecOps Sentinel is an automated, AI-powered security assistant that integrates directly into the GitHub workflow. When a developer opens a pull request, Sentinel automatically triggers a series of security and quality scans on the code changes using real-world tools. It features a multi-layer secret detection engine using TruffleHog and custom patterns, real-time dependency analysis against the OSV database, and intelligent code review using Amazon Bedrock with Claude Sonnet 4. It then consolidates all findings into a single, easy-to-read report and posts it as a comment on the pull request, providing immediate, actionable feedback.

How we built it

We built DevSecOps Sentinel using a pure, event-driven, serverless architecture on AWS, with all infrastructure defined as code using the AWS SAM framework.

The workflow is as follows:

  1. A GitHub Webhook fires on a pull request event and sends a payload to our Amazon API Gateway endpoint.
  2. The API Gateway triggers a WebhookHandlerFunction Lambda that validates the webhook's signature (GitHub sends an HMAC-SHA256 of the raw request body in the X-Hub-Signature-256 header) against a shared secret stored in AWS Secrets Manager. It then posts an immediate "Analysis in Progress" comment to the PR.
  3. Upon successful validation, this Lambda starts an AWS Step Functions state machine execution.
  4. The state machine uses a "fan-out/fan-in" pattern. A Map state invokes three scanner Lambda functions in parallel for secret, vulnerability, and AI analysis.
  5. After the parallel scans complete, a final AggregatorFunction Lambda "fans-in" the results. It formats a professional Markdown report and updates the original progress comment using the GitHub REST API.
  6. A summary of every scan is logged to an Amazon DynamoDB table for a persistent audit trail.
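As an added example of steps 2 and 3 (this is illustrative code, not Sentinel's own): a Python Lambda that checks GitHub's X-Hub-Signature-256 header against the shared secret before doing anything else, then posts the progress comment and starts the state machine. The environment variable names (WEBHOOK_SECRET_NAME, GITHUB_TOKEN, STATE_MACHINE_ARN), the comment text and the state-machine input shape are assumptions. The AWS and GitHub calls are confined to load_secret() and start_analysis(), so the validation path can be exercised offline with the constructed, self-signed delivery at the bottom.

```python
"""GitHub webhook receiver for the API Gateway -> Lambda front door.

Added example, not Sentinel's own code. Assumptions: the webhook secret lives
in AWS Secrets Manager under the name in WEBHOOK_SECRET_NAME, a GitHub token is
in GITHUB_TOKEN, and the Step Functions ARN is in STATE_MACHINE_ARN. The AWS and
GitHub calls are confined to load_secret() and start_analysis() so the
signature check can be exercised offline.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Callable, Optional

SIGNATURE_HEADER = "x-hub-signature-256"   # headers are matched case-insensitively
ACTIONS_TO_SCAN = ("opened", "synchronize", "reopened")


def verify_github_signature(secret: str, body: bytes, header: Optional[str]) -> bool:
    """True only if `header` is 'sha256=' + HMAC-SHA256(secret, raw body).

    GitHub signs the raw bytes, so the body must not be re-serialised before
    hashing. compare_digest keeps the comparison constant-time.
    """
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def handle_webhook(event: dict, secret: str,
                   on_pull_request: Callable[[dict], None]) -> dict:
    """API Gateway proxy event -> HTTP response. Nothing runs before the
    signature check, and only pull_request open/update events start a scan."""
    body = event.get("body") or ""
    raw = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode("utf-8")
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}

    if not verify_github_signature(secret, raw, headers.get(SIGNATURE_HEADER)):
        return {"statusCode": 401, "body": "invalid signature"}
    if headers.get("x-github-event") != "pull_request":
        return {"statusCode": 204, "body": ""}
    payload = json.loads(raw)
    if payload.get("action") not in ACTIONS_TO_SCAN:
        return {"statusCode": 204, "body": ""}
    on_pull_request(payload)
    return {"statusCode": 202, "body": "analysis started"}


def load_secret(secret_name: str) -> str:
    import boto3  # present in the Lambda runtime; imported lazily for offline use
    return boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)["SecretString"]


def start_analysis(payload: dict) -> None:
    """Post the progress comment, then start the state machine with the
    comment id so the aggregator can edit that same comment later."""
    import boto3
    import urllib.request
    repo = payload["repository"]["full_name"]
    number = payload["number"]
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/issues/{number}/comments",
        data=json.dumps({"body": "Analysis in Progress..."}).encode("utf-8"),
        headers={"Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
                 "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        comment_id = json.load(resp)["id"]
    boto3.client("stepfunctions").start_execution(
        stateMachineArn=os.environ["STATE_MACHINE_ARN"],
        input=json.dumps({"repo": repo, "pr_number": number,
                          "head_sha": payload["pull_request"]["head"]["sha"],
                          "comment_id": comment_id}))


def lambda_handler(event, context):
    secret = load_secret(os.environ["WEBHOOK_SECRET_NAME"])
    return handle_webhook(event, secret, on_pull_request=start_analysis)


# Constructed sample delivery, signed the way GitHub would sign it.
SAMPLE_SECRET = "constructed-test-secret"


def sample_event(secret: str = SAMPLE_SECRET, action: str = "opened") -> dict:
    body = json.dumps({"action": action, "number": 42,
                       "repository": {"full_name": "example/repo"},
                       "pull_request": {"head": {"sha": "0" * 40}}})
    sig = hmac.new(secret.encode("utf-8"), body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "isBase64Encoded": False,
            "headers": {"X-Hub-Signature-256": "sha256=" + sig,
                        "X-GitHub-Event": "pull_request"}}


if __name__ == "__main__":
    started = []
    print(handle_webhook(sample_event(), SAMPLE_SECRET, started.append))                # 202
    print(handle_webhook(sample_event(secret="wrong"), SAMPLE_SECRET, started.append))  # 401
```

Two details matter for the check to be meaningful: the HMAC is computed over the exact bytes API Gateway delivered (base64-decoded if the integration flagged them as such), never over a re-serialised JSON object, and the comparison uses hmac.compare_digest so a forged header cannot be refined byte by byte from response timing.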

This architecture showcases the power of AWS Lambda for event-driven compute, orchestrated by the resilience and scalability of AWS Step Functions.

Challenges we ran into

Throughout the development process, we navigated several real-world technical challenges:

  • Webhook Security: Initially, we struggled with webhook signature validation, leading us to simplify our architecture by integrating the validation logic directly into our primary handler function for a more robust and testable solution.
  • Production Tooling in Lambda: Packaging binary tools like trufflehog and git required creating a multi-step build process using Docker to compile them in a Lambda-compatible environment and deploying them via a custom Lambda Layer.
  • Real-World False Negatives: We discovered that our primary secret scanner, TruffleHog, was intentionally ignoring common test secrets (like AWS example keys). This forced us to architect a more resilient, multi-layer detection engine with custom pattern matching to ensure comprehensive coverage.
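An added illustration of the custom-pattern layer described in the last bullet (not Sentinel's own scanner): it walks only the added lines of a pull-request diff, applies a handful of regexes, and reports documented placeholder keys such as the AWS example key rather than dropping them. The rule set, the Finding structure, the placeholder list and the diff below are all constructed for the example.

```python
"""Custom-pattern secret detection over the added lines of a PR diff.

Added example, not Sentinel's code. PATTERNS, KNOWN_PLACEHOLDERS and
SAMPLE_DIFF are constructed for illustration. The point: a pattern layer
still reports well-known placeholder credentials (which a verification-based
scanner may skip on purpose) so the reviewer sees them, just labelled as such.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# (rule name, compiled pattern). Lookarounds keep a 20-char key from matching
# inside a longer base64 blob.
PATTERNS = [
    ("AWS access key ID", re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("GitHub token", re.compile(r"\b(?:ghp|gho|ghs|ghr)_[A-Za-z0-9]{36}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("Generic assignment",
     re.compile(r"(?i)(?:secret|password|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Placeholders published in vendor documentation; reported, but tagged so the
# report can downgrade them instead of silently dropping them.
KNOWN_PLACEHOLDERS = {"AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int          # line number in the new version of the file
    rule: str
    match: str
    placeholder: bool


def added_lines(diff: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_no, text) for every '+' line in a unified diff.
    Removed and context lines are skipped: a secret being deleted is not a
    new finding for this PR."""
    path, lineno, in_hunk = "", 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].strip()
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            lineno, in_hunk = (int(m.group(1)) if m else 0), True
        elif in_hunk and raw.startswith("+"):
            yield path, lineno, raw[1:]
            lineno += 1
        elif in_hunk and not raw.startswith(("-", "\\")):
            lineno += 1          # context line; "\ No newline..." is not counted


def scan_diff(diff: str) -> List[Finding]:
    findings = []
    for path, lineno, text in added_lines(diff):
        for rule, pattern in PATTERNS:
            for m in pattern.finditer(text):
                token = m.group(0)
                findings.append(Finding(path, lineno, rule, token, token in KNOWN_PLACEHOLDERS))
    return findings


def to_markdown(findings: List[Finding]) -> str:
    """Rows for the PR comment. The matched value is deliberately not echoed:
    a PR comment is itself a place a real secret should never be copied to."""
    if not findings:
        return "No secrets detected by the pattern layer."
    rows = ["| File | Line | Rule | Note |", "|---|---|---|---|"]
    for f in findings:
        note = "documented placeholder" if f.placeholder else "review and rotate"
        rows.append(f"| {f.path} | {f.line} | {f.rule} | {note} |")
    return "\n".join(rows)


# Constructed diff: one placeholder key, one real-looking password, one token.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,4 +10,6 @@ import os
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2hunter2"
 ALLOWED_HOSTS = ["*"]
+# token for CI: ghp_abcdefghijklmnopqrstuvwxyz0123456789
"""

if __name__ == "__main__":
    print(to_markdown(scan_diff(SAMPLE_DIFF)))
```

Running it reports three findings on new-file lines 11, 12 and 14; the placeholder is kept but labelled, and the removed line with the environment lookup produces nothing. In a layered engine this output would be merged with TruffleHog's results keyed on (path, line) so the same secret is not reported twice.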

Accomplishments that we're proud of

We are incredibly proud of successfully building a complete, production-ready, end-to-end serverless application that solves a real-world problem. Specifically:

  • A Truly Complete Feedback Loop: Seeing our application automatically post a formatted comment back to a live GitHub pull request—and then update it with results—was a huge accomplishment. It proved our entire architectural vision was sound and functional.
  • A Resilient, Multi-Layer Detection Engine: We didn't just integrate a single tool; we orchestrated multiple detection layers (TruffleHog, custom patterns, AI) to create a hybrid system that is more accurate and robust than a single scanner.
  • Professional-Grade Implementation: We are proud of building security in from the start, from validating every webhook request to securely managing all secrets in AWS Secrets Manager and achieving a high level of code quality with a comprehensive suite of over 40 unit tests.

What we learned

This project was a deep dive into practical, production-grade serverless application development. Our key learnings were:

  • The Power of Orchestration: AWS Step Functions is an indispensable tool for managing complex, multi-step serverless workflows. It provided the resilience, error handling, and parallel processing capabilities that would have been very difficult to build manually.
  • Infrastructure as Code is Non-Negotiable: Using AWS SAM to define our entire stack was critical. It allowed us to iterate quickly, maintain consistency, and have a single source of truth for our architecture.
  • Real-World Security is Nuanced: A single tool is never enough. Building a truly effective security tool requires a defense-in-depth approach, combining different methodologies to cover blind spots and handle edge cases gracefully.

What's next for DevSecOps Sentinel

The core product is fully functional and production-ready. The next exciting steps focus on expanding its accessibility and enterprise capabilities:

  1. Create a Public GitHub App: To make Sentinel accessible to everyone, our top priority is to package the application as a public GitHub App. This will allow any user or organization to install it with one click, bringing automated security scanning to their repositories seamlessly.
  2. Enhance the Detection Engines: We will continue to improve the scanners by integrating more advanced Static Application Security Testing (SAST) tools and refining our custom detection algorithms for even greater accuracy and a wider range of languages.
  3. Launch an Analytics Dashboard: We plan to develop a web-based dashboard that provides users with historical data, security trends, and organization-wide vulnerability metrics, offering deeper insights into their security posture.
