Dispatch

Dispatch is the essential AI agent for DevSecOps, delivering autonomous security and instant compliance. It eliminates manual toil, allowing your team to scale expertise, not remediation.

Comment

Inspiration

The core inspiration for Dispatch was the realization that the traditional security process is overwhelmed by 3 critical, costly failures:

  1. Remediation Bottleneck: Manual patching requires developers to spend significant time writing simple fixes, leading to prolonged risk. According to IBM, The average Mean Time to Remediate (MTTR) for critical vulnerabilities often stretches into 57-74 days across industries (2024).
  2. Fragile Tool Orchestration: Integrating security tools requires fragmented, custom scripting and scattered credential management. This maintenance overhead consumes valuable developer time with some studies suggesting developers spend over 10 hours a week on bug-fixing and other related tasks.
  3. No Contextual Expertise: Existing tools identify problems but rarely provide compliant, production-ready code. The failure to apply patches promptly results in severe financial risk, with the average cost of a data breach reaching $4.44 million globally (IBM, 2025).

We envisioned Dispatch as the solution: an autonomous system that could eliminate much of this manual work by generating and proposing standards-compliant fixes.

What it does

Dispatch operates as a highly specialized, self-orchestrating agent. The core of our system is Amazon Bedrock AgentCore, which serves as the brain for the entire DevSecOps workflow. The FastAPI server receives the user's repository request and delegates all complex reasoning and action to AgentCore, which autonomously chooses and chains specialized AWS Lambda functions, our tools, to execute the end-to-end process.

  • Scanner: This tool executes Semgrep to perform a full Static Application Security Test (SAST) on the current codebase, providing the foundational vulnerability data.
  • Analyzer: This tool receives the scan results and utilizes the underlying Claude 3.5 Sonnet LLM for complex security reasoning. It processes the findings and generates precise, compliant code remediations.
  • Deployer: The final tool takes the corrected code, commits it with the necessary bot identity, and pushes the new branch to the target repository, culminating in the creation of an automated Pull Request for final approval.

How we built it

We built our architecture on the principle of autonomous and secure tool use, ensuring every step of the agent's decision-making process is grounded in security expertise.

Agent Orchestration

We rely on Amazon Bedrock AgentCore to automatically determine the correct execution sequence of the tools. This eliminates the need for brittle, custom orchestration scripts.

Security Grounding (RAG)

To ensure the Analyzer generates authoritative, standards-based patches, we established Bedrock Knowledge Bases. We indexed critical security standards (CWE, OWASP Top 10, etc.) stored in S3, ensuring the LLM's output is contextually validated against industry best practices.

Secure Integration

We use AWS Secrets Manager to dynamically and securely retrieve necessary credentials, specifically the GitHub Personal Access Token (PAT), ensuring no sensitive data is ever hardcoded or stored in the elsewhere.

Challenges we ran into

The primary challenge was achieving reliable, multi-step orchestration within Amazon Bedrock AgentCore. Agentic workflows are inherently complex, and getting the LLM to successfully chain three distinct, specialized Lambda functions, from receiving raw vulnerability data to pushing a branch, required extensive prompt engineering.

Ensuring the LLM adhered strictly to security best practices was difficult. Without proper grounding, the LLM sometimes fixed the syntax error but used an insecure alternative (e.g., using an outdated hashing function). This reinforced the necessity of our integrated RAG system.

Accomplishments that we're proud of

We are most proud of establishing an end-to-end autonomous agent that solves all three major failures of traditional DevSecOps, resulting in:

  • Autonomous Workflow Orchestration: Successfully building and demonstrating a unified, secure toolchain managed entirely by Amazon Bedrock AgentCore.
  • Contextually Grounded Patches: We successfully integrated Bedrock Knowledge Bases (indexing CWE, OWASP, etc.) with the Analyzer. This RAG mechanism ensures that every code fix generated by Claude is not only functional but is contextually validated against authoritative security standards.
  • Demonstrable Speed and Accuracy: We proved the agent can find vulnerabilities and successfully generate, validate, and propose fixes much faster than a human developer. This drastically reduces the Mean Time to Remediate (MTTR) from months to mere minutes.

What we learned

An LLM is Only as Good as its Context

The LLM's security expertise was directly proportional to the quality and authority of the data provided by the Bedrock Knowledge Bases. Relying solely on the base model's training data led to inconsistent and sometimes insecure patches. Grounding with specific standards is non-negotiable for security agents.

Tool Boundaries Must Be Strict

Defining the exact inputs and outputs for each Lambda tool was the most critical step in minimizing agent hallucinations and achieving a stable workflow.

What's next for Dispatch

Our immediate plans for Dispatch focus on expanding its capabilities and further enhancing the security governance loop with Automated Manual Triaging. We plan to integrate a sophisticated system to automatically generate tickets and assign the three non-auto-fixable issues to the appropriate development team based on code ownership.

Built With

  • amazon-api-gateway
  • amazon-bedrock-agentcore
  • amazon-simple-storage-service
  • amazon-web-services
  • aws-lambda
  • aws-secrets-manager
  • fastapi
  • react
  • semgrep
  • tailwind-css
Share this project:

Updates