NOVA Security Agent

AI-powered code security scanner with Auth0 authentication and compliance mapping

Comment

Inspiration

Most security scanning tools are either enterprise-gated or require complex CI/CD setup just to get basic vulnerability feedback. We wanted to build something a developer could log into with GitHub, pick a repo, and get actionable security findings in seconds — no setup, no config files, no pipeline integration. The Auth0 hackathon was the perfect excuse to build it with proper token management instead of asking users to paste personal access tokens.

What it does

NOVA Security Agent lets you sign in with GitHub via Auth0, select any of your repositories, and scan the codebase for security vulnerabilities. It runs 30+ pattern detections across 10 categories — SQL injection, XSS, hardcoded secrets, JWT misconfiguration, command injection, weak crypto, SSRF, path traversal, and more. Every finding is mapped to compliance frameworks (SOC2, GDPR, PCI-DSS, OWASP). An optional AI Deep Analysis toggle sends the highest-risk files to Claude for contextual review, producing fix suggestions that understand the surrounding code — not just regex matches.

How we built it

  • Auth0 handles GitHub OAuth and secure token management — users authenticate once and we retrieve their GitHub access token via the Auth0 Management API to fetch repos and file contents
  • Next.js (App Router) for the frontend dashboard and API routes
  • Custom regex engine with 30+ patterns ported and expanded from prior security tooling
  • Claude API for the optional AI deep analysis layer — top 5 highest-risk files get sent for contextual vulnerability assessment
  • Vercel for deployment

The scanning happens entirely server-side. File contents are fetched from GitHub's API using the Auth0-managed token, scanned in memory, and results are returned — nothing is stored.

Challenges we ran into

Auth0 Token Vault was our first approach for managing the GitHub token, but GitHub's OAuth implementation doesn't issue refresh tokens, which Token Vault requires. We pivoted to the Auth0 Management API to retrieve the identity provider token directly. This actually taught us more about how Auth0 stores and manages federated identity tokens under the hood.

We also hit a deployment issue where environment variables on Vercel had trailing newline characters appended, causing Auth0 to reject the client ID silently with a generic error page. Took some digging to trace it back to a shell piping issue during env var setup.

Accomplishments that we're proud of

  • Zero-config experience — sign in and scan in under 10 seconds
  • Every finding maps to four compliance frameworks automatically
  • The AI analysis layer is optional, not a crutch — the deterministic scanner works on its own and the AI adds contextual depth when you want it
  • Clean separation between auth (Auth0), scanning (custom engine), and AI analysis (Claude) — each layer works independently

What we learned

  • Auth0's Management API is more flexible than Token Vault for providers that don't support refresh tokens
  • Regex-based scanning is surprisingly effective when you have enough patterns and good severity classification — AI doesn't need to touch every file
  • Compliance mapping at scan time (rather than as a post-process) makes findings immediately actionable for teams that need to report against SOC2 or PCI

What's next for NOVA Security Agent

  • PR-level scanning — run on pull requests and comment findings inline
  • Historical trending — track a repo's security score over time
  • Custom rule authoring — let teams add their own patterns for internal standards
  • CI/CD integration — GitHub Action that runs NOVA Security Agent on every push
  • Integration into the broader NOVA ecosystem where security is one of 12 advisory pillars that analyze decisions from different perspectives

Bonus Blog Post

When I started building NOVA Security Agent, the plan was straightforward: use Auth0 Token Vault to grab a GitHub OAuth token and scan repos with it. That plan lasted about two hours.

GitHub's OAuth doesn't issue refresh tokens, which Token Vault needs to manage the token lifecycle. Instead of forcing a workaround, I pivoted to Auth0's Management API — calling /api/v2/users/{userId} with read:users and read:user_idp_tokens scopes to retrieve the GitHub token directly from the user's identity profile. This ended up being cleaner than Token Vault would have been, since I only need the token at scan time, not persistently.

The bigger lesson was about layering AI on top of deterministic scanning. I built 30+ regex patterns for vulnerability detection first, covering SQL injection, hardcoded secrets, XSS, JWT misconfigs, and more. Each pattern maps to four compliance frameworks. That layer is fast and reliable. Then I added an optional Claude AI deep analysis toggle that sends only the highest-risk files for contextual review. The AI doesn't replace the regex engine — it adds depth. It can say "this eval() is in a route handler that processes user input from req.body, making it exploitable" instead of just "eval detected."

The Auth0 integration is what ties it together. Users authenticate once, Auth0 manages the GitHub identity, and the scanner gets secure access to private repos without ever asking for a personal access token. That's the flow that makes it feel like a real tool instead of a hackathon project and that's what I'm most proud of.

Built With

Share this project:

Updates