security-goons

Turning your security team's expertise into AI agents that ship secure code at commit time—not after the vulnerability lands in production.

Comment 2

Inspiration

I kept seeing the same problem at work: security reviews always happen too late. Code gets written, then right before shipping, security finds 50+ vulnerabilities. Everyone scrambles under deadline pressure, security becomes the bottleneck, and we ship late.

I thought—what if I could turn security expertise into AI agents that work during development, not after? Agents that explore, plan, code, and commit fixes just like a senior security engineer would.

What it does

security-goons uses specialized AI agents following an Explore-Plan-Code-Commit (EPCC) workflow to catch and fix security issues before they reach code review:

  • Explore: Multiple agents run in parallel—@security-scanner checks code vulnerabilities, @semgrep-supply-chain-scanner analyzes dependencies, @semgrep-findings-fetcher pulls historical issues. All findings go into a single report.

  • Plan: The @security-fix-generator agent prioritizes everything (Critical → High → Medium → Low) and creates a fix strategy following OWASP guidelines.

  • Code: It generates actual production-ready fixes—not just "fix this SQL injection" but the actual parameterized query code with proper error handling.

  • Commit: Final security scan to verify nothing was missed, then commits with full documentation.

Instead of weeks of back-and-forth, you get secure code in minutes.

How I built it

I built this around parallel agent orchestration:

  1. Custom AI Agents: Each agent has a specific job—one fetches Semgrep findings, another scans code, another fixes vulnerabilities. They work simultaneously, not sequentially.

  2. EPCC Commands: Created custom Claude commands (/epcc-explore, /epcc-plan, etc.) that orchestrate the agents and generate structured markdown reports for traceability.

  3. Integrations:

    • Semgrep MCP Server for static analysis and supply chain scanning
    • IDE MCP tools for diagnostics
    • AWS Lambda for screenshot documentation

  4. Enforcement Loop: The system won't let you proceed until all vulnerabilities are fixed. It rescans after each fix to catch regressions.

Challenges I ran into

Getting agents to work together: When multiple agents analyze the same code simultaneously, they can generate duplicate findings or conflict. I solved this with structured outputs and a deduplication step in the fix-generator.

Context limits: Large security reports with hundreds of findings broke the AI's context window. I implemented hierarchical summarization—executive summary first, then drill into details only for high-priority items.

Fix quality: Fast automated fixes can break things. I added a multi-stage verification: generate fix → rescan for new issues → validate → commit. Quality gates at each phase.

Developer experience: Security tooling usually adds friction. I made it conversational—just type /epcc-explore and get production-ready fixes with explanations, not just error messages.

Accomplishments that I'm proud of

  • Built a parallel agent system where 4+ specialized agents work simultaneously—analysis that took hours now takes minutes

  • It doesn't just find bugs; it writes the actual secure code with explanations so developers learn

  • Complete audit trail in structured markdown files (EPCC_EXPLORE.md, EPCC_PLAN.md, etc.) for compliance

  • Automated enforcement—won't let code proceed until vulnerabilities are eliminated

  • Made security actually helpful instead of being "that thing that blocks my PR"

What I learned

Technical: Specialized agents beat general-purpose ones. An agent with one specific tool and clear mission (@semgrep-findings-fetcher only fetches findings) performs way better than a do-everything agent.

Security: Context matters for fixes. The same SQL injection needs different solutions in Django vs Spring Boot. Agents need to understand your codebase patterns first (that's why the Explore phase matters).

AI collaboration: When agents explain why a fix works (not just what to change), developers actually learn secure coding. The documentation becomes teaching material.

What's next for security-goons

Near-term:

  • Real-time IDE integration—security warnings as you type
  • Multi-language support (currently Java-focused)
  • Security regression prevention using project history

Dream features:

  • @security-reviewer agent that participates in PR reviews
  • Automated threat modeling during the Explore phase
  • Self-healing security—detect production issues and auto-generate fixes

The vision: Make security invisible. Developers write code, AI ensures it's secure, teams ship faster. Security at machine speed.

Phase 1: EXPLORE (Scan & Discover) → @security-scanner → @semgrep-supply-chain-scanner
→ @semgrep-findings-fetcher

Phase 2: PLAN (Analyze & Notify) → @security-findings-dispatcher

Phase 3: CODE (Implement Fixes) → @security-fix-generator

Phase 4: COMMIT (Validate & Verify) → @security-scanner (rescan) → @semgrep-supply-chain-scanner (rescan)

Built With

Share this project:

Updates