Watchman: Autonomous Security Scanner

Inspiration

Security often slips to “later.” Watchman was born from the idea that security should be automatic, intelligent, and developer-friendly—turning noisy scanner output into prioritized, actionable fixes.

What it does

  • Runs Semgrep on each push/PR and triages with AWS Bedrock (Claude 3.5)
  • Adds context-aware severity and recommends code fixes with explanations
  • Creates GitHub issues (or PR suggestions) with clear repro + remediation
  • Sends summaries to stakeholders and shows a real-time dashboard of findings, trends, and progress

How we built it

  • Stack: FastAPI, SQLite, Semgrep, AWS Bedrock (Boto3), Next.js, Tailwind
  • Orchestrator coordinates scans → AI analysis → GitHub issue creation → notifications
  • Webhooks + async processing for fast responses and resilient retries
  • Loop-prevention to avoid re-scanning fix branches; idempotency for duplicate webhooks
  • Docker Compose for one-command local deploy

Challenges we ran into

  • AI cost/latency & rate limits: solved with Bedrock + batching
  • Webhook reliability: solved with idempotency keys + background jobs
  • Scanner noise: reduced via curated Semgrep rules + AI filtering
  • Autonomy pitfalls: branch/commit guards to prevent infinite loops
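The webhook guards listed above (idempotency for redelivered webhooks, branch and commit guards against the fix-then-rescan loop) are the part of the orchestrator most worth getting right, so here is a worked version as an added example. It is not code from the Watchman project; the bot login `watchman[bot]`, the fix-branch prefix `watchman/fix-`, the secret and the payloads are constructed for illustration, while the header names (`X-Hub-Signature-256`, `X-GitHub-Delivery`, `X-GitHub-Event`) and payload fields are GitHub's real ones. It also verifies the webhook signature, which the page does not mention but which any endpoint that turns inbound webhooks into scans and commits needs, otherwise anyone who finds the URL can trigger work or forge "bot" events.

```python
import hashlib
import hmac
import json

# Assumed values (not from the Watchman project): the GitHub App login the
# scanner acts as, and the prefix of the branches it pushes fixes to.
BOT_LOGIN = "watchman[bot]"
FIX_BRANCH_PREFIX = "watchman/fix-"


def sign(secret: bytes, body: bytes) -> str:
    """Build the X-Hub-Signature-256 value GitHub sends for this raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: str) -> bool:
    """Constant-time check of the signature header against the raw body."""
    if not header.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body).encode(), header.encode())


class WebhookGate:
    """Decides whether a delivered GitHub event should start a scan.

    Two idempotency keys: the delivery GUID (GitHub reuses it on redelivery)
    and (repo, commit), so one commit arriving via both a push and a
    pull_request event is scanned once. In a deployment both sets would be
    SQLite tables; here they are in memory.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_deliveries: set[str] = set()
        self.scanned_commits: set[tuple[str, str]] = set()

    def decide(self, headers: dict, body: bytes) -> str:
        if not verify_signature(self.secret, body, headers.get("X-Hub-Signature-256", "")):
            return "reject: bad signature"
        delivery = headers.get("X-GitHub-Delivery")
        if not delivery:
            return "reject: missing delivery id"
        if delivery in self.seen_deliveries:
            return "skip: duplicate delivery"
        self.seen_deliveries.add(delivery)

        payload = json.loads(body)
        event = headers.get("X-GitHub-Event")
        # Guard 1: never rescan the bot's own activity, or fix -> webhook ->
        # scan -> fix repeats forever.
        if payload.get("sender", {}).get("login") == BOT_LOGIN:
            return "skip: bot event"
        if event == "push":
            if payload.get("deleted"):
                return "skip: branch deleted"
            branch = payload["ref"].removeprefix("refs/heads/")
            sha = payload["after"]
        elif event == "pull_request":
            if payload.get("action") not in ("opened", "synchronize", "reopened"):
                return "skip: pr action " + str(payload.get("action"))
            branch = payload["pull_request"]["head"]["ref"]
            sha = payload["pull_request"]["head"]["sha"]
        else:
            return "skip: event " + str(event)
        # Guard 2: fix branches carry the bot's changes even when a human re-pushes them.
        if branch.startswith(FIX_BRANCH_PREFIX):
            return "skip: fix branch"
        key = (payload["repository"]["full_name"], sha)
        if key in self.scanned_commits:
            return "skip: commit already scanned"
        self.scanned_commits.add(key)
        return f"scan: {key[0]}@{sha} ({branch})"


# Constructed sample traffic, not real deliveries.
SECRET = b"constructed-webhook-secret"


def make_push(ref: str, sha: str, sender: str, delivery: str):
    body = json.dumps({
        "ref": ref, "after": sha, "deleted": False,
        "sender": {"login": sender},
        "repository": {"full_name": "acme/shop"},
    }).encode()
    headers = {"X-GitHub-Event": "push", "X-GitHub-Delivery": delivery,
               "X-Hub-Signature-256": sign(SECRET, body)}
    return headers, body


def demo() -> list[str]:
    gate = WebhookGate(SECRET)
    out = []
    h, b = make_push("refs/heads/main", "a1b2c3", "alice", "d-1")
    out.append(gate.decide(h, b))                      # scan
    out.append(gate.decide(h, b))                      # same GUID redelivered
    h, b = make_push("refs/heads/watchman/fix-a1b2c3", "f0f0f0", "alice", "d-2")
    out.append(gate.decide(h, b))                      # fix branch
    h, b = make_push("refs/heads/main", "e4e5e6", BOT_LOGIN, "d-3")
    out.append(gate.decide(h, b))                      # bot's own push
    h, b = make_push("refs/heads/main", "a1b2c3", "bob", "d-4")
    out.append(gate.decide(h, b))                      # known commit, new delivery
    h, b = make_push("refs/heads/main", "c7c8c9", "alice", "d-5")
    h["X-Hub-Signature-256"] = "sha256=" + "0" * 64
    out.append(gate.decide(h, b))                      # forged request
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The gate runs before anything is queued, so a retried or forged delivery costs one HMAC and a set lookup rather than a Semgrep run and a Bedrock call. The commit-level key matters more than the delivery GUID in practice: a push and the pull_request synchronize for the same head SHA arrive as two distinct deliveries, and a branch guard alone does not catch a bot commit that a developer cherry-picks onto another branch, which is why the sender check and the commit key are kept separate.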

What we learned

  • Context turns noise into signal for AI
  • Async everything for webhook flows
  • Great DX (clear issues, one-click paths) beats raw features

What’s next for Watchman

  • Slack/Teams notifications
  • SOC2/ISO compliance reporting
  • K8s deployment profiles & enterprise SSO

Security that’s autonomous, intelligent, and actually pleasant to use.
