Security Agents
security-audit
Category: security
Scans the codebase for OWASP Top 10 vulnerabilities and fixes them.
What it finds and fixes:
- SQL injection (unparameterized queries)
- XSS (unescaped output)
- Insecure deserialization
- Broken authentication patterns
- Security misconfiguration (debug mode, exposed credentials in code)
- Hardcoded secrets
- Insecure direct object references
- Missing authorization checks
Verification: runs the test suite after fixing to confirm no regressions.
nimbus run --agent security-audit
secret-scanner
Category: security
Finds hardcoded credentials and moves them to environment variables.
What it detects:
- API keys, tokens, and passwords hardcoded in source files
- Private keys and certificates committed to the repo
- Database connection strings with embedded credentials
- Any string matching patterns for common credential formats (AWS keys, Stripe keys, etc.)
What it does:
- Identifies all hardcoded secrets
- Replaces each with an os.environ.get('VARIABLE_NAME') call (or equivalent for your language)
- Updates all references throughout the codebase
- Generates a .env.example showing which variables need to be set
nimbus run --agent secret-scanner
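As an added illustration of the detect-and-replace step (example code written here, not the nimbus agent's implementation): a minimal Python scanner that flags string assignments whose value matches a few credential formats, rewrites them to os.environ.get(...) calls while keeping the variable name so existing references stay valid, and emits the matching .env.example. The sample source, the key values (the AWS value is AWS's own documented example key) and the pattern set are constructed assumptions.

```python
import re

# Constructed sample module; none of these values are real credentials.
SAMPLE_SOURCE = '''\
import requests

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STRIPE_SECRET = 'sk_live_000000000000000000000000'
DB_URL = "postgres://app:hunter2@db.internal:5432/app"
TIMEOUT = 30
'''

# Value-shape patterns for common credential formats (assumed, not exhaustive).
SECRET_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "stripe_secret_key": re.compile(r"sk_(live|test)_[0-9a-zA-Z]{24,}"),
    "db_url_with_password": re.compile(r"[a-z]+://[^:\s]+:[^@\s]+@"),
}

# A top-level NAME = "literal" / NAME = 'literal' assignment.
ASSIGNMENT = re.compile(
    r"^(?P<name>[A-Z_][A-Z0-9_]*)\s*=\s*(?P<q>['\"])(?P<value>.*?)(?P=q)\s*$", re.M
)


def scan(source):
    """Return (name, kind, value) for each assignment whose literal looks like a secret."""
    findings = []
    for m in ASSIGNMENT.finditer(source):
        for kind, pattern in SECRET_VALUE_PATTERNS.items():
            if pattern.search(m.group("value")):
                findings.append((m.group("name"), kind, m.group("value")))
                break
    return findings


def remediate(source):
    """Rewrite flagged assignments to read from the environment; return (new_source, env_example)."""
    findings = scan(source)
    flagged = {name for name, _, _ in findings}

    def swap(m):  # keep the variable name so every existing reference still resolves
        if m.group("name") in flagged:
            return f"{m.group('name')} = os.environ.get('{m.group('name')}')"
        return m.group(0)

    new_source = ASSIGNMENT.sub(swap, source)
    if findings and not re.search(r"^import os$", new_source, re.M):
        new_source = "import os\n" + new_source  # the rewritten calls need the import
    env_example = "".join(f"# {kind}\n{name}=\n" for name, kind, _ in findings)
    return new_source, env_example
```

The .env.example lists only variable names and the credential kind, never the removed values, so it is safe to commit alongside the rewritten source.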
dependency-cve
Category: security
Audits all dependencies for known CVEs and patches them to safe versions.
What it does:
- Reads your dependency files (requirements.txt, package.json, Cargo.toml, Gemfile, etc.)
- Queries the NVD (National Vulnerability Database) for CVEs in each dependency
- For each CVE found, identifies the minimum safe version
- Updates the dependency file and lockfile
- Runs the test suite to verify compatibility
Patching strategy: always upgrades to the minimum version that resolves the CVE. Avoids major version bumps unless no minor/patch fix is available.
nimbus run --agent dependency-cve