Security vulnerabilities slip into codebases every day. Overworked engineers miss subtle injection flaws, leaked credentials, and insecure configurations during code review. An AI security agent catches these issues before they reach production, reviewing every pull request with the consistency and depth of a dedicated security engineer.
This guide walks you through configuring the agent.ceo CSO (Chief Security Officer) agent to run automated security audits on your codebase.
What the Security Agent Reviews
The CSO agent performs comprehensive security analysis including:
- Vulnerability detection: SQL injection, XSS, CSRF, SSRF, path traversal
- Secrets scanning: API keys, passwords, tokens, certificates in code
- Dependency auditing: Known CVEs in third-party packages
- Configuration review: Insecure defaults, overly permissive settings
- Authentication analysis: Weak auth patterns, session management issues
- Access control: Broken authorization, privilege escalation paths
- Cryptography review: Weak algorithms, improper key management
- Compliance checks: OWASP Top 10, SOC2, HIPAA relevant patterns
Prerequisites
- agent.ceo account with GitHub connected (see Connecting to GitHub)
- At least one repository you want to secure
- Understanding of your application's security requirements
Step 1: Deploy the CSO Agent
Navigate to Agents > Deploy New Agent and select the Security Analyst template:
# Deploy CSO agent via CLI
agentceo agent deploy \
--template security-analyst \
--name "CSO-Agent" \
--team "Security Team"
Or use the detailed configuration:
# cso-agent-config.yaml
agent:
name: "CSO-Agent"
role: "chief-security-officer"
template: "security-analyst"
team: "Security Team"
repositories:
scan_all: true # Scan all connected repositories
priority_repos:
- org/api-service # High priority: public-facing API
- org/auth-service # High priority: authentication system
- org/payment-service # High priority: payment processing
capabilities:
- vulnerability-scanning
- secrets-detection
- dependency-auditing
- compliance-checking
- security-code-review
- threat-modeling
[Screenshot: Agent deployment wizard showing Security Analyst template selection with configuration options]
Step 2: Configure Scan Policies
Define what the security agent should check and how it should respond:
# security-policies.yaml
scan_policies:
# Critical: Block PR immediately
critical:
- secrets-in-code
- sql-injection
- remote-code-execution
- authentication-bypass
action: block-pr
notify:
- slack: "#security-alerts"
- email: "security-team@company.com"
# High: Request changes on PR
high:
- xss-vulnerability
- insecure-deserialization
- ssrf-vulnerability
- broken-access-control
- hardcoded-credentials
action: request-changes
notify:
- slack: "#security-alerts"
# Medium: Comment on PR
medium:
- weak-cryptography
- missing-input-validation
- insecure-configuration
- overly-permissive-cors
action: comment
notify:
- slack: "#code-review"
# Low: Informational comment
low:
- outdated-dependency
- missing-security-headers
- verbose-error-messages
action: suggest
notify: none
# Apply scan policies
agentceo agent configure CSO-Agent \
--policy-file security-policies.yaml
Step 3: Set Up Scheduled Full Scans
In addition to PR-triggered reviews, configure periodic full-repository scans:
# scheduled-scans.yaml
scheduled_scans:
daily:
time: "02:00 UTC"
scope: "all-repositories"
checks:
- dependency-vulnerabilities
- secrets-scan
- license-compliance
report_to:
- slack: "#security-daily"
- dashboard: true
weekly:
day: "Monday"
time: "06:00 UTC"
scope: "priority-repositories"
checks:
- full-security-audit
- threat-model-review
- compliance-check
report_to:
- slack: "#security-weekly"
- email: "cto@company.com"
- dashboard: true
monthly:
day: 1
time: "06:00 UTC"
scope: "all-repositories"
checks:
- comprehensive-audit
- penetration-test-review
- access-control-review
- infrastructure-security
report_to:
- slack: "#security-monthly"
- email: "leadership@company.com"
- dashboard: true
# Enable scheduled scans
agentceo agent configure CSO-Agent \
--schedule-file scheduled-scans.yaml
[Screenshot: Security scan schedule calendar showing daily, weekly, and monthly scan markers]
Step 4: Configure Secrets Detection
Set up comprehensive secrets scanning with custom patterns:
# secrets-config.yaml
secrets_detection:
# Built-in patterns (always active)
builtin:
- aws-access-key
- aws-secret-key
- github-token
- google-api-key
- stripe-key
- jwt-secret
- database-url
- private-key
# Custom patterns for your organization
custom_patterns:
- name: "internal-api-key"
pattern: "ACME-[A-Z0-9]{32}"
severity: critical
- name: "staging-credentials"
pattern: "staging_(user|pass|key)\\s*=\\s*.+"
severity: high
- name: "internal-url"
pattern: "https?://internal\\.[a-z]+\\.company\\.com"
severity: medium
# Allowlist (known safe patterns)
allowlist:
- pattern: "EXAMPLE_KEY_DO_NOT_USE"
reason: "Documentation placeholder"
- file: "test/fixtures/mock-credentials.json"
reason: "Test fixtures with fake credentials"
# What to do when secrets are found
response:
in_pr:
action: "block-merge"
comment: "Secret detected. Please remove and rotate the credential."
in_main:
action: "alert-immediately"
auto_create_issue: true
notify: "#security-critical"
# Apply secrets configuration
agentceo agent configure CSO-Agent \
--secrets-config secrets-config.yaml
Step 5: Set Up Dependency Auditing
Configure automated dependency vulnerability checks:
# dependency-audit-config.yaml
dependency_auditing:
package_managers:
- npm # package.json, package-lock.json
- pip # requirements.txt, Pipfile
- go # go.mod, go.sum
- maven # pom.xml
- gradle # build.gradle
- cargo # Cargo.toml
vulnerability_databases:
- nvd # National Vulnerability Database
- ghsa # GitHub Security Advisories
- osv # Open Source Vulnerabilities
policies:
block_on:
- severity: critical
max_age: "0 days" # Block immediately for critical
- severity: high
max_age: "7 days" # Allow 7 days for high
warn_on:
- severity: medium
max_age: "30 days"
- severity: low
max_age: "90 days"
auto_remediation:
enabled: true
create_pr: true
# Auto-create PRs for safe version bumps
safe_updates:
- patch_versions: true
- minor_versions_if_tests_pass: true
# Require human approval for major versions
require_approval:
- major_versions: true
- breaking_changes: true
# Enable dependency auditing
agentceo agent configure CSO-Agent \
--dependency-audit dependency-audit-config.yaml
Step 6: Configure Compliance Frameworks
If your organization follows specific compliance frameworks, configure the agent to check against them:
# compliance-config.yaml
compliance:
frameworks:
- name: "OWASP Top 10 2021"
enabled: true
checks:
- A01-Broken-Access-Control
- A02-Cryptographic-Failures
- A03-Injection
- A04-Insecure-Design
- A05-Security-Misconfiguration
- A06-Vulnerable-Components
- A07-Auth-Failures
- A08-Data-Integrity-Failures
- A09-Logging-Failures
- A10-SSRF
- name: "SOC2"
enabled: true
checks:
- access-control-logging
- encryption-at-rest
- encryption-in-transit
- audit-trail
- change-management
- name: "Internal Standards"
enabled: true
checks:
- input-validation-required
- output-encoding-required
- authentication-on-all-endpoints
- rate-limiting-required
- logging-pii-prohibited
Step 7: Review Security Reports
After the agent runs its first scan, review findings in the security dashboard:
# View latest security report
agentceo security report --latest
# Get summary of all findings
agentceo security summary --period 7d
# Export findings for external tools
agentceo security export --format sarif --output security-report.sarif
[Screenshot: Security dashboard showing vulnerability breakdown by severity - 2 Critical, 5 High, 12 Medium, 28 Low with trend graph]
The dashboard shows:
- Vulnerability count by severity over time
- Mean time to remediation for each severity level
- Top vulnerability categories across your repos
- Dependency health score per repository
- Compliance status against configured frameworks
Step 8: Integrate with Existing Security Tools
Connect the CSO agent with your existing security infrastructure:
# integrations.yaml
security_integrations:
# Import findings from external scanners
import_from:
- snyk:
api_token_ref: "secrets/snyk-token"
sync_interval: "6h"
- sonarqube:
url: "https://sonar.company.com"
token_ref: "secrets/sonar-token"
sync_interval: "1h"
# Export findings to external systems
export_to:
- jira:
project: "SEC"
issue_type: "Security Bug"
auto_create: true
severity_mapping:
critical: "Blocker"
high: "Critical"
medium: "Major"
low: "Minor"
- splunk:
hec_url: "https://splunk.company.com:8088"
token_ref: "secrets/splunk-hec-token"
index: "security-findings"
This ensures the CSO agent works alongside your existing security auditing tools rather than replacing them.
Real-World Example
Here is what happens when a developer opens a PR with a security issue:
- Developer pushes code with an unsanitized database query
- GitHub webhook fires
pull_request.opened - CSO agent activates and clones the repository
- Agent analyzes the diff and identifies SQL injection risk
- Agent comments on the specific line with the vulnerability
- Agent requests changes on the PR with severity and remediation guidance
- Agent posts alert to #security-alerts Slack channel
- Developer fixes the issue, pushes update
- Agent re-reviews and approves the PR
The entire cycle takes under 2 minutes, compared to waiting hours or days for a human security review.
Configuring MFA for Agent Access
For organizations requiring multi-factor authentication on all accounts, including bots, see our guide on 2FA/MFA for AI platforms to properly configure agent authentication.
agent.ceo is a GenAI-first autonomous agent orchestration platform built by GenBrain AI.
Try agent.ceo
SaaS — Get started with 1 free agent-week at agent.ceo.
Enterprise — For private installation on your own infrastructure, contact enterprise@agent.ceo.
agent.ceo is built by GenBrain AI — a GenAI-first autonomous agent orchestration platform. General inquiries: hello@agent.ceo | Security: security@agent.ceo