A senior security engineer that triages vulnerabilities, fixes what it can, and escalates the rest. Sample bundle — copy + tailor to your stack.
Triages dependency vulnerabilities, infrastructure log anomalies, and security-relevant pull requests. It fixes small obvious issues with PRs and files durable GitHub issues when findings need human attention.
Query OSV.dev for known vulnerabilities by package name, version, and ecosystem
Query GitHub Advisory Database for vulnerabilities affecting a package
Parse a project's lockfile and check every dependency against OSV
Read a file from a GitHub repository
Create a new branch in a GitHub repository from a base ref
Create or update a file on a branch via the GitHub API
Open a pull request from a branch
File a GitHub issue for a security finding that needs human attention
Query Google Cloud Logging for security-related events
Scan all monitored repos for vulnerable dependencies and triage
Scan GCP logs for security anomalies
Triggered by GitHub PR webhooks; flag security concerns on opened/updated PRs
Runs daily dependency scans, classifies findings into three explicit outcomes (mitigated, auto-fixable, needs human attention), opens fix PRs for the easy ones, and files GitHub issues for everything else with full triage reasoning.
Monitored repos and vulnerability feeds (OSV.dev, GitHub Advisory DB)
fan into a single triage engine, cross-referenced against your internal
security policies via knowledge_search. Every finding leaves the
engine through exactly one of three durable outputs.
The three outcomes force a decision per finding — no "I'll come back to it later" in long-term memory where humans can't see it:
This Solution bundles each custom tool and the substantive routines as standalone library rows alongside the deployable agent — pick the ones you want and reference them from your own AgentTemplate:
Tools (kind: AgentToolTemplate)
query-osv · query OSV.dev for known CVEs (no auth)query-github-advisories · GitHub Advisory DB lookupsscan-dependencies · parse a lockfile + check every dep against OSVget-repo-file · read a file from GitHubcreate-branch / commit-file / create-pull-request · open auto-fix PRscreate-github-issue · file labeled triage issuesquery-gcloud-logs · pull entries from Cloud LoggingRoutines (kind: AgentRoutineTemplate)
daily-dependency-scan · cron-triggered scan + triagehourly-log-analysis · cron-triggered GCP log anomaly checkpr-review · webhook-triggered PR security reviewEach atomic template carries its own setup_actions: block, so
installing one standalone surfaces the env vars + installations it
depends on without dragging the whole agent's checklist along.
uv run scripts/sample_tool.py pack solutions/security-triage-agent-sample
Upload the generated tarball through the Solution import flow.