Share
## https://sploitus.com/exploit?id=944D2639-DFA3-5D5A-AB2E-39F444BFB4CC
# ๐ Agentic Security Code Review
[](https://claude.ai/code)
[](https://owasp.org/Top10/)
[]()
[](LICENSE)
**A structured, multi-agent approach to AI-assisted application security reviews - moving beyond generic scans to depth-first vulnerability analysis.**
---
## ๐ Project Overview
This project demonstrates how to use **Claude Code as an agentic security review system** - not as a simple chatbot, but as a coordinated team of specialized security analysts.
Instead of asking AI to "do a security review" (which produces vague, generic output), this approach breaks the problem into **8 specialized sub-agents**, each responsible for a specific phase of the assessment. The result is a structured, high-confidence security report with real file paths, line numbers and exploitation scenarios.
> **The problem I solved:** Most AI-assisted security reviews fail because they treat complex analysis as a single prompt. This project applies the same methodology used by professional AppSec teams - decomposing the review into architecture analysis, attack surface mapping, data flow tracing and adversarial simulation.
8 specialized agents working in sequence: Architecture โ Attack Surface โ Data Flow โ Vulnerabilities โ Risk โ Remediation โ Validation โ Exploitation
---
## ๐ฏ Why I Built This
As a security professional, I noticed a pattern:
- **Generic AI prompts** produce generic security advice - no file references, no line numbers, no proof of exploitability
- **Real security reviews** follow a structured methodology - threat modeling, attack surface analysis, code path tracing
- **The gap** is in how we prompt AI systems - treating them as chatbots instead of orchestrated analysis tools
This project bridges that gap by applying **agentic AI principles** to application security:
| Traditional AI Prompt | Agentic Approach |
|-----------------------|------------------|
| "Review this code for security issues" | 8 specialized agents with defined roles |
| Generic OWASP checklist output | Specific findings with file/line/function |
| No validation of findings | Built-in false positive elimination |
| Theoretical risks | Step-by-step exploitation scenarios |
---
## ๐๏ธ The 8-Agent Pipeline
Each agent has a specialized role and each agent's output feeds the next:
```mermaid
flowchart LR
subgraph Phase1["๐ Discovery"]
A1[ARCHITECTThreat Model]
A2[MAPPERAttack Surface]
A3[ANALYSTData Flow]
end
subgraph Phase2["๐ฏ Analysis"]
A4[HUNTERVulnerabilities]
A5[RISK ANALYSTCVSS Scoring]
end
subgraph Phase3["๐ ๏ธ Resolution"]
A6[FIXERRemediation]
A7[VALIDATORFalse Positive Check]
end
subgraph Phase4["โ๏ธ Verification"]
A8[ATTACKERExploitation]
end
A1 --> A2 --> A3 --> A4 --> A5 --> A6 --> A7 --> A8
style Phase1 fill:#E6F3FF,stroke:#0066CC
style Phase2 fill:#FFF3E6,stroke:#CC6600
style Phase3 fill:#E6FFE6,stroke:#00CC00
style Phase4 fill:#FFE6E6,stroke:#CC0000
```
### Agent Responsibilities
| Agent | Role | Output |
|-------|------|--------|
| **ARCHITECT** | Architecture & threat model | Trust boundaries, security assumptions, sensitive assets |
| **MAPPER** | Attack surface mapping | Entry point inventory with endpoints, parameters, handlers |
| **ANALYST** | Data flow & code path analysis | Step-by-step traces with security observations |
| **HUNTER** | Vulnerability identification | Exploitable findings with file/line/function references |
| **RISK ANALYST** | Severity & impact assessment | CVSS v3.1 scoring table with business impact |
| **FIXER** | Remediation guidance | Vulnerable code โ secure replacement |
| **VALIDATOR** | False positive elimination | High-confidence findings only |
| **ATTACKER** | Adversarial simulation | Step-by-step exploitation with payloads |
---
## โก Quick Start
### 1. Clone a target repository
```bash
git clone https://github.com/juice-shop/juice-shop.git
cd juice-shop
```
### 2. Launch Claude Code
```bash
claude
```
### 3. Run the security review prompt
Copy the contents of [`prompts/security-review.md`](prompts/security-review.md) and paste into Claude Code.
### 4. Review the generated report
The system will produce a structured security assessment covering all 8 phases.
---
## ๐ Sample Output
When run against [OWASP Juice Shop](https://github.com/juice-shop/juice-shop), the agent pipeline produces:
๐๏ธ Architecture Overview (click to expand)
```
High-Level Architecture:
โโโ Frontend: Angular SPA (TypeScript)
โโโ Backend: Express.js REST API (Node.js)
โโโ Database: SQLite (sequelize ORM)
โโโ Authentication: JWT-based sessions
โโโ External: Payment gateway integration
Trust Boundaries:
1. Browser โ API (untrusted input crosses here)
2. API โ Database (SQL queries constructed here)
3. API โ File System (uploads, logs)
Sensitive Assets:
- User credentials (hashed passwords)
- JWT signing secrets
- Payment information
- Admin functionality
```
๐ฏ Attack Surface (click to expand)
| Endpoint | Method | Parameters | Handler | Risk |
|----------|--------|------------|---------|------|
| `/rest/user/login` | POST | email, password | `routes/login.js:23` | Auth bypass |
| `/api/Users` | GET/POST | * | `routes/users.js:15` | IDOR |
| `/rest/products/search` | GET | q | `routes/search.js:8` | SQL injection |
| `/file-upload` | POST | file | `routes/fileUpload.js:12` | RCE |
| `/api/Feedbacks` | POST | comment, rating | `routes/feedback.js:5` | XSS |
๐ด Critical Vulnerabilities (click to expand)
**Finding 1: SQL Injection in Product Search**
- **File:** `routes/search.js`
- **Line:** 8-12
- **CVSS:** 9.8 (Critical)
- **Root Cause:** User input concatenated directly into SQL query
- **Exploit:** `GET /rest/products/search?q='; DROP TABLE Users;--`
**Finding 2: Broken Access Control (IDOR)**
- **File:** `routes/users.js`
- **Line:** 34
- **CVSS:** 8.1 (High)
- **Root Cause:** No authorization check on user ID parameter
- **Exploit:** `GET /api/Users/2` returns other user's data
---
## ๐ Generic Prompt vs. Agentic Approach
| Aspect | Generic: "Review this code" | Agentic: 8-Agent Pipeline |
|--------|----------------------------|---------------------------|
| **Architecture Understanding** | โ Skipped | โ
Full threat model |
| **Attack Surface** | โ Incomplete | โ
Comprehensive inventory |
| **Specificity** | โ "May have SQL injection" | โ
File, line, function, payload |
| **Validation** | โ Many false positives | โ
Validated findings only |
| **Exploitation Proof** | โ Theoretical | โ
Working payloads |
| **Remediation** | โ Generic advice | โ
Code-level fixes |
---
## ๐ Repository Structure
```
Agentic-Security-Code-Review/
โโโ README.md
โโโ LICENSE
โโโ prompts/
โ โโโ security-review.md # Full 8-agent prompt
โ โโโ quick-review.md # Lightweight 3-agent version
โโโ examples/
โ โโโ juice-shop-report.md # Sample output from OWASP Juice Shop
โโโ docs/
โโโ methodology.md # Detailed methodology explanation
โโโ customization.md # How to adapt for different codebases
```
---
## ๐ก What I Built & Learned
- **Agentic AI Architecture** - Designing multi-agent systems with specialized roles
- **Application Security Methodology** - Structured approach to code review (threat modeling, attack surface analysis, data flow tracing)
- **Prompt Engineering** - Breaking complex tasks into agent-specific instructions
- **OWASP Top 10** - Practical identification of injection, broken access control, security misconfiguration
- **CVSS Scoring** - Risk assessment using industry-standard severity ratings
- **Adversarial Thinking** - Simulating attacker behavior for exploitation validation
---
## ๐ฎ Future Enhancements
| Enhancement | Description |
|-------------|-------------|
| **CI/CD Integration** | Run security review on every pull request |
| **Custom Rule Sets** | Domain-specific security checks (healthcare, finance) |
| **Diff-Based Review** | Analyze only changed files for faster iteration |
| **Multi-Language Support** | Specialized prompts for Python, Java, Go, etc. |
| **Report Export** | Generate PDF/HTML reports for stakeholders |
---
**franciscovfonseca** ยท [GitHub](https://github.com/franciscovfonseca) ยท [LinkedIn](https://www.linkedin.com/in/franciscovfonseca/)
[](LICENSE)