/api/searchHigh
A context layer purpose-built for secure AI-assisted remediation.
Exact scope
Recipes map to one finding and define the exact change boundary.
02Read-only context
Agents get the right context without write access.
03Proof by default
Required evidence and validation steps prevent guesswork.
04Human in the loop
Nothing merges without human review and approval.
Adopt secure AI at the pace your organization can govern
The AI Adoption Blueprint gives small teams a short path to one reviewed fix and enterprises a staged path with scoped MCP context, evidence, and promotion gates.
Open the adoption blueprint
Choose a rollout lane, define the review model, and expand only when the workflow produces repeatable evidence.
Small teams
Start with one repository, one finding class, the agent you already use, and mandatory review for every change.
Enterprise teams
Scale through scoped identities, an MCP gateway, named reviewers, audit evidence, and measurable stage gates.
One finding, one recipe, one reviewed output
The useful loop is small on purpose: attach a recipe, constrain the agent, require proof, and review the result.
Pick the matching recipe
Start with a dependency, SAST, sensitive-data, container, or CVE recipe that matches the finding.
Load rules into the agent
Use `AGENTS.md`, `CLAUDE.md`, `.cursor/rules`, Copilot instructions, Codex guidance, or Devin Knowledge.
Add scoped context
Expose only the MCP servers and files needed for the finding. Keep context read-only by default.
Review the output
The agent should produce a PR, test result, or triage note. Humans approve the change.
# Agent task Remediate one security finding using the matching security-recipes.ai recipe. Rules: - Fix only the finding named in the task. - Read the recipe and repo instructions before editing. - Use MCP context as read-only evidence unless explicitly approved. - Run the existing tests that cover the touched area. - Open a PR with the finding ID, files changed, tests run, and residual risk. - If the fix requires broad refactoring or unclear ownership, stop with a triage note.
MCP is context, not authority
Security agents get better when they can read the right data. They get risky when every connector becomes an action surface.
Advisory intelligence
Connect public vulnerability and package data such as OSV, GitHub Advisories, deps.dev, NVD-backed mirrors, and package registries.
Repository evidence
Use GitHub, GitLab, Azure DevOps, SARIF, SBOM, Semgrep, CodeQL, and dependency metadata as scoped read-only context.
Security system context
Bring in approved SCA, SAST, SIEM, SOAR, ticketing, documentation, and cloud-security MCP servers with narrow tokens and audit logs.
Bring recipes to the tools teams already trust.
security-recipes.ai should not ask teams to adopt a custom scanner, ticketing system, SOAR platform, or deployment tool before they can use a recipe. Existing systems should produce the findings; recipes help agents use the right context, return the right proof, and stop at the right time.