Python Remediation Suite

The Python remediation suite turns each remediation section into a concrete tool command. It does not replace scanners, ticketing systems, source control, or human reviewers. It creates the bounded packet an agent or orchestrator needs before work starts:

  • the selected remediation domain,
  • imported recipes from this site,
  • enterprise tooling compatibility notes,
  • allowed actions,
  • stop conditions,
  • evidence requirements,
  • an agent handoff prompt,
  • optional LLM-assist configuration.
Flow from finding to a domain-specific Python remediation tool, imported recipes and optional LLM help, then a PR handoff, triage note, evidence packet, or audit record.
The suite keeps one finding, one domain tool, one recipe-informed output, and human review.

Dashboard container and UI

The suite now ships with a browser workbench that sits on top of the same Python planner. The UI lets an operator:

  • choose a remediation domain;
  • paste free-text, JSON, or SARIF findings;
  • configure recipe source, tooling hints, ecosystem, and LLM mode;
  • save non-secret access and context notes inside a mounted state directory;
  • generate a remediation packet and inspect the JSON plus agent handoff prompt;
  • download the latest packet for CI, SOAR, ticketing, or agent handoff.

Build the dashboard image from this repo:

docker build -f Dockerfile.remediation-suite-ui -t security-recipes-suite-ui .

Run it:

docker run --rm -p 8787:8787 \
  -v "$(pwd)/tmp/remediation-suite-ui:/data" \
  -e OPENAI_API_KEY="$OPENAI_API_KEY" \
  security-recipes-suite-ui

Open http://localhost:8787. The container starts:

python scripts/security_recipes_remediation_suite.py serve-dashboard \
  --host 0.0.0.0 \
  --port 8787 \
  --state-dir /data

Useful runtime environment variables:

Variable Purpose
SECURITY_RECIPES_DASHBOARD_HOST Bind host for the web server.
SECURITY_RECIPES_DASHBOARD_PORT Port exposed by the UI, default 8787.
SECURITY_RECIPES_DASHBOARD_STATE_DIR Directory for persisted non-secret dashboard configuration.
OPENAI_API_KEY Example API key used when the UI is set to llm-mode call with OPENAI_API_KEY as the configured env var.

Health endpoint:

GET /api/health

Install from this repo

The suite uses the Python standard library. From a checkout of security-recipes.ai:

python scripts/security_recipes_remediation_suite.py list-domains

Start the local dashboard without Docker:

python scripts/security_recipes_remediation_suite.py serve-dashboard

Run a domain-specific tool:

python scripts/security_recipes_remediation_suite.py deps \
  --finding dependabot-alert.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira \
  --ecosystem npm \
  --llm-mode prompt \
  --output out/deps-packet.json

The same suite works from CI, SOAR, a ticket webhook, a scheduled scanner job, or an agent handoff. The command writes a JSON remediation packet by default. Use --finding - to read a free-text, generic JSON, or SARIF finding from standard input.

Tool commands

Section Command Best input
Sensitive Data Element Remediation sde DLP, secret scanning, SDE JSON
Vulnerable Dependency Remediation deps CVE, GHSA, OSV, Dependabot, SCA, SBOM
SAST Finding Remediation sast SARIF, CodeQL, Semgrep, SonarQube, Snyk Code
Base Image and Container Layer Remediation base-image Trivy, Grype, container scanner, Dockerfile evidence
Artifact Cache and Mirror Quarantine cache-purge registry, mirror, cache, or malicious-artifact advisory
Recipe Recommender recommend any messy finding that needs routing first
Gatekeeping Patterns gate workflow, agent identity, policy, approval data
Runtime Controls runtime session, tool-call, proxy, egress, and telemetry data
Classic Vulnerable Defaults defaults unsafe parser, deserialization, XML, JWT, shell, TLS patterns
Crypto Payments Security crypto-payments wallet, address, settlement, custody, or payment-flow findings
DeFi and Blockchain Security defi smart contract, oracle, bridge, governance, or multisig findings
Program Metrics and KPIs metrics run records, PR data, scanner backlog, review metadata
Reviewer Playbook review PR diff, recipe id, run receipt, tests, scans
Rollout and Maturity Model rollout pilot state, controls, reviewer capacity, metrics
Compliance and Audit audit run receipt, approvals, control framework, evidence request

You can also use the generic command:

python scripts/security_recipes_remediation_suite.py plan \
  --domain auto \
  --finding finding.sarif \
  --recipes-source https://security-recipes.ai/api/recipes.json

--domain auto scores the first finding against the domain registry and chooses the strongest match. For production dispatch, prefer an explicit command when the scanner already knows the finding class.

Import recipes from the site

Every domain can import recipes from the built site or the public endpoint:

--recipes-source public/api/recipes.json
--recipes-source https://security-recipes.ai/api/recipes.json

Agents can also use the MCP server tools when the site is deployed with MCP:

  • recipes_search
  • recipes_get
  • recipes_match_finding

The Python suite does not need MCP to run. It imports the same recipe corpus through JSON so enterprise schedulers and security platforms can use it without embedding a browser or a site-specific client.

Optional LLM assist

LLM assist is opt-in and has three modes:

Mode Behavior
off No model prompt or call is attached.
prompt The packet includes the domain-specific prompt for another agent to use.
call The suite calls an OpenAI-compatible chat completions endpoint using an API key from the configured environment variable.

Example config:

{
  "endpoint": "https://api.openai.com/v1/chat/completions",
  "model": "gpt-5.5",
  "api_key_env": "OPENAI_API_KEY",
  "temperature": 0.2,
  "timeout": 30
}

Run with:

python scripts/security_recipes_remediation_suite.py sast \
  --finding codeql.sarif \
  --recipes-source public/api/recipes.json \
  --llm-config llm.json \
  --llm-mode call

Use prompt mode first in regulated environments. It produces the model prompt without transmitting data, which makes review and redaction easier.

Packet anatomy

A remediation packet containing classification, imported recipes, enterprise tooling, workflow rules, optional LLM assist, and human-review output.
The JSON packet is the handoff contract between scanners, agents, reviewers, and audit systems.

Each packet contains:

  • classification - domain score and routing rationale.
  • findings - normalized finding identity, source, severity, asset, location, and raw evidence.
  • recipe_import - recipes matched from /api/recipes.json.
  • enterprise_tooling - compatible source control, scanner, ticketing, registry, GRC, SIEM, or platform categories.
  • workflow - inputs, allowed actions, stop conditions, evidence, and outputs.
  • agent_handoff - a domain-specific prompt with guardrails.
  • llm_assist - disabled, prompt-only, or configured model-call metadata.

Enterprise integration pattern

flowchart LR
    A[Scanner or ticket] --> B[Python domain tool]
    B --> C[Import recipes JSON]
    B --> D[Normalize enterprise tooling]
    B --> E{Optional LLM?}
    E -->|off or prompt| F[Packet only]
    E -->|call| G[Configured LLM endpoint]
    F --> H[Agent runner]
    G --> H
    H --> I[PR handoff or TRIAGE.md]
    I --> J[Human review]
    J --> K[Audit evidence]

    classDef source fill:#0a2540,stroke:#00e5ff,color:#f5f7fb;
    classDef gate fill:#2a1040,stroke:#ff4ecb,color:#f5f7fb;
    classDef output fill:#1a2a1a,stroke:#86efac,color:#f5f7fb;
    class A,B,C,D source
    class E,G,J gate
    class F,H,I,K output

The integrations are intentionally broad:

  • source control: GitHub, GitLab, Azure DevOps, Bitbucket;
  • scanners: CodeQL, Semgrep, SonarQube, Snyk, Wiz, Trivy, Grype, OSV, Gitleaks, TruffleHog, Veracode, Checkmarx, Fortify;
  • registries and artifact systems: Artifactory, Nexus, Harbor, ECR, ACR, GAR, Quay, npm, PyPI, Maven, NuGet;
  • ticketing and response: Jira, Linear, ServiceNow, PagerDuty, SOAR;
  • evidence and audit: Drata, Vanta, Secureframe, ServiceNow GRC, Archer, AuditBoard, SIEM and data warehouse exports.

The suite only shapes the packet. Connector credentials, write access, approval policies, and production actions stay in the enterprise control plane.

Domain reference

Python remediation tool

Sensitive Data Element Remediation

Plan a scoped remediation for secrets, tokens, PII, PCI, PHI, or internal identifiers found in current source, logs, configs, schemas, fixtures, and IaC.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py sde

Inputs

  • secret scanning, DLP, or SDE finding payload
  • file path and line hint
  • data class and exposure state
  • approved secret store or redaction helper

Allowed actions

  • replace a literal with an approved secret-store reference
  • redact or hash a field through an existing helper
  • drop an accidental field from a log or fixture
  • write a rotation and disclosure triage note for exposed material

Stop conditions

  • finding is already exposed in history, public logs, or released artifacts
  • fix requires database, public API, or privacy-design changes
  • no approved secret store, redaction helper, or scanner replay exists

Evidence output

  • scanner result before and after
  • files touched and data class
  • rotation ticket or pre-exposure rationale
  • test and lint command output
Enterprise adapters and example command
Source ControlGitHub secret scanning, GitLab secret detection, Bitbucket code insights, Azure DevOps repos
SecurityGitleaks, TruffleHog, detect-secrets, Wiz, Snyk IaC, Microsoft Purview DLP
TicketingJira, Linear, ServiceNow Security Incident Response
SecretsHashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, 1Password SCIM
python scripts/security_recipes_remediation_suite.py sde \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/sde-packet.json

Python remediation tool

Vulnerable Dependency Remediation

Convert SCA, CVE, OSV, Dependabot, or SBOM dependency findings into one lockfile-safe remediation run or a bounded triage note.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py deps

Inputs

  • CVE, GHSA, OSV, or vendor advisory
  • dependency manifest and lockfile evidence
  • package ecosystem and current resolved version
  • project test command

Allowed actions

  • select the lowest safe patched version
  • plan package-manager-native lockfile updates
  • separate direct and transitive remediation paths
  • route major-version or no-fix advisories to triage

Stop conditions

  • patched version crosses a direct dependency major boundary
  • affected package is not present in the lockfile
  • advisory is malicious-package rollback rather than forward bump
  • tests or package-manager resolution cannot be reproduced

Evidence output

  • advisory URL and affected range
  • current and target resolved versions
  • lockfile path
  • test command and result
Enterprise adapters and example command
Source ControlGitHub Dependabot, GitLab Dependency Scanning, Azure DevOps Advanced Security, Bitbucket pipes
SecuritySnyk Open Source, Mend, Black Duck, OSV-Scanner, JFrog Xray, Sonatype Nexus IQ
Registriesnpm, PyPI, Maven Central, Go proxy, RubyGems, NuGet, private artifact registries
TicketingJira, ServiceNow Vulnerability Response, Linear
python scripts/security_recipes_remediation_suite.py deps \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/deps-packet.json

Python remediation tool

SAST Finding Remediation

Plan a narrow, testable fix for first-party code findings where source, sink, rule, and safe pattern are known.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py sast

Inputs

  • SARIF or scanner JSON result
  • rule id, source, sink, path, and line
  • language and framework
  • safe pattern or approved helper

Allowed actions

  • apply one approved sanitizer, validator, encoder, authorization, or parser-hardening pattern
  • add a regression test that fails before the fix
  • write a triage note when data flow is ambiguous

Stop conditions

  • finding spans multiple services or trust boundaries
  • fix requires architecture, auth model, schema, or product behavior changes
  • scanner result lacks source, sink, rule, or reproducible path

Evidence output

  • rule id and SARIF location
  • before and after scanner result
  • test proving the vulnerable path is closed
  • files touched
Enterprise adapters and example command
Source ControlGitHub code scanning, GitLab SAST, Azure DevOps Advanced Security, Bitbucket code insights
SecurityCodeQL, Semgrep, SonarQube, Snyk Code, Veracode, Checkmarx, Fortify
TicketingJira, ServiceNow Application Vulnerability Response, Azure Boards
Testingunit tests, integration tests, framework security tests
python scripts/security_recipes_remediation_suite.py sast \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/sast-packet.json

Python remediation tool

Base Image and Container Layer Remediation

Plan updates for vulnerable base images, OS packages, Dockerfiles, and derived image rebuilds without broad deployment changes.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py base-image

Inputs

  • container scanner finding
  • image reference, digest, Dockerfile, or SBOM
  • base image policy
  • rebuild and smoke-test command

Allowed actions

  • select patched tag or digest from approved base-image policy
  • plan a Dockerfile or lockstep manifest update
  • require image rebuild, rescan, and startup smoke test
  • split curated-base and downstream-refresh work

Stop conditions

  • image is built outside the repo
  • base image is not on the approved publisher list
  • fix requires production rollout, migration, or runtime privilege changes
  • scanner cannot rescan the rebuilt image

Evidence output

  • old and new image digest
  • scanner result before and after
  • Dockerfile and deployment manifests touched
  • smoke-test result
Enterprise adapters and example command
RegistriesAmazon ECR, Google Artifact Registry, Azure Container Registry, Harbor, Artifactory, Quay
SecurityTrivy, Grype, Snyk Container, Prisma Cloud, Aqua, Wiz, Microsoft Defender for Cloud
OrchestrationKubernetes, OpenShift, ECS, Nomad, Helm, Kustomize
Source ControlGitHub, GitLab, Azure DevOps, Bitbucket
python scripts/security_recipes_remediation_suite.py base-image \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/base-image-packet.json

Python remediation tool

Artifact Cache and Mirror Quarantine

Plan quarantine, deny-listing, and cache purge activity for compromised packages, images, mirrors, build caches, and CI artifacts.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py cache-purge

Inputs

  • compromised artifact identity
  • registry, mirror, or cache location
  • artifact digest or exact version
  • consumer inventory

Allowed actions

  • identify exact artifact coordinates
  • plan deny-list, mirror removal, and cache invalidation
  • produce consumer impact list
  • separate purge from dependency or image remediation

Stop conditions

  • artifact identity is range-based or ambiguous
  • registry operation would delete audit evidence
  • consumer inventory is missing
  • purge requires production outage or customer-impacting action

Evidence output

  • artifact name, version, digest, and source advisory
  • affected registries and caches
  • consumer inventory
  • post-purge query result
Enterprise adapters and example command
RegistriesArtifactory, Nexus, Harbor, ECR, ACR, GAR, npm Enterprise
SecurityJFrog Xray, Sonatype Nexus IQ, Snyk, Mend, Sigstore, Cosign
CiGitHub Actions cache, GitLab CI cache, Azure Pipelines cache, Jenkins, Buildkite
TicketingServiceNow, Jira, PagerDuty
python scripts/security_recipes_remediation_suite.py cache-purge \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/cache-purge-packet.json

Python remediation tool

Recipe Recommender

Classify one finding, pick one safest recipe, and write the handoff contract before a remediation agent starts.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py recommend

Inputs

  • scanner alert, ticket, advisory, or SARIF snippet
  • affected asset metadata
  • repository and owner context
  • available recipe index

Allowed actions

  • normalize a finding into routing fields
  • score candidate recipes
  • select one recipe or triage
  • write a downstream agent handoff

Stop conditions

  • top recipe score is weak
  • finding spans multiple repos, owners, or services
  • required evidence would change the route but is missing

Evidence output

  • candidate scores
  • selected recipe URL
  • routing rationale
  • missing evidence if triaged
Enterprise adapters and example command
Source ControlGitHub, GitLab, Azure DevOps, Bitbucket
SecurityCodeQL, Semgrep, Snyk, Wiz, OSV, Trivy, SonarQube
TicketingJira, Linear, ServiceNow
Contextsecurity-recipes.ai MCP, internal runbooks, ownership registry, CMDB
python scripts/security_recipes_remediation_suite.py recommend \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/recommend-packet.json

Python remediation tool

Gatekeeping Patterns

Evaluate whether a remediation run should be admitted, held mid-run, allowed to open a PR, or blocked before merge.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py gate

Inputs

  • workflow id
  • finding and route
  • agent identity and tool allowlist
  • policy and reviewer requirements

Allowed actions

  • evaluate admission, mid-run, pre-merge, and post-merge gates
  • produce allow, hold, deny, or triage decision
  • attach reviewer and evidence requirements

Stop conditions

  • workflow id is unknown
  • agent identity or authorization is missing
  • requested action exceeds the recipe scope
  • required reviewer gate is not configured

Evidence output

  • policy version
  • decision and reason
  • required reviewers
  • tool and file scopes
Enterprise adapters and example command
PolicyOPA, Conftest, Open Policy Agent, Cedar, custom admission services
Source ControlGitHub branch protection, GitLab approval rules, Azure DevOps policies, Bitbucket merge checks
SecuritySOAR, SIEM, code scanning, artifact scanning
TicketingJira, ServiceNow, Linear
python scripts/security_recipes_remediation_suite.py gate \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/gate-packet.json

Python remediation tool

Runtime Controls

Plan scoped runtime controls for agent sessions, tool calls, telemetry, disablement, and active remediation boundaries.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py runtime

Inputs

  • agent session metadata
  • tool call inventory
  • network and file scopes
  • telemetry stream or run receipt

Allowed actions

  • define session scope and tool allowlist
  • plan telemetry and kill-switch checks
  • recommend hold conditions for abnormal tool use
  • produce runtime evidence requirements

Stop conditions

  • write-capable tool lacks explicit scope
  • telemetry cannot identify agent, workflow, and run
  • egress or identity boundary is unowned
  • runtime action would impact production without approval

Evidence output

  • agent id and workflow id
  • tool call and egress policy
  • telemetry fields
  • disablement decision
Enterprise adapters and example command
RuntimeMCP gateways, egress proxies, workload identity, Kubernetes admission, service mesh
SecuritySIEM, SOAR, EDR, DLP, cloud audit logs
ObservabilityOpenTelemetry, Datadog, Splunk, Elastic, Grafana
IdentityOkta, Entra ID, AWS IAM, GCP IAM, Vault
python scripts/security_recipes_remediation_suite.py runtime \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/runtime-packet.json

Python remediation tool

Classic Vulnerable Defaults

Plan repeatable fixes for unsafe parser, deserialization, crypto, JWT, XML, HTTP client, shell, or framework defaults.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py defaults

Inputs

  • vulnerable default pattern
  • language and framework
  • affected file and callsite
  • approved safer replacement

Allowed actions

  • map pattern to an approved safe default
  • add regression tests for unsafe input
  • preserve behavior for legitimate inputs
  • stop when compatibility risk is broad

Stop conditions

  • no approved safe replacement exists
  • fix changes public behavior without owner approval
  • callsite is generated, vendored, or shared across unrelated flows

Evidence output

  • pattern match
  • safe replacement selected
  • negative and compatibility tests
  • scanner rerun
Enterprise adapters and example command
Source ControlGitHub, GitLab, Azure DevOps, Bitbucket
SecurityCodeQL, Semgrep, SonarQube, Snyk Code, custom pattern scanners
Testingunit tests, property tests, negative security fixtures
Knowledgeapproved secure coding standards, internal platform helpers, security-recipes.ai recipes
python scripts/security_recipes_remediation_suite.py defaults \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/defaults-packet.json

Python remediation tool

Crypto Payments Security

Plan remediation for wallet, address integrity, settlement, custody, payment finality, nonce, and irreversible transaction workflows.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py crypto-payments

Inputs

  • payment finding or incident note
  • asset, chain, wallet, or processor context
  • transaction and authorization boundary
  • testnet or sandbox validation path

Allowed actions

  • plan validation for address, chain, amount, and replay controls
  • separate code fix from treasury or custody operations
  • require sandbox or testnet proof
  • route key or funds movement to human incident response

Stop conditions

  • fix requires moving funds, rotating custody keys, or touching production wallets
  • chain, asset, or processor ownership is unclear
  • no sandbox or testnet verification path exists

Evidence output

  • affected flow and asset
  • authorization and signing boundary
  • testnet or sandbox proof
  • operator actions excluded from agent scope
Enterprise adapters and example command
PaymentCoinbase Commerce, Fireblocks, BitGo, Stripe crypto rails, internal treasury tools
SecurityChainalysis, TRM Labs, Elliptic, SIEM, transaction monitoring
Source ControlGitHub, GitLab, Azure DevOps
TicketingJira, ServiceNow, incident response platforms
python scripts/security_recipes_remediation_suite.py crypto-payments \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/crypto-payments-packet.json

Python remediation tool

DeFi and Blockchain Protocol Security

Plan remediation for smart contracts, protocol upgrades, bridges, oracles, governance, multisig, and blockchain-specific controls.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py defi

Inputs

  • contract finding or audit note
  • chain, contract, bridge, oracle, or governance context
  • test suite and simulation path
  • upgrade and timelock policy

Allowed actions

  • plan code-level contract remediation and invariant tests
  • require simulation before upgrade
  • separate governance proposal from code patch
  • document timelock and signer requirements

Stop conditions

  • remediation requires emergency pause, upgrade execution, or signer action
  • economic assumptions are disputed
  • contract ownership or upgradeability is unclear
  • simulation path is missing

Evidence output

  • contract address or source path
  • audit rule and exploit class
  • unit, fuzz, invariant, or fork simulation result
  • governance and timelock notes
Enterprise adapters and example command
BlockchainFoundry, Hardhat, Tenderly, OpenZeppelin Defender, Chainlink, The Graph
SecuritySlither, Mythril, Echidna, Scribble, Certora, Halmos
GovernanceSafe, Tally, Snapshot, timelock controllers
TicketingJira, Linear, incident response platforms
python scripts/security_recipes_remediation_suite.py defi \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/defi-packet.json

Python remediation tool

Program Metrics and KPIs

Build a measurement packet for agent-assisted remediation quality, speed, reviewer load, false positives, and automation ROI.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py metrics

Inputs

  • remediation run records
  • PR and review metadata
  • scanner backlog data
  • incident, exception, or regression records

Allowed actions

  • normalize run, PR, scanner, and review facts
  • compute queue, quality, and reviewer metrics
  • separate automation wins from hidden human work
  • produce dashboard-ready JSON

Stop conditions

  • run id cannot be joined to PR or finding id
  • metric would encourage unsafe auto-merge behavior
  • data source omits failed or triaged runs

Evidence output

  • metric definitions
  • source systems and joins
  • sample records
  • known blind spots
Enterprise adapters and example command
Source ControlGitHub GraphQL, GitLab API, Azure DevOps Analytics, Bitbucket API
SecuritySnyk, Wiz, SonarQube, CodeQL, Semgrep, DefectDojo
AnalyticsBigQuery, Snowflake, Databricks, Looker, Power BI, Tableau
TicketingJira, ServiceNow, Linear
python scripts/security_recipes_remediation_suite.py metrics \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/metrics-packet.json

Python remediation tool

Reviewer Playbook

Prepare a reviewer checklist and evidence packet for a security PR or triage note produced by an agent.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py review

Inputs

  • PR diff or triage note
  • selected recipe and finding id
  • tests and scanner reruns
  • run receipt and tool history

Allowed actions

  • check recipe scope against diff
  • summarize evidence and missing proof
  • list reviewer questions
  • recommend approve, request changes, or triage

Stop conditions

  • diff touches files outside recipe scope
  • tests, scanner rerun, or run receipt is missing
  • agent made hidden infrastructure, credential, or production changes

Evidence output

  • recipe used
  • files touched
  • tests and scans run
  • approval and ownership requirements
Enterprise adapters and example command
Source ControlGitHub pull requests, GitLab merge requests, Azure DevOps pull requests, Bitbucket pull requests
Securitycode scanning, secret scanning, dependency scanning, container scanning
QualityCI, coverage, test reports, artifact attestations
TicketingJira, ServiceNow, Linear
python scripts/security_recipes_remediation_suite.py review \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/review-packet.json

Python remediation tool

Rollout and Maturity Model

Plan crawl, walk, run adoption for agent-assisted remediation with promotion criteria, controls, and stop signals.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py rollout

Inputs

  • current remediation workflows
  • agent capabilities and tool access
  • risk appetite and approval model
  • pilot metrics

Allowed actions

  • score readiness by domain
  • recommend next maturity stage
  • define promotion and rollback criteria
  • attach control gaps and owner actions

Stop conditions

  • no reviewer capacity for the proposed stage
  • tool access is broader than workflow scope
  • metrics do not include failed and triaged runs

Evidence output

  • current stage
  • eligible domains
  • control gaps
  • promotion metrics
Enterprise adapters and example command
Programroadmap tools, service catalog, ownership registry, security champions
Source ControlGitHub, GitLab, Azure DevOps, Bitbucket
Securityscanner portfolio, SOAR, SIEM, GRC
AnalyticsLooker, Power BI, Tableau, Datadog
python scripts/security_recipes_remediation_suite.py rollout \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/rollout-packet.json

Python remediation tool

Compliance and Audit

Map remediation runs to audit-ready evidence for SOC 2, ISO 27001, PCI DSS, NIST SSDF, internal controls, and customer diligence.

Suite docs
Custom commandpython scripts/security_recipes_remediation_suite.py audit

Inputs

  • run receipt
  • recipe and finding id
  • review and approval evidence
  • control framework or customer request

Allowed actions

  • map a run to controls and evidence
  • produce auditor-facing narrative
  • separate proof from model transcript
  • identify missing retention or approval artifacts

Stop conditions

  • run receipt is missing identity, tool, or approval data
  • control mapping would expose sensitive source or secrets
  • evidence is unverifiable or retained only in ephemeral chat

Evidence output

  • control mapping
  • run identity and tool history
  • reviewer approval
  • retention location
Enterprise adapters and example command
GrcDrata, Vanta, Secureframe, ServiceNow GRC, Archer, AuditBoard
Source ControlGitHub, GitLab, Azure DevOps, Bitbucket
SecuritySIEM, SOAR, scanner exports, artifact attestations
DocumentsGoogle Drive, SharePoint, Confluence, customer trust centers
python scripts/security_recipes_remediation_suite.py audit \
  --finding finding.json \
  --recipes-source public/api/recipes.json \
  --tooling github,snyk,jira,servicenow \
  --llm-mode prompt \
  --output out/audit-packet.json

Guardrails

  • One finding goes into one domain tool.
  • A packet can produce a plan, PR handoff, audit packet, or triage note.
  • The suite never auto-merges.
  • The suite does not mutate cloud, registry, ticketing, source-control, GRC, or payment systems by itself.
  • LLM calls are off by default.
  • Secrets, private findings, customer data, and source snippets should stay out of --llm-mode call unless your approved boundary permits that transmission.