Vulnerability Pilot

VulnPilot: AI-powered security scanning and automated workflows to identify, understand, and remediate vulnerabilities in your code and infrastructure.

Comment

Vulnerability Pilot: The Future of AI-Driven Security

Inspiration

Security vulnerability scanning often feels like a "black box" for developers. Traditional tools generate massive, intimidating reports that lack context, leaving teams overwhelmed by raw data without a clear path to resolution.

Vulnerability Pilot was inspired by the need to bridge the gap between discovery and remediation. We wanted to create a tool that doesn't just scan code but acts as an intelligent co-pilot, helping developers understand security risks in real-time and providing the automated workflows necessary to fix them before they reach production.

What it does

Vulnerability Pilot is an AI-powered security orchestration platform. It integrates industry-standard scanning tools (like Nmap, Nikto, and Gobuster) with advanced Large Language Models (Gemini)to provide:

  • Intelligent Code Analysis: Deep scans of GitHub repositories for patterns like SQL injection, XSS, and insecure credentials.
  • Visual Workflow Builder: A node-based interface to automate complex security pipelines.
  • AI-Sidekick: A security-expert chatbot that explains vulnerabilities and generates deterministic fixes.
  • Real-time Notifications: Integrated Slack and Email alerts for critical findings.

How we built it

We built Vulnerability Pilot using a high-performance, asynchronous architecture:

  • Backend: Go for high-concurrency tool execution and API management.
  • Frontend: React 19 + Vite with React Flow for the visual builder.
  • Styling: Tailwind CSS 4.0 for a sleek, modern, and responsive UI.
  • Security Intelligence: Integration with Nmap, Nikto, and Gobuster, orchestrated through a Go-based worker pool.
  • AI Layer: Google Gemini Pro (Llama-3) for lightning-fast analysis.

Challenges we ran into

  • Tool Output Standardization: Converting inconsistent CLI outputs from various security tools into a single, structured JSON schema proved difficult. We built custom parsers in Go to handle these variations reliably.
  • State Management in Workflows: Managing the real-time execution state of a node-based graph while ensuring UI responsiveness required a deep dive into React Flow's event hooks and asynchronous state updates.
  • Prompt Reliability: Ensuring the AI provides deterministic, safe, and accurate remediation steps required rigorous prompt engineering and an automated verification layer to filter out potential "hallucinations."

Accomplishments that we're proud of

  • The Visual Builder: Creating a seamless bridge between a visual graph and backend security execution.
  • Sub-second AI Insights: Leveraging Groq to provide near-instant security guidance that feels conversational.
  • Enterprise-Ready Foundation: Implementing robust rate-limiting (Redis-backed) and AES-256-GCM encryption for all sensitive user data.

What we learned

We learned that Developer Experience (DX) is critical for Security. If a security tool is hard to navigate, it won't be used. By prioritizing a "Design-First" approach, we realized that visual automation (workflows) makes complex security concepts more approachable. We also gained deep experience in orchestrating concurrent background processes in Go to maintain a high-performance web application.

What's next for Vulnerability Pilot

Our roadmap is focused on "Shift-Left" security:

  • CI/CD Integration: Automatic PR scanning that blocks vulnerable code from merging.
  • Self-Healing Workflows: Automated PR creation using AI to fix vulnerabilities as they are detected.
  • Enhanced Tooling: Adding DAST (Dynamic Application Security Testing) and container vulnerability scanning.

Vulnerability Pilot is turning security reports into security conversations.

Built With

Share this project:

Updates