Inspiration
Every year, cloud misconfigurations cost organizations billions in breach damage and wasted spend. Teams push Kubernetes manifests with privileged: true, Dockerfiles that run as root, and Terraform security groups open to the whole internet, not because they don't care, but because manual review can't keep up with the pace of modern DevOps.
We asked: What if an AI agent could review every infrastructure change like a Senior SRE — instantly, on every pull request?
That's Nova Guardian — an autonomous, multi-agent security pipeline powered by Amazon Nova 2 Lite.
What It Does
Nova Guardian is a GitHub App that automatically scans every PR containing infrastructure-as-code files and provides:
- Multi-format static analysis across Terraform (HCL), Kubernetes YAML, Dockerfiles, GitHub Actions, and SAM templates
- AI-powered reasoning via Amazon Nova 2 Lite that explains each finding, estimates its cost impact, maps it to compliance frameworks (CIS, SOC 2), and generates line-by-line code fixes
- Inline PR reviews with GitHub suggestion blocks that developers can accept with one click
- A real-time dashboard showing scan history, severity breakdowns, grades, and an interactive AI chat assistant with full scan context memory
The Agentic Pipeline
Nova Guardian operates as a 4-agent orchestration chain:
| Agent | Role | Tools |
|---|---|---|
| Planner | Receives webhooks, identifies infra files | github_api.get_pr_files, scanner.detect_file_type |
| Scanner | Multi-engine static analysis | scanner.scan_file, scanner.run_rules |
| Evaluator | Nova 2 Lite reasons about severity, generates fixes | nova_2_lite.converse, cost_estimator.predict, compliance.map |
| Reporter | Compiles report, posts PR review | github_api.post_review, github_api.set_commit_status |
Each scan executes 8 tool calls across the pipeline in ~3.4 seconds, and the entire flow is visualized in our dashboard's Agent Execution Trace panel.
How We Built It
Backend: Python (Flask) with a custom static analysis engine supporting 6 file types. Each file type has a dedicated rule set with pattern matching against known security and cost anti-patterns. The scanner produces structured findings with severity, category, line numbers, and suggested fixes.
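The following is an added example of the kind of rule engine described above; it is not Nova Guardian's scanner. Rule IDs, severities, messages and the file-type detection heuristics are assumptions made for the illustration, and the pod manifest at the bottom is constructed. It shows the two things a per-file rule set needs: line-anchored rules that produce a line number for an inline comment, and whole-file rules for things that are missing (a Dockerfile with no USER instruction), plus skipping full-line comments so `# privileged: true` does not trip a rule.

```python
"""Illustrative rule engine for infrastructure-as-code files (added example, not the project's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    rule_id: str
    file_type: str
    severity: str      # CRITICAL / HIGH / MEDIUM / LOW
    category: str      # security, cost, supply-chain
    line: int          # 1-based source line; 0 means the finding applies to the whole file
    message: str
    fix: str           # replacement text the Evaluator step can turn into a suggestion block


# One rule = (id, severity, category, message, suggested fix, predicate).
Rule = Tuple[str, str, str, str, str, Callable[[str], object]]

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*\S+@(\S+)")


def unpinned_action(line: str) -> bool:
    """GitHub Actions `uses:` reference pinned to a mutable tag or branch rather than a commit SHA."""
    m = USES.match(line)
    return bool(m) and not SHA_PIN.match(m.group(1))


LINE_RULES: Dict[str, List[Rule]] = {
    "dockerfile": [
        ("DKR001", "HIGH", "security", "container runs as root",
         "USER 10001", re.compile(r"^\s*USER\s+(root|0)\s*$", re.I).match),
        ("DKR002", "MEDIUM", "supply-chain", "base image uses the mutable :latest tag",
         "pin the image to a digest (image@sha256:...)",
         re.compile(r"^\s*FROM\s+\S+:latest\b", re.I).match),
    ],
    "kubernetes": [
        ("K8S001", "CRITICAL", "security", "privileged container can escape to the node",
         "privileged: false", re.compile(r"^\s*privileged:\s*true\b").match),
        ("K8S002", "HIGH", "security", "hostNetwork shares the node's network namespace",
         "hostNetwork: false", re.compile(r"^\s*hostNetwork:\s*true\b").match),
    ],
    "terraform": [
        ("TF001", "HIGH", "security", "security group rule open to 0.0.0.0/0",
         'cidr_blocks = ["10.0.0.0/8"]',
         re.compile(r'^\s*cidr_blocks\s*=\s*\[.*"0\.0\.0\.0/0"').search),
        ("TF002", "HIGH", "security", "S3 bucket ACL is public",
         'acl = "private"', re.compile(r'^\s*acl\s*=\s*"public-read(-write)?"').match),
    ],
    "github_actions": [
        ("GHA001", "MEDIUM", "supply-chain", "action is not pinned to a commit SHA",
         "pin the action to a full 40-character commit SHA", unpinned_action),
    ],
}

# Whole-file rules catch what is *missing*, where no single line can be pointed at.
FILE_RULES: Dict[str, List[Rule]] = {
    "dockerfile": [
        ("DKR003", "HIGH", "security", "no USER instruction; the image runs as root by default",
         "add a USER instruction before CMD/ENTRYPOINT",
         lambda text: not re.search(r"^\s*USER\s+", text, re.M)),
    ],
}

COMMENT_PREFIXES = {"terraform": ("#", "//")}  # every other format uses '#'


def detect_file_type(path: str, content: str) -> Optional[str]:
    """Assumed heuristics: file name first, then a content sniff for the YAML dialects."""
    name = path.rsplit("/", 1)[-1].lower()
    if name == "dockerfile" or name.endswith(".dockerfile"):
        return "dockerfile"
    if name.endswith(".tf"):
        return "terraform"
    if name.endswith((".yml", ".yaml")):
        if "/.github/workflows/" in "/" + path:
            return "github_actions"
        if re.search(r"^Transform:\s*AWS::Serverless", content, re.M):
            return "sam"
        if re.search(r"^apiVersion:", content, re.M):
            return "kubernetes"
    return None


def scan_file(path: str, content: str) -> List[Finding]:
    ftype = detect_file_type(path, content)
    if ftype is None:
        return []
    findings: List[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        stripped = line.lstrip()
        # Skip blank lines and full-line comments so a commented-out `# privileged: true` is not a hit.
        if not stripped or stripped.startswith(COMMENT_PREFIXES.get(ftype, ("#",))):
            continue
        for rule_id, sev, cat, msg, fix, pred in LINE_RULES.get(ftype, []):
            if pred(line):
                findings.append(Finding(rule_id, ftype, sev, cat, lineno, msg, fix))
    for rule_id, sev, cat, msg, fix, pred in FILE_RULES.get(ftype, []):
        if pred(content):
            findings.append(Finding(rule_id, ftype, sev, cat, 0, msg, fix))
    return findings


def blocks_merge(findings: List[Finding]) -> bool:
    """Policy stated in the write-up: any CRITICAL finding fails the commit status."""
    return any(f.severity == "CRITICAL" for f in findings)


if __name__ == "__main__":
    # Constructed sample manifest, not taken from a real repository.
    pod = ("apiVersion: v1\nkind: Pod\nspec:\n  hostNetwork: true\n  containers:\n"
           "  - securityContext:\n      # privileged: true\n      privileged: true\n")
    for f in scan_file("deploy/pod.yaml", pod):
        print(f"{f.rule_id} {f.severity} line {f.line}: {f.message}")
```

Rules that fire on a line carry the exact 1-based line number, which is what the Reporter step later has to reconcile with the PR diff; whole-file rules report line 0 and are better surfaced in the review summary than as an inline comment.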
AI Integration: Amazon Nova 2 Lite via the Amazon Bedrock Converse API with extended thinking enabled. Each finding is sent to Nova together with the surrounding code context, and Nova returns a human-readable explanation plus a GitHub suggestion block for the fix.
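As an added example (not Nova Guardian's own evaluator), the sketch below builds the Converse request for one finding, and, more importantly, validates the model's reply before it is posted, since a malformed suggestion block breaks the inline review. The `converse()` call and the shape of its response are boto3's real API; the model ID, the system prompt wording, the `Finding` dictionary keys and the sample reply are assumptions. The network call is isolated in `call_nova` so that everything else runs offline.

```python
"""Evaluator step: request an explanation and a suggestion block from Nova, then validate it."""
import re
from typing import Dict, List, Tuple

MODEL_ID = "amazon.nova-2-lite-v1:0"   # assumed placeholder; use the model ID from your Bedrock console

SYSTEM_PROMPT = (  # assumed wording
    "You are a senior SRE reviewing infrastructure-as-code. Given one finding and the "
    "surrounding lines, reply with: (1) a short explanation of the risk and its cost or "
    "compliance impact, then (2) exactly one ```suggestion fenced block containing the "
    "replacement for the flagged line only, keeping its indentation. No other code fences."
)

SUGGESTION_FENCE = re.compile(r"```suggestion[ \t]*\n(.*?)\n?```", re.S)


def build_messages(finding: Dict, context: List[Tuple[int, str]]) -> List[Dict]:
    """Converse-API message list: the finding plus numbered neighbouring lines, whitespace intact."""
    numbered = "\n".join(f"{n}: {text}" for n, text in context)
    user_text = (
        f"File: {finding['path']} ({finding['file_type']})\n"
        f"Finding {finding['rule_id']} [{finding['severity']}] at line {finding['line']}: "
        f"{finding['message']}\n"
        f"Code context (line: text):\n{numbered}\n"
    )
    return [{"role": "user", "content": [{"text": user_text}]}]


def call_nova(messages: List[Dict]) -> str:
    """Network call, not exercised offline. Extended thinking is enabled through
    additionalModelRequestFields; its exact shape is model-specific and omitted here."""
    import boto3  # imported lazily so the parsing code runs without AWS credentials
    client = boto3.client("bedrock-runtime")
    resp = client.converse(
        modelId=MODEL_ID,
        system=[{"text": SYSTEM_PROMPT}],
        messages=messages,
        inferenceConfig={"maxTokens": 1024, "temperature": 0.2},
    )
    # With thinking enabled the content list also carries reasoning blocks; keep only the text ones.
    return "".join(b["text"] for b in resp["output"]["message"]["content"] if "text" in b)


def extract_suggestion(reply: str) -> Tuple[str, str]:
    """Return (explanation, replacement). Reject replies that would break the inline review:
    no block, several blocks, an empty block, or a block with a nested fence."""
    blocks = SUGGESTION_FENCE.findall(reply)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one suggestion block, got {len(blocks)}")
    body = blocks[0].rstrip()
    if not body.strip() or "```" in body:
        raise ValueError("suggestion block is empty or contains a nested fence")
    explanation = SUGGESTION_FENCE.sub("", reply).strip()
    return explanation, body


def review_comment(finding: Dict, explanation: str, replacement: str) -> Dict:
    """One entry for the `comments` array of POST /repos/{owner}/{repo}/pulls/{n}/reviews.
    GitHub applies a ```suggestion block to the commented line on the RIGHT (PR head) side."""
    return {
        "path": finding["path"],
        "line": finding["line"],
        "side": "RIGHT",
        "body": (f"**{finding['rule_id']} ({finding['severity']})**: {explanation}\n\n"
                 f"```suggestion\n{replacement}\n```"),
    }


if __name__ == "__main__":
    # Constructed finding and model reply; no Bedrock call is made here.
    finding = {"path": "deploy/pod.yaml", "file_type": "kubernetes", "rule_id": "K8S001",
               "severity": "CRITICAL", "line": 8, "message": "privileged container can escape to the node"}
    reply = ("A privileged container gets every capability and raw device access on the node.\n\n"
             "```suggestion\n      privileged: false\n```\n")
    explanation, replacement = extract_suggestion(reply)
    print(review_comment(finding, explanation, replacement)["body"])
```

Two details matter in practice: the context lines are sent with their original whitespace because a suggestion block replaces the whole line, so a fix that loses the YAML indentation is worse than no fix; and a reply that fails `extract_suggestion` should fall back to posting the explanation alone rather than an unusable suggestion.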
GitHub Integration: A full GitHub App with a webhook server and JWT authentication (the app-level JWT is exchanged for a short-lived installation token before calling the REST API), able to fetch PR files, post multi-comment reviews, and set commit statuses. Any CRITICAL finding sets a failing status, which blocks the merge when branch protection requires that status check.
Frontend: Next.js 15 with a Neo-Brutalism design system. Features a live Agent Pipeline Visualizer that animates each step (Parse → Scan → Reason → Cost → Compliance → Report), an Agent Execution Trace on every scan, and an AI chat assistant with full findings memory.
Infrastructure: AWS Lambda + Step Functions for serverless execution, SQLite for scan persistence, ngrok for local webhook tunneling during development.
Challenges
- Prompt engineering for code fixes: Getting Nova to consistently produce valid GitHub suggestion blocks in the exact format required was the hardest challenge. We iterated heavily on the prompt template.
- GitHub API complexity: Posting multi-file reviews with inline comments at specific line numbers required careful mapping between our scanner's line numbers and GitHub's diff positions.
- Real-time pipeline visualization: Synchronizing the frontend animation with the actual backend processing time required careful timing logic to ensure steps don't complete before the API returns.
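The line-number mapping mentioned under the GitHub API challenge above, worked through as an added example (not the project's Reporter code). The `patch` field returned for each file by GET /repos/{owner}/{repo}/pulls/{n}/files is a unified diff with no file header; GitHub's legacy `position` counts lines down from the first `@@` header (the line right below it is 1) and keeps counting through later hunk headers, while the newer `line` + `side` form takes the file line number directly but still only for lines that appear in a hunk. The review and status payload shapes are GitHub's; the sample patch, status context name and summary wording are constructed.

```python
"""Reconcile scanner line numbers with what GitHub's pull-request review API accepts."""
import re
from typing import Dict, List, Optional

HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def diff_positions(patch: str) -> Dict[int, int]:
    """new-file line number -> legacy diff `position`.

    Removed lines occupy a position but exist only on the LEFT side, so they get no entry;
    new-file lines outside every hunk never appear in the diff and get no entry either."""
    positions: Dict[int, int] = {}
    position = 0
    new_line: Optional[int] = None
    for raw in patch.splitlines():
        m = HUNK.match(raw)
        if m:
            if new_line is not None:
                position += 1           # second and later hunk headers consume a position
            new_line = int(m.group(3))
            continue
        if new_line is None:
            continue                    # anything before the first hunk header
        position += 1
        if raw.startswith("-") or raw.startswith("\\"):
            continue                    # removed line, or "\ No newline at end of file"
        positions[new_line] = position  # '+' added line or ' ' context line (empty if trimmed)
        new_line += 1
    return positions


def inline_comment(path: str, patch: str, line: int, body: str) -> Optional[Dict]:
    """One entry for the review's `comments` array, or None when `line` is not in the diff."""
    if line not in diff_positions(patch):
        return None
    return {"path": path, "line": line, "side": "RIGHT", "body": body}


def review_payload(commit_sha: str, comments: List[Dict], orphans: List[str], has_critical: bool) -> Dict:
    """Body for POST /repos/{owner}/{repo}/pulls/{n}/reviews. Findings that could not be
    anchored inline go into the summary so nothing is silently dropped."""
    summary = "Nova Guardian scan: " + (
        "CRITICAL findings present, merge blocked." if has_critical else "no blocking findings.")
    if orphans:
        summary += "\n\nNot shown inline (outside the diff):\n" + "\n".join(f"- {o}" for o in orphans)
    return {
        "commit_id": commit_sha,
        "event": "REQUEST_CHANGES" if has_critical else "COMMENT",
        "body": summary,
        "comments": comments,
    }


def commit_status(has_critical: bool) -> Dict:
    """Body for POST /repos/{owner}/{repo}/statuses/{sha}. A failure state only blocks the
    merge if branch protection lists this context as a required status check."""
    return {
        "state": "failure" if has_critical else "success",
        "context": "nova-guardian/scan",   # assumed context name
        "description": "CRITICAL findings present" if has_critical else "No blocking findings",
    }


# Constructed sample patch for a Dockerfile: two hunks, one removed line, two added lines.
SAMPLE_PATCH = """@@ -1,4 +1,5 @@
 FROM python:3.12
-USER app
+USER root
 COPY . /app
+RUN pip install -r requirements.txt
 CMD ["python", "app.py"]
@@ -10,2 +11,3 @@
 ENV X=1
+EXPOSE 22
 ENV Y=2"""


if __name__ == "__main__":
    # The scanner flags new-file line 2 (USER root) and line 7 (untouched by this PR).
    pos = diff_positions(SAMPLE_PATCH)
    print("line 2 -> position", pos[2])
    print("line 7 commentable:", inline_comment("Dockerfile", SAMPLE_PATCH, 7, "x") is not None)
    print(review_payload("deadbeef", [], ["Dockerfile:7 DKR003"], True)["event"])
```

Scanning the whole file rather than only the diff is the right call (a pre-existing `privileged: true` is still a problem), but it means some findings land on lines GitHub will refuse as inline comments; carrying them into the review body keeps the report complete.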
What We Learned
- Amazon Nova 2 Lite is exceptionally good at infrastructure reasoning — it understands Terraform semantics, Docker security best practices, and Kubernetes privilege escalation patterns out of the box
- The Converse API's extended thinking mode significantly improves the quality of code fix suggestions
- Visualizing the agentic pipeline is as important as building it — judges and users need to see the AI working
What's Next
- Nova Act integration for automated remediation directly in the AWS Console
- Multi-repo scanning with organization-wide security dashboards
- Custom policy authoring so teams can define their own security rules
- Slack/Teams notifications for real-time alert routing
Built With
- amazon-nova-2-lite
- aws-bedrock
- aws-lambda
- aws-step-functions
- flask
- github-api
- next.js
- python
- react
- sqlite
- tailwind
- typescript