Dependency security, from alert to evidence

Find, fix, and prove which dependency alerts matter.

Security Agent turns GitHub Dependabot alerts into actionable Security Findings, identifies reachable risk, opens remediation PRs, sends deadline notifications, and preserves audit-ready activity history.

[Screenshot: Security Agent dashboard with SLA compliance, overdue findings, codebase risk, and the highest priority finding]

One operational record

Turn alert volume into defensible action

Dependabot provides the source alert. Security Agent creates the Security Finding, the record your team uses to analyze risk, coordinate remediation, meet deadlines, and retain evidence.

Dependabot sync

Continuously sync GitHub Dependabot alert data from the repositories you select into the scope you configure.

Dedicated triage model

Use a fast, configurable model to assess advisory context and decide which findings need deeper investigation.

Dedicated analysis model

Run sandbox analysis against the repository code to find where the vulnerable package is used, whether the affected code is reachable, the supporting evidence, and a suggested fix.

Dedicated remediation model

Choose a separate model to prepare manual or automatic remediation attempts for eligible findings.

Auto Remediation

Automatically open remediation PRs for findings at or above your chosen severity threshold, with separate controls for how existing findings are handled.

Auto-dismiss

Dismiss findings automatically when your configured analysis policy establishes that they do not require action.

Security Agent Notifications

Send new-finding, SLA warning, and SLA breach emails, gated by severity thresholds and a configurable warning lead time before the deadline.

SLA tracking

Set deadlines by severity and keep approaching or breached findings visible to the teams responsible.

Audit reports

Report recorded Security Finding activity for selected periods, repositories, severities, and states. Reports cover only recorded history; activity that predates it is not reconstructed.

Risk analysis

Triage quickly. Analyze deeply when it matters.

Separate models keep each job focused. AI triage evaluates the alert context first; sandbox analysis adds evidence from the codebase only when a finding needs it.

Stage 1

AI triage

Evaluate package, advisory, severity, and dependency context without opening the repository sandbox. Route the finding to dismiss, review, or deeper analysis.

Stage 2

Sandbox analysis

Inspect actual repository usage, identify relevant files and code paths, capture evidence, and recommend a concrete next action or fix.

[Screenshot: Security Finding analysis tab showing no reachable risk, supporting evidence, urgency, and recommended update]

End-to-end workflow

From GitHub alert to verified outcome

Every decision stays attached to the Security Finding, including analysis, remediation attempts, state changes, deadlines, and notifications.

  1. Dependabot alert

     Security Agent syncs GitHub source data from the repositories you select.

  2. Security Finding

     Kilo creates a working record with state, severity, ownership, and SLA history.

  3. AI triage

     A dedicated triage model evaluates advisory and dependency context quickly.

  4. Sandbox analysis

     When needed, an analysis model inspects repository usage and reachable code paths.

  5. Decide and act

     Dismiss, review, or remediate manually or automatically with an AI-generated PR.

  6. Verify the fix

     A PR alone does not close a finding. Dependabot must report it fixed, or a user must dismiss it.

  7. Notify and report

     Deadline notifications and audit reports preserve evidence of what happened and when.

A remediation PR is an attempt, not proof of resolution. The Security Finding remains open until Dependabot reports the alert fixed or a user explicitly dismisses the finding.

[Screenshot: Security Finding remediation tab ready to start a Cloud Agent fix and open a reviewed pull request]

Configuration

Match your security policy

Configure Security Agent across General, Automation, Notifications, and SLA settings instead of forcing every repository through one workflow.

[Screenshot: Security Agent general settings with repository selection, dedicated AI models, and analysis mode options]

Operational posture

Know where attention is due

Filter by repository, severity, analysis outcome, and SLA due date. Move directly from the queue to review, fix, retry, or dismiss the finding.

[Screenshot: Security Agent findings queue with filters, analysis outcomes, SLA deadlines, and remediation actions]

Audit-ready history

Keep every decision attached to recorded evidence

Generate period-based reports by repository, severity, and recorded state. Expand any finding to review its timeline, source alert, package, manifest, SLA status, and activity history.

[Screenshot: Security Agent audit report with period filters, summary metrics, chronological activity, and finding record details]

Make every dependency decision traceable.

Find reachable risk, remediate eligible findings, keep teams ahead of deadlines, and preserve the activity history auditors need.