Run comprehensive security audits on your AI agents to detect credential leaks, vulnerable dependencies, code pattern violations, and license issues. Audits can be triggered on-demand or scheduled for continuous protection.
Start a security audit by specifying the target agents and scan types. Each scan type focuses on a different class of security vulnerabilities.
- `credential`: Detect exposed API keys, tokens, passwords, and secrets in agent configurations and outputs.
- `dependency`: Identify vulnerable or outdated packages, libraries, and model dependencies.
- `code_pattern`: Detect unsafe coding patterns, injection vulnerabilities, and insecure data handling.
```json
// Request
{
  "name": "Q1 Agent Security Review",
  "agentIds": ["agent_abc123", "agent_def456"],
  "scanTypes": ["credential", "dependency", "code_pattern"],
  "config": {
    "credential": {
      "scanOutputs": true,
      "scanConfigs": true,
      "scanEnvironment": true
    },
    "dependency": {
      "checkCVEs": true,
      "minSeverity": "medium",
      "includeTransitive": true
    },
    "code_pattern": {
      "rules": ["injection", "xss", "insecure_crypto", "hardcoded_secrets"]
    }
  }
}
```
```json
// Response
{
  "auditId": "audit_sec_abc123",
  "name": "Q1 Agent Security Review",
  "status": "running",
  "scanTypes": ["credential", "dependency", "code_pattern"],
  "agentCount": 2,
  "startedAt": "2026-02-12T10:00:00Z",
  "estimatedDuration": "3m"
}
```

```typescript
import { DRD } from '@drd/sdk';

const drd = new DRD({ apiKey: process.env.DRD_API_KEY });

// Trigger a security audit
const audit = await drd.securityAudit.create({
  name: 'Pre-deployment scan',
  agentIds: ['agent_abc123'],
  scanTypes: ['credential', 'dependency', 'code_pattern'],
});

// Wait for completion
const result = await drd.securityAudit.waitForCompletion(audit.auditId);
console.log(result.status); // 'completed'
console.log(result.findingsCount); // 7
console.log(result.criticalCount); // 1
```

Each audit produces findings categorized by type and severity. Review findings to understand your security posture and prioritize remediation.
| Finding type | Severity | Description |
| --- | --- | --- |
| `credential_leak` | critical | Exposed secrets, API keys, or authentication tokens |
| `vulnerable_dependency` | high | Known CVEs or security advisories in dependencies |
| `code_pattern` | medium | Unsafe code patterns such as SQL injection or XSS vectors |
| `license_violation` | low | Non-compliant license usage in agent dependencies |

Severity levels:

- critical: Immediate action required — active data exposure risk
- high: Exploitable vulnerability with known attack vectors
- medium: Potential risk that should be addressed in the current sprint
- low: Minor issue or informational finding
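As an added example (not DRD SDK code), the following consumes a findings list of the shape the findings endpoint returns and applies the severity ordering above to make the same block-or-allow decision that `drd audit --fail-on <severity>` makes in a pipeline. The sample response is constructed; the gate logic (only findings with status `open` count, and any open finding at or above the threshold blocks) is an assumption about how such a gate should behave, not documented DRD behaviour.

```javascript
// Added example, not DRD SDK code: triage a findings response of the shape shown on
// this page and make the same block/allow decision as `drd audit --fail-on <severity>`.

// Ranking from the severity table: higher is more urgent.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Assumption: only findings still marked open count toward the gate; findings
// already resolved (fixed or accepted_risk) were handled via resolveFinding/bulkResolve.
function isOpen(finding) {
  return finding.status === 'open';
}

// Rejects unknown severities instead of silently ranking them lowest.
function rankOf(severity) {
  const rank = SEVERITY_RANK[severity];
  if (rank === undefined) throw new Error(`unknown severity: ${severity}`);
  return rank;
}

// Constructed sample response (same shape as the list-findings response on this page),
// deliberately out of severity order so the sort is exercised.
const SAMPLE_FINDINGS_RESPONSE = {
  findings: [
    { findingId: 'finding_004', type: 'code_pattern', severity: 'medium', status: 'open',
      title: 'SQL query built by string concatenation' },
    { findingId: 'finding_001', type: 'credential_leak', severity: 'critical', status: 'open',
      title: 'Exposed API key in agent output' },
    { findingId: 'finding_003', type: 'license_violation', severity: 'low', status: 'resolved',
      title: 'Copyleft dependency in transitive tree' },
    { findingId: 'finding_002', type: 'vulnerable_dependency', severity: 'high', status: 'open',
      title: 'Known CVE in pinned dependency', fixVersion: '4.17.22' },
  ],
  total: 4,
  bySeverity: { critical: 1, high: 1, medium: 1, low: 1 },
};

// Open findings, most urgent first; ties broken by findingId so output is stable.
function prioritize(response) {
  const open = response.findings.filter(isOpen);
  open.forEach(f => rankOf(f.severity)); // validate every severity up front
  return open.sort(
    (a, b) => rankOf(b.severity) - rankOf(a.severity) || a.findingId.localeCompare(b.findingId),
  );
}

function countBySeverity(findings) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Block when any open finding is at or above the threshold severity.
function evaluateGate(response, failOn) {
  const threshold = rankOf(failOn);
  const open = prioritize(response);
  const blocking = open.filter(f => rankOf(f.severity) >= threshold);
  return {
    blocked: blocking.length > 0,
    blockingIds: blocking.map(f => f.findingId),
    openBySeverity: countBySeverity(open),
  };
}

// Stand-alone run: a CI job would exit non-zero when `blocked` is true.
const decision = evaluateGate(SAMPLE_FINDINGS_RESPONSE, 'critical');
console.log(JSON.stringify(decision, null, 2));
```

Lowering the threshold to `high` or `low` widens the set of blocking findings, while the resolved license finding never blocks regardless of threshold; that distinction is what keeps a nightly re-run from failing on issues a reviewer has already accepted.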
```json
// Response
{
  "findings": [
    {
      "findingId": "finding_001",
      "type": "credential_leak",
      "severity": "critical",
      "title": "Exposed OpenAI API key in agent output",
      "description": "Agent agent_abc123 included an API key in its response payload",
      "location": {
        "agentId": "agent_abc123",
        "context": "output_log",
        "line": 42
      },
      "detectedAt": "2026-02-12T10:01:30Z",
      "status": "open"
    },
    {
      "findingId": "finding_002",
      "type": "vulnerable_dependency",
      "severity": "high",
      "title": "CVE-2026-1234 in lodash@4.17.20",
      "description": "Prototype pollution vulnerability with known exploit",
      "cve": "CVE-2026-1234",
      "fixVersion": "4.17.22",
      "status": "open"
    }
  ],
  "total": 7,
  "bySeverity": { "critical": 1, "high": 2, "medium": 3, "low": 1 }
}
```

Each audit category targets a specific class of security vulnerabilities with specialized detection techniques and supported ecosystems.
- Credential scan (Severity: Critical): Scans source code, configuration files, environment variables, and log outputs for exposed credentials, API keys, tokens, and secrets.
- Dependency scan (Severity: High): Analyzes dependency manifests and lockfiles against known vulnerability databases (CVE, GHSA, OSV) to identify packages with security issues.
- Code pattern scan (Severity: Medium - High): Identifies unsafe coding patterns specific to AI/ML systems that could lead to security vulnerabilities or data exposure.
- License scan (Severity: Medium): Scans all dependencies and their transitive trees for license compatibility issues, copyleft obligations, and commercial usage restrictions.
Create custom audit rules to detect organization-specific security patterns. Rules support regex matching, AST-based analysis, and custom severity mappings.
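To show what a regex rule with a `scope` and a `severity` actually does when evaluated, here is an added example (not DRD SDK code and not how DRD evaluates rules server-side): a minimal local evaluator that takes rule objects of the shape passed to `createRule`, runs enabled rules over constructed sample records tagged with the scope they came from, and emits findings in the shape documented above. The rule ids, record shape and the `DEBUG` rule are constructed for the example. It also demonstrates why backslashes must be doubled inside a JavaScript string literal: a single `\.` in a string is just `.`, which turns each dot into a wildcard and widens the rule.

```javascript
// Added example, not DRD SDK code: a minimal local evaluator for regex rules of the
// shape passed to securityAudit.createRule, run over constructed sample records.

// Constructed rules. Backslashes are doubled because the pattern lives in a JS
// string: '\\.' reaches RegExp as '\.' (a literal dot).
const SAMPLE_RULES = [
  {
    ruleId: 'rule_internal_endpoint',
    name: 'Internal API endpoint exposure',
    type: 'code_pattern',
    pattern: { regex: 'https?://internal\\.[a-z]+\\.corp\\.acme\\.com', scope: ['output', 'config', 'logs'] },
    severity: 'high',
    enabled: true,
  },
  {
    ruleId: 'rule_debug_flag',
    name: 'Debug mode enabled in config',
    type: 'code_pattern',
    pattern: { regex: '^\\s*DEBUG\\s*=\\s*true\\s*$', scope: ['config'] },
    severity: 'medium',
    enabled: true,
  },
  {
    ruleId: 'rule_disabled',
    name: 'Disabled rule that must never fire',
    type: 'code_pattern',
    pattern: { regex: '.*', scope: ['output', 'config', 'logs'] },
    severity: 'low',
    enabled: false,
  },
];

// Constructed records: one text line each, tagged with the scope it came from.
const SAMPLE_RECORDS = [
  { agentId: 'agent_abc123', scope: 'output', line: 42, text: 'Call https://internal.billing.corp.acme.com/v1/invoices for details' },
  { agentId: 'agent_abc123', scope: 'logs', line: 7, text: 'GET https://api.example.com/health 200' },
  { agentId: 'agent_def456', scope: 'config', line: 3, text: 'DEBUG = true' },
  { agentId: 'agent_def456', scope: 'output', line: 9, text: 'DEBUG = true' }, // out of scope for the config-only rule
  { agentId: 'agent_def456', scope: 'logs', line: 11, text: 'https://internal-billing.corp.acme.com' }, // '-' is not '.', so no match
];

// Compile once per rule; no flags are added, the rule author controls the pattern.
function compileRule(rule) {
  return { ...rule, re: new RegExp(rule.pattern.regex) };
}

// Returns findings in the shape this page documents for list-findings responses.
function evaluateRules(rules, records) {
  const compiled = rules.filter(r => r.enabled).map(compileRule);
  const findings = [];
  for (const record of records) {
    for (const rule of compiled) {
      if (!rule.pattern.scope.includes(record.scope)) continue; // honour the rule's scope
      const m = rule.re.exec(record.text);
      if (!m) continue;
      findings.push({
        findingId: `finding_${String(findings.length + 1).padStart(3, '0')}`,
        type: rule.type,
        severity: rule.severity,
        title: rule.name,
        ruleId: rule.ruleId,
        match: m[0],
        location: { agentId: record.agentId, context: record.scope, line: record.line },
        status: 'open',
      });
    }
  }
  return findings;
}

// Per-rule hit counts, analogous to the matchCount field listRules reports.
function matchCounts(rules, findings) {
  const counts = Object.fromEntries(rules.map(r => [r.ruleId, 0]));
  for (const f of findings) counts[f.ruleId] += 1;
  return counts;
}

// Why the doubled backslashes matter: the under-escaped string lets '.' match any character.
function escapingDifference(text) {
  // This is what 'https?:\/\/internal\.[a-z]+\.corp\.acme\.com' becomes at runtime as a JS string:
  const underEscaped = 'https?://internal.[a-z]+.corp.acme.com';
  return {
    underEscaped: new RegExp(underEscaped).test(text),
    escaped: compileRule(SAMPLE_RULES[0]).re.test(text),
  };
}

const findings = evaluateRules(SAMPLE_RULES, SAMPLE_RECORDS);
console.log(JSON.stringify({ findings, matchCounts: matchCounts(SAMPLE_RULES, findings) }, null, 2));
console.log(escapingDifference('https://internal-billing.corp.acme.com'));
```

Two records match (the internal endpoint in an output line and the debug flag in a config line); the same `DEBUG = true` text in an output line is ignored because that rule is scoped to `config`, and the disabled rule never fires. For the hyphenated hostname, the under-escaped pattern reports a match while the correctly escaped one does not.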
```typescript
// Create a custom audit rule
const rule = await drd.securityAudit.createRule({
  name: 'Internal API endpoint exposure',
  description: 'Detect references to internal API endpoints in agent outputs',
  type: 'code_pattern',
  pattern: {
    // Backslashes are doubled so that the regex engine receives '\.' (a literal dot)
    regex: 'https?://internal\\.[a-z]+\\.corp\\.acme\\.com',
    scope: ['output', 'config', 'logs'],
  },
  severity: 'high',
  enabled: true,
});

// List all rules
const rules = await drd.securityAudit.listRules();
for (const r of rules.items) {
  console.log(r.name); // 'Internal API endpoint exposure'
  console.log(r.enabled); // true
  console.log(r.matchCount); // 0 (no matches yet)
}

// Disable a rule
await drd.securityAudit.updateRule(rule.ruleId, {
  enabled: false,
});
```

Mark findings as resolved once the underlying issue has been addressed. Bulk resolution is supported for efficiently closing multiple findings.
```typescript
// Resolve a single finding
await drd.securityAudit.resolveFinding('finding_001', {
  resolution: 'fixed',
  notes: 'Rotated API key and added output sanitization filter',
});

// Bulk resolve findings
await drd.securityAudit.bulkResolve({
  findingIds: ['finding_003', 'finding_004', 'finding_005'],
  resolution: 'accepted_risk',
  notes: 'Low severity license findings accepted per policy',
  approvedBy: 'security-team@acme.com',
});

// Get resolution history for an audit
const history = await drd.securityAudit.getResolutionHistory('audit_sec_abc123');
for (const entry of history.items) {
  console.log(entry.findingId); // 'finding_001'
  console.log(entry.resolution); // 'fixed'
  console.log(entry.resolvedAt); // '2026-02-12T11:00:00Z'
  console.log(entry.resolvedBy); // 'jane@acme.com'
}
```

Configure recurring audits to continuously monitor your repositories for new vulnerabilities.
```typescript
// Schedule a recurring security audit
await drd.securityAudit.schedule({
  name: 'Nightly security scan',
  agentIds: ['agent_abc123'],
  scanTypes: ['credential', 'dependency'],
  schedule: '0 2 * * *', // Every day at 2 AM
  timezone: 'America/New_York',
  notifications: {
    onComplete: 'on_findings', // 'always' | 'on_findings' | 'on_critical'
    channels: ['email', 'slack'],
    recipients: ['security@acme.com'],
  },
});
```

CI/CD Integration: Use the DRD CLI in your CI/CD pipeline to automatically audit every commit. Install with `npm install -g @drd/cli` and run `drd audit --fail-on critical` to block deployments with critical findings.

Auto-Fix PRs: Enable `autoFix: true` to have DRD automatically create pull requests that fix vulnerable dependencies and simple credential exposure patterns. Auto-fix PRs include a detailed description of the vulnerability and the applied remediation.
Complete list of security audit API endpoints.
| Endpoint | Description |
| --- | --- |
| `/api/security-audits` | Trigger a new security audit |
| `/api/security-audits` | List all security audits |
| `/api/security-audits/{id}` | Get audit status and summary |
| `/api/security-audits/{id}/findings` | List findings for an audit |
| `/api/security-audits/{id}/findings/{findingId}` | Resolve a finding |
| `/api/security-audits/bulk-resolve` | Bulk resolve findings |
| `/api/security-audits/rules` | Create a custom audit rule |
| `/api/security-audits/rules` | List audit rules |
| `/api/security-audits/rules/{id}` | Update or toggle a rule |