AI finds the bug. Conduct closes the loop.
Connect Claude Code, Codex, Cursor, or Windsurf once. Every vulnerability they surface gets automatically captured, triaged, fixed on a branch, and shipped as a PR — with a full audit trail.
The problem
The gap no one closes.
AI coding tools are getting better at finding vulnerabilities. But there's still no standard way to route those findings into a fix pipeline. They fall through the cracks.
Findings disappear
Claude Code prints to terminal. Codex surfaces inline. Cursor shows suggestions. None of them route findings anywhere. A vulnerability found Thursday afternoon may never become a ticket.
No standard pipeline
Every tool has its own output format. Your team stitches together findings manually — if at all. There's no consistent triage, no severity tracking, no audit trail.
Detection ≠ remediation
Finding a bug is 10% of the work. The other 90% — issue creation, triage, fix, PR, review — still happens manually. Mean time to fix stays in days.
How it works
From finding to PR — automatically.
Step 1
Finding captured
Passive hook or BugHunter Active Scan surfaces a vulnerability
Step 2
Classify
Severity, type, file, and line number recorded automatically
Step 3
Slack alert
Instant notification to your #security channel with full context
Step 4
GitHub issue
Issue created with severity label, structured body, and suggested fix
Step 5
Validate
Security scanner confirms the finding before any fix runs
Step 6
Fix on branch
Agent forks the repo and applies the fix on a dedicated branch
Step 7
PR opened
Pull request opened back to the repo, ready for your review
Step 8
Audit trail
Tool → finding → fix → PR → cost → duration, all recorded
Three ways to feed it
One feed, three entry points.
However your team surfaces findings — passively via hooks, actively via BugHunter, or manually from the CLI — everything lands in the same security feed with the same audit trail.
Always on
Passive hook
Guard's PostToolUse hook classifies every AI tool response in the background. Secrets, path traversal, injection patterns, OWASP keywords — caught automatically with zero developer action.
# Enable once in Guard settings
Security Emit → ON
Every tool call classified automatically
On demand
BugHunter Active Scan
Install the BugHunter playbook from Marketplace and point it at any repo. 8 targeted hunt skills run — LLM injection, JWT confusion, SSRF, supply chain, race conditions, and more. Findings flow straight into the security feed.
# Run from CLI or canvas
conduct run "BugHunter Active Scan" \
--input target_repo=owner/repo
Power user
CLI emit
Pipe any tool output through the fast-path classifier directly from your terminal. Useful for custom scripts, CI pipelines, or one-off scans outside the normal flow.
# Pipe output from any source
cat scan-output.json | \
conduct emit finding --from-stdin
Works with any tool output. Normalised before storage.
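To make the two ends of the feed concrete, here is an added example (not Conduct's or Guard's own code) of what a fast-path classifier and a normaliser can look like: classify() scans a tool response line by line for the secret, path-traversal, injection and dangerous-call patterns the passive hook passage lists, and normalise() maps a raw finding dict from any other tool onto the same schema, as the CLI emit path does before storage. The rule table, severities, accepted key names and the sample response are all constructed assumptions.

```python
import re

# Constructed rule table for a hypothetical fast-path classifier; the
# patterns and severities are assumptions, not Guard's real rule set.
RULES = [
    ("secret", "CRITICAL",
     re.compile(r"AKIA[0-9A-Z]{16}|-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("path_traversal", "HIGH", re.compile(r"(?:\.\./){2,}")),
    ("sql_injection", "HIGH",
     re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^\n]*['\"]\s*\+", re.I)),
    ("dangerous_call", "MEDIUM",
     re.compile(r"\b(?:eval|exec)\(|pickle\.loads\(|yaml\.load\(")),
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def classify(tool, response, file=None):
    """Scan one AI tool response line by line; return normalised findings."""
    findings = []
    for lineno, line in enumerate(response.splitlines(), start=1):
        for ftype, severity, pattern in RULES:
            if pattern.search(line):
                findings.append({"tool": tool, "type": ftype,
                                 "severity": severity, "file": file,
                                 "line": lineno, "evidence": line.strip()})
                break  # first matching rule wins; RULES is ordered by severity
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])  # stable sort
    return findings


def normalise(tool, raw):
    """Map a raw finding dict from any tool onto the schema classify() emits.
    The alternative key names accepted here are a constructed list."""
    sev = str(raw.get("severity") or raw.get("level") or "MEDIUM").upper()
    if sev not in SEVERITY_RANK:
        sev = "MEDIUM"
    return {"tool": tool,
            "type": raw.get("type") or raw.get("rule_id") or "unknown",
            "severity": sev,
            "file": raw.get("file") or raw.get("path"),
            "line": int(raw.get("line") or raw.get("start_line") or 0) or None,
            "evidence": raw.get("evidence") or raw.get("message") or ""}


if __name__ == "__main__":
    # Constructed sample of a tool response that echoes a code snippet.
    sample = ('def load(path):\n    return open("../../" + path).read()\n'
              'KEY = "AKIAIOSFODNN7EXAMPLE"\n'
              'cursor.execute("SELECT * FROM t WHERE id=" + uid)\n')
    for finding in classify("claude-code", sample, file="app.py"):
        print(finding)
```

The dict each function returns carries the fields the pipeline records in Step 2 (severity, type, file, line) plus the originating tool, which is what the audit trail keys on.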
Get started
Three steps to full coverage.
Works with your existing Conduct + ConductGuard setup. No new tools to install.
Install the Conduct CLI and log in
Wires Guard hooks into Claude Code and Codex automatically. Token tracking, policy enforcement, and the security classifier all start running immediately.
pip install conduct-cli
conduct login
Enable Security Emit in Guard settings
Turns on the passive classifier. Every tool call response is scanned in the background — findings POST to /security-findings automatically.
Guard settings → Security → Security Emit → ON
Security Slack Alerts → ON (optional)
Install BugHunter from Marketplace (optional)
Adds on-demand deep scanning on top of the always-on passive hook. Run it against any repo whenever you want a full sweep.
Marketplace → Agent Templates → BugHunter Active Scan → Install
What makes it different
Built to close the loop, not just find the bug.
Other tools surface findings. Security Loop routes them through a full remediation pipeline — automatically, with a complete audit trail at every step.
Zero-drop coverage
Every finding from every AI tool enters the same pipeline. Nothing gets lost in terminal output.
Tool-agnostic
Claude Code, Codex, Cursor, and Windsurf. One workspace, one audit trail, regardless of which tool found it.
Finding → PR in minutes
The fix pipeline runs automatically. You review a PR, not a backlog. Mean time to fix drops from days to minutes.
Compliance-ready
Every finding has a traceable run with timestamps, approver identity, PR link, and cost. Exportable for SOC 2 and internal audits.
Human control
Humans stay in control.
Security Loop never merges code. Every finding surfaces as a draft agent — you review before anything runs. The agent opens the PR. Your team decides when to merge. Worst case is a PR that gets rejected. Nothing ships to main without a human.
Pipeline
The agent acts on your behalf only when you explicitly click Run. No autonomous code changes happen without your confirmation. Every action is logged.
Compliance
Compliance evidence, built in.
Every finding. Every fix. Every approver. Exportable for SOC 2.
| ID     | Agent            | Severity | Repo    | Date       | Approver | PR     | Status   |
|--------|------------------|----------|---------|------------|----------|--------|----------|
| SL-001 | claude-bughunter | HIGH     | org/api | Jun 5 2026 | sudhi@   | PR #15 | Merged   |
| SL-002 | passive-hook     | CRITICAL | org/web | Jun 7 2026 | alex@    | PR #22 | Open     |
| SL-003 | bughunter-scan   | HIGH     | org/api | Jun 8 2026 | —        | —      | Triaging |

Sample audit rows — exported as CSV or JSON for SOC 2 review.
Get started
Security Loop is live.
Install the CLI, enable Security Emit in Guard settings, and your team's findings start flowing in automatically. No new tools. No new process.
