Security · Multi-Agent System · 2025
DevGuard
A multi-agent security monitoring system built for developers who build fast with AI tools — and need something watching their back. DevGuard scans repositories, detects leaked credentials, monitors account activity, and delivers clear alerts before a mistake becomes a breach.
Why It Exists
I came to software development from a different direction, design, philosophy, creative research. I started building real projects early, moving fast with AI tools, learning as I went. But moving fast means making mistakes. And some mistakes in development aren't just bugs — they're security vulnerabilities you don't even know exist.
I didn't always know what I was exposing. A .env file accidentally committed. An API key left in a repository's history. A token that should never have been pushed. I wasn't being careless, I simply didn't have the experience yet to know where the edges were. And I had no system to tell me when I crossed them.
That's when the idea came to me: instead of trying to remember every rule myself, what if I built something that watched for me? A multi-agent system where each agent is responsible for one part of the problem, scanning commits, monitoring account activity, sending alerts. Something that runs in the background and catches what I miss.
I built it through trial and error. The first version was slow, scanning every commit in every repository from scratch, taking over twenty minutes per run. I added state memory so it only looks at new commits. I tuned the pattern detection to stop flagging library files as threats. I connected email alerts so the report reaches me directly, not buried in a terminal.
During its first real scan, DevGuard found an actual Anthropic API key that had been sitting in a repository's commit history for months, exposed, publicly accessible. The key had already been rotated, but the vulnerability had been real. The system caught what I had completely missed.
It now runs as a local CLI tool, scanning my GitHub repositories every 24 hours and sending a structured security report by email. The goal going forward is to make this accessible to other developers who are in the same position I was, building fast with AI, learning in public, and needing a safety net that doesn't require deep security expertise to use.
Agent Architecture
GitHub Scanner Agent
Scans every repository across the full commit history, searching for leaked API keys, passwords, database URLs, and sensitive tokens using pattern recognition. Skips library and dependency files to eliminate false positives.
Activity Monitor Agent
Checks for unauthorized collaborators, suspicious deploy keys, and unexpected account activity. Flags any access that doesn't belong to the account owner.
Alert Agent
Receives findings from all agents, composes a clear and human-readable security report in Turkish, and delivers it via email. Critical issues are flagged immediately; clean reports confirm safety.
What It Does
- —Full commit history scanning, not just recent activity
- —Smart state memory, remembers where it left off, only scans new commits
- —Pattern detection for 10+ secret types: API keys, JWTs, private keys, DB URLs
- —Library file exclusion to eliminate false positives
- —Collaborator and deploy key monitoring
- —Email alerts with structured security report
- —Continuous watch mode, runs automatically every N hours
- —Extensible, Vercel and Railway monitoring ready to connect
Stack
Status
Currently running as a local CLI tool. Next steps include a web dashboard, Vercel and Railway integration, and multi-user support, so any developer can connect their accounts and get the same safety net without writing a line of code.