Secure Coding for the AI Era
Sentoru is the AI agent that embeds an entire security team—an analyst, a fixer, and a pen-tester—directly into your pull request workflow.
Our Inspiration
A Universal Safety Net for Modern Development
The rise of "vibe coding" and AI-assisted development highlighted a major security gap, but it also revealed a universal truth about modern software engineering: speed often comes at the expense of security. The pressure to ship quickly means that vulnerabilities can slip through, regardless of whether the code is written by a human, generated by an AI, or a mix of both.
We were inspired to build a universal safety net for this new era of development. We envisioned an intelligent agent that could act as a tireless security partner, scrutinizing every pull request with the same rigor. Sentoru was born from this vision—to secure all code, for every developer, in every PR.
A Multi-Agent System for Security
Sentoru operates as a sequence of specialized AI agents, each with a distinct role in the security workflow, triggered on every pull request.
Analyze
Analyzes code changes for vulnerabilities using a custom RAG knowledge base of security best practices.
Generate Fixes
Generates and proposes fixes in a developer-friendly, native patch format for one-click approval.
Validate & Test
Generates `pytest` penetration tests to validate that the suggested fixes are effective against the original attack vector.
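As an added illustration of what the Validate & Test stage is described as producing (example code written for this page, not Sentoru's own output): a constructed Python function with a SQL injection flaw, the parameterized fix the Fixer would propose, and a `pytest`-style regression test that checks the fix holds against the payload the Analyst reported.

```python
# Added example, not Sentoru's own code: a "pentest" in pytest form that
# validates a proposed fix against the original attack vector. The schema,
# the two functions and the payload are all constructed for this illustration.
import sqlite3


def _db():
    # In-memory fixture so the test runs offline and deterministically.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name):
    # 'Before' state as the Analyst would flag it: user input is spliced
    # into the SQL text, so quotes in the input change the query's logic.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_fixed(conn, name):
    # Proposed fix: a bound parameter. The driver sends the input as a
    # value, so it can never be parsed as SQL.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# The attack vector from the analysis report (constructed for this example).
PAYLOAD = "' OR '1'='1"


def test_vulnerable_version_leaks_every_row():
    # Confirms the reported flaw is real before trusting the fix.
    assert len(find_user_vulnerable(_db(), PAYLOAD)) == 2


def test_fix_neutralises_original_payload():
    # The same payload must now match nothing.
    assert find_user_fixed(_db(), PAYLOAD) == []


def test_fix_preserves_intended_behaviour():
    # A fix that breaks the feature is not a fix.
    assert find_user_fixed(_db(), "alice") == [("alice",)]
```

Run with `pytest` on the file; all three tests passing is the signal that the patch closes the reported vector without regressing the lookup.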
How We Built It
Built on a modern, serverless Google Cloud stack, orchestrating specialized agents with Vertex AI.

Sequential Agents
We orchestrated three specialized agents (Analyst, Fixer, Pentester) using a sequential model to ensure a logical, end-to-end security workflow.
Vertex AI RAG Engine
A powerful RAG engine using Vertex AI Search, Gemini 2.5 Flash, and `text-embedding-005` to create vectors for high-quality semantic search.
Cloud Run & Probot
A serverless function runs our bot (built with Probot), which listens for PR webhooks from git providers to trigger the agent's security review.
GitHub Actions for CI/CD
A full DevOps pipeline on GitHub automates the deployment of our agent to Google Cloud, making our process repeatable and reliable.
How Sentoru Stands Out
Combining the best of security tools into a single, developer-centric agent.
Tool/Agent | Multi-Agent | Static Analysis | Suggests Fixes | Generates Pentests | PR Integration | Open Source |
---|---|---|---|---|---|---|
Sentoru | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Snyk Code + AI Fix | ❌ | ✅ | ✅ | ❌ | ✅ | ❌ |
GitHub CodeQL | ❌ | ✅ | ❌ | ❌ | ✅ | ✅ |
Argusee (Google Research) | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ |
Generic LLMs (ChatGPT, etc.) | ❌ | ⚠️ | ✅ | ❌ | ❌ | ✅ |
What's Next for Sentoru
Evolving into an indispensable, autonomous security partner.
True Autonomy
Implement a "closed-loop" agent with a secure execution environment for pentests, enabling a recursive, self-healing cycle until code is verifiably secure.
Universal Tool
Expand support to other major languages like JavaScript, Java, and Go, making Sentoru a versatile tool for all developers.
Trusted Enterprise Adoption
Enable deployment within a company's own cloud environment, allowing enterprises to use Sentoru with their own models and infrastructure.
Get Started with Sentoru
Follow these steps to set up and run the agent locally for development and testing.
1. Prerequisites
Ensure you have `uv` and the Google Cloud SDK installed.
2. Sync Python Dependencies
Install the required Python packages.
```
uv sync
```
3. Set Up Environment Variables
Create a `.env` file in the project root with your credentials.
```
GOOGLE_CLOUD_PROJECT=<your-gcp-project-id>
GOOGLE_GENAI_USE_VERTEXAI=True
GOOGLE_CLOUD_LOCATION=us-central1
LLM_DEPLOYMENT=gemini-2.0-flash
SAFETY_API_KEY=<your-safety-mcp-apikey>
```
4. Run the Agent
The best way to try out the agent is the `notebooks/adk_app_testing.ipynb` notebook. It lets you run the agent flow locally or connect to a cloud resource, provide git diffs as input, and inspect the JSON responses.