Loading...
Loading...
Run an AWS Security Agent scan on the workspace — uploads the source to AWS, scans it with the managed Security Agent service, and returns ranked, verified findings with code locations and remediations. Use when the user asks to scan code, find vulnerabilities, run a security scan or review, check security issues, check scan status, show findings, list recent scans, or stop a scan.
npx skill4agent add aws/agent-toolkit-for-aws scanning-with-aws-security-agentsetup-security-agent.security-agent/config.json| User intent | Workflow |
|---|---|
| Direct scan request ("scan my code", "find vulnerabilities") | Full Scan |
| Scan status check ("how's the scan", "progress") | Status workflow |
| View findings ("what did it find", "show results") | Findings workflow |
| List scans ("recent scans", "show my scans") | Read |
| Stop a scan | |
.security-agent/config.jsonagent_space_idregionconfig.jsonsetup-security-agent.security-agent/scans.jsonconfig.json → code_reviews[<abs_path>]| Placeholder | How to resolve |
|---|---|
| |
| |
| |
| |
| |
| |
| |
| |
config.jsonsetup-security-agentaws securityagent batch-get-agent-spaces --agent-space-ids <id>agent_space_idconfig.jsonsetup-security-agentWORKSPACE_ID=$(printf '%s' "$(pwd)" | md5sum | cut -c1-12)diff-scanning-with-aws-security-agentthreat-modeling-with-aws-security-agent.gitignorecd <absolute-workspace-path>
zip -r /tmp/source.zip . \
-x ".git/*" \
-x ".security-agent/*" \
-x "node_modules/*" \
-x "__pycache__/*" \
-x ".venv/*" -x "venv/*" \
-x "dist/*" -x "build/*" -x "target/*" \
-x ".mypy_cache/*" -x ".pytest_cache/*" -x ".tox/*" \
-x ".next/*" -x "cdk.out/*" \
-x ".DS_Store" -x "Thumbs.db" \
-x "*.pyc" -x "*.pyo"
ZIP_BYTES=$(stat -f%z /tmp/source.zip 2>/dev/null || stat -c%s /tmp/source.zip)
if [ "$ZIP_BYTES" -gt 2147483648 ]; then echo "Zip too large (>2GB)"; exit 1; fiaws s3 cp /tmp/source.zip s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zipconfig.json → code_reviews[<abs_path>]code_review_idaws securityagent create-code-review --agent-space-id <id> --title <title> \
--service-role <role-arn> \
--assets sourceCode=[{s3Location=s3://<bucket>/security-scans/source/<WORKSPACE_ID>/source.zip}]codeReviewIdconfig.json → code_reviews[<abs_path>]pre-cr-<git-branch>git rev-parse --abbrev-ref HEADaws securityagent start-code-review-job --agent-space-id <id> --code-review-id <cr-id>ResourceNotFoundExceptioncodeReviewJobIdscan_idscan-<8-hex>scans.json{
"scan_id": "scan-...",
"code_review_id": "cr-...",
"job_id": "cj-...",
"agent_space_id": "as-...",
"scan_type": "FULL",
"title": "pre-cr-main",
"path": "/abs/path",
"started_at": "2026-06-01T20:00:00Z",
"status": "IN_PROGRESS"
}sleep 300sleep 300aws securityagent batch-get-code-review-jobs --agent-space-id <id> --code-review-job-ids <job_id>statusIN_PROGRESSCOMPLETEDCOMPLETEDFAILEDSTOPPEDCOMPLETEDFAILEDstatusReason.security-agent/findings-{scan_id}.mdscan_idscans.jsonbatch-get-code-review-jobsscans.jsonaws securityagent list-findings --agent-space-id <id> --code-review-job-id <job-id>nextToken--next-token <token>aws securityagent batch-get-findings --agent-space-id <id> --finding-ids <id1> <id2> ...🟣 CRITICAL: {name}
File: {filePath}:{lineStart}
{description}
🔴 HIGH: {name}
File: {filePath}:{lineStart}
{description}
🟡 MEDIUM: {name}
File: {filePath}:{lineStart}
{description}
🟢 LOW: {name}
File: {filePath}:{lineStart}
{description}.security-agent/findings-{scan_id}.md# Security Scan Report — {scan_id}
**Scan type**: FULL
**Title**: {title}
**Started**: {started_at}
**Total findings**: {count}
## Summary
| Severity | Count |
|----------|-------|
| CRITICAL | N |
| HIGH | N |
| MEDIUM | N |
| LOW | N |
## Findings
### 🟣 CRITICAL: {name}
- **ID**: {findingId}
- **Risk type**: {riskType}
- **Confidence**: {confidence}
- **Status**: {status}
- **Location**: `{filePath}:{lineStart}-{lineEnd}`
**Description**: {description}
**Remediation**:
{remediationCode or remediation guidance from description}
(repeat for every finding).security-agent/findings-{scan_id}.mdaws securityagent stop-code-review-job --agent-space-id <id> --code-review-job-id <job_id>scans.jsonSTOPPED.security-agent/scans.json| scan_id | type | title | status | started |
|---|---|---|---|---|
| scan-abc | FULL | pre-cr-main | COMPLETED | 2h ago |
| scan-def | FULL | pre-cr-feature-x | FAILED | 1d ago |
scans.jsonResourceNotFoundExceptionstart-code-review-jobconfig.jsonsetup-security-agentAccessDenieds3 cpResourceNotFoundExceptionbatch-get-code-review-jobs