Skip to the content.

Agents guide

Each role is a specialized security workflow. Pass the role name with -r / --role.

← Back to README · Examples · Configuration


Quick reference

Role One-line summary Typical input
simple_query_agent Ask AppSec questions Your question (+ optional -s)
code_reviewer Scan a repo for vulnerabilities -s source dir
pr_reviewer Review only PR/diff changes --diff-context JSON
pr_adversary Filter weak PR findings (2nd pass) --adversarial-context JSON
fp_adversary Confirm/dismiss full-repo findings --adversarial-context JSON
code_fixer Produce a minimal code fix --fix-context JSON
qa_verifier Run tests after a fix --qa-context JSON
finding_validator Re-check if a finding still applies --retest-context JSON
threat_modeler STRIDE threat model + risks -s source dir, -f json
threat_adversary Filter weak threats (2nd pass) --adversarial-context JSON
context_extractor Extract repo metadata --extract-context JSON
learned_guidance_synthesizer Build dismissal guidance rules --inputs JSON

List roles anytime: npx agent-run -l


Core agents

simple_query_agent

Use when: You want a conversational AppSec assistant.

npx agent-run -r simple_query_agent -s ./my-project

code_reviewer

Use when: You need a security report for an entire repository or folder.

npx agent-run -r code_reviewer -s ./src -f json -o report.json

pr_reviewer

Use when: You are reviewing a Pull Request and only want changed files analyzed.

npx agent-run -r pr_reviewer --diff-context pr-diff.json -s ./repo -f json

Works with Claude (default) and Codex (--provider codex).


pr_adversary

Use when: A first-pass PR review produced too many findings and you want a skeptical second pass.

npx agent-run -r pr_adversary --adversarial-context candidates.json -s ./repo -f json -o filtered.json

Works with Claude and Codex.


fp_adversary

Use when: You ran a full-repo code_reviewer scan and need per-finding confirm/dismiss verdicts (Lane-2 false-positive filter).


Fix and verify pipeline

code_fixer

Use when: You have one finding and need a minimal patch.

qa_verifier

Use when: A fix was applied and you need to run the test suite.

finding_validator

Use when: You need to retest whether an existing finding still reproduces.


Threat modeling

threat_modeler

Use when: You need a formal STRIDE threat model with DFD and risk registry.

npx agent-run -r threat_modeler -s ./api -f json -o threat_model_report.json

threat_adversary

Use when: The first threat model has generic or ungrounded threats.


Supporting roles

context_extractor

Extracts repository metadata and file summaries for downstream automation (--extract-context).

learned_guidance_synthesizer

Synthesizes class-level dismissal guidance from bucketed signals (--inputs). Used by integrators building learned false-positive rules.


Two-pass patterns

Many production pipelines run two passes:

pr_reviewer  →  pr_adversary
threat_modeler  →  threat_adversary
code_reviewer  →  fp_adversary   (full-repo FP filter)

The first pass finds issues; the second pass removes findings that cannot be grounded in real attack paths.


Model providers

All roles support:

Details: Configuration — Model providers