Agent Roles

Planner

Receives webhook events, identifies infra files, and orchestrates the full scan pipeline.

Tools Used

github_api.get_pr_files, scanner.detect_file_type

Scanner

Multi-engine static analysis across Terraform, K8s YAML, Dockerfiles, and GitHub Actions.

Tools Used

scanner.scan_file, scanner.run_rules

Evaluator

Amazon Nova 2 Lite reasons about each finding: explains the risk, writes a code fix, and estimates impact.

Tools Used

nova_2_lite.converse, cost_estimator.predict, compliance.map

Reporter

Compiles the structured report, posts inline PR review comments, and sets the commit status.

Tools Used

github_api.post_review, github_api.set_commit_status, db.save_scan

Tool Registry

| Tool | Type | Description |
| --- | --- | --- |
| scanner.scan_file | Static Analysis | Pattern-match rules against infrastructure AST |
| nova_2_lite.converse | AI Reasoning | AWS Bedrock Converse API with extended thinking |
| github_api.* | GitHub Integration | PR files, reviews, commit status, inline comments |
| cost_estimator.predict | FinOps | Estimate monthly cost impact per resource |
| compliance.map | Compliance | Map findings to CIS AWS 1.2, SOC2, FinOps frameworks |
| db.save_scan | Persistence | SQLite storage for scan history and dashboard |

Execution Pipeline

PR Scan Pipeline

Webhook → Planner → Scanner → Evaluator → Reporter

Step 1: Webhook Received

GitHub sends a PR event to the Guardian webhook server.

Step 2: File Discovery

The Planner agent fetches changed files and filters to supported infra types.

Step 3: Static Scan

The Scanner agent runs rule engines across all detected file types in parallel.

Step 4: Nova Reasoning

Each finding is sent to Nova 2 Lite for severity analysis, explanation, and code fix generation.

Step 5: Cost & Compliance

Financial impact is estimated and findings are mapped to compliance frameworks.

Step 6: PR Review

The Reporter posts inline comments with fixes and sets the commit status (pass/fail).

End-to-end: ~3.4 seconds average

Powered by Amazon Nova 2 Lite
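The File Discovery step (Step 2), sketched as an added example; this is not Guardian's own code. It shows how changed PR files can be narrowed to the four supported families, including telling Kubernetes manifests and workflow files apart from other YAML. The function bodies, type labels, path heuristics and sample PR are assumptions; only the name `detect_file_type` comes from the page.

```python
import re
from pathlib import PurePosixPath

# Assumed heuristics and type labels; the page names the four families only.
_K8S_KEYS = [re.compile(rf"^{k}:\s*\S+", re.MULTILINE) for k in ("apiVersion", "kind")]


def detect_file_type(path, content=""):
    """Classify one changed PR file as an infra type, or None if unsupported."""
    p = PurePosixPath(path)
    name, suffix = p.name.lower(), p.suffix.lower()
    if suffix == ".tf" or name.endswith(".tf.json"):
        return "terraform"
    if name == "dockerfile" or name.startswith("dockerfile.") or suffix == ".dockerfile":
        return "dockerfile"
    if suffix in (".yml", ".yaml"):
        # Workflows are recognised by location, not by content.
        if len(p.parts) == 3 and p.parts[:2] == (".github", "workflows"):
            return "github_actions"
        # Other YAML is Kubernetes only with top-level apiVersion and kind.
        if all(r.search(content) for r in _K8S_KEYS):
            return "kubernetes"
    return None


def filter_infra_files(changed):
    """Map path -> type for (path, status, content) tuples from a PR."""
    selected = {}
    for path, status, content in changed:
        if status == "removed":
            continue  # deleted in this PR: nothing left to scan
        kind = detect_file_type(path, content)
        if kind:
            selected[path] = kind
    return selected


# Constructed sample PR, not taken from a real repository.
SAMPLE_PR = [
    ("infra/main.tf", "modified", 'resource "aws_s3_bucket" "b" {}\n'),
    ("deploy/api.yaml", "added", "apiVersion: apps/v1\nkind: Deployment\n"),
    ("docker-compose.yml", "modified", "services:\n  web:\n    image: nginx\n"),
    (".github/workflows/ci.yml", "modified", "on: push\njobs: {}\n"),
    ("services/api/Dockerfile", "added", "FROM alpine:3.20\n"),
    ("old/legacy.tf", "removed", ""),
    ("README.md", "modified", "# docs\n"),
]

if __name__ == "__main__":
    print(filter_infra_files(SAMPLE_PR))
```

Any file that falls through to `None` never reaches the Scanner, so a gap in these heuristics is a gap in coverage rather than a harmless miss.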

Technology Stack

AI Engine

  • Amazon Nova 2 Lite (Bedrock)
  • Converse API + Extended Thinking
  • Prompt-chained reasoning

Infrastructure

  • AWS Lambda + Step Functions
  • SQLite persistence
  • GitHub App (webhooks)

Frontend

  • Next.js 15 (App Router)
  • Neo-Brutalism design system
  • Real-time pipeline visualization

Built for the Amazon Nova AI Hackathon 2026
