Securing our codebase with autonomous agents
Summary
Cursor has significantly enhanced its codebase security by deploying a fleet of autonomous security agents, increasing PR velocity 5x over nine months while catching over 200 vulnerabilities weekly across 3,000+ internal PRs. This system, built using Cursor Automations, leverages out-of-the-box integrations for webhooks and GitHub PRs, alongside a rich agent harness powered by cloud agents. A custom security MCP (Master Control Program) tool, deployed as a serverless Lambda function, provides persistent data storage for tracking impact, deduplication of LLM-generated findings using Gemini Flash 2.5, and consistent output formatting. Four key automation templates have been released: Agentic Security Review for new code, Vuln Hunter for existing codebases, Anybump for automated dependency patching, and Invariant Sentinel for daily monitoring of security and compliance invariants.
Key takeaway
For MLOps Engineers or Security Engineers managing large, rapidly evolving codebases, adopting agentic security solutions like Cursor Automations can dramatically improve security posture and operational efficiency. You should explore integrating autonomous agents into your CI/CD pipeline to automate PR reviews, dependency patching, and compliance monitoring, freeing up human security teams for more complex tasks and ensuring consistent coverage at scale.
Key insights
Autonomous agents can significantly scale codebase security by automating vulnerability identification and remediation.
Principles
- Combine LLM findings with semantic deduplication.
- Integrate agents directly into PR workflows.
- Automate dependency patching with reachability analysis.
Method
The system uses a security MCP for persistent data, finding deduplication via Gemini Flash 2.5, and consistent output. Agents are deployed as serverless Lambda functions, triggered by webhooks and GitHub PRs, and manage specific security tasks.
In practice
- Use Agentic Security Review for new code vulnerability detection.
- Deploy Anybump to automate dependency vulnerability patching.
- Implement Invariant Sentinel for continuous compliance monitoring.
Topics
- Autonomous Agents
- Code Security Automation
- Vulnerability Management
- Dependency Patching Automation
- LLM Applications
Code references
Best for: AI Security Engineer, Security Engineer, MLOps Engineer
Related on AIssential
Editorial summary, takeaway, and curation by AIssential. Original article published by Cursor Blog.