Skip to content

Dvalin Security Workspace

Dvalin is DvalinCode's white-box security engineering workspace. It combines scanner orchestration, SARIF normalization, source-aware triage, isolated remediation, test verification, and explicit draft-PR publication in one flow.

Scanner Fleet

The built-in engine is always available and checks high-signal patterns such as hardcoded secrets, AWS keys, SQL concatenation, unsafe HTML sinks, dynamic code execution, and shell injection. Dvalin also detects these optional open-source CLIs from PATH:

EngineCoverageInstall example
Semgrep Community EditionMulti-language semantic SASTpython3 -m pip install semgrep
TrivyDependency vulnerabilities, secrets, and IaC misconfigurationbrew install trivy
OSV-ScannerOpen-source dependency vulnerability matchingbrew install osv-scanner

Each external engine emits SARIF 2.1. Dvalin normalizes and de-duplicates the reports, rejects absolute result paths outside the selected workspace, and persists findings as local remediation cases. Missing optional engines are shown as missing; they do not prevent installed engines from completing.

Scan → Fix → Verify → PR

  • Scan: select engines, run the suite, inspect per-engine status, and use the risk grade to prioritize triage. Imported SARIF follows the same case workflow.
  • Fix: validate each finding against source before editing. Use a minimal patch in the current workspace or a dedicated remediation worktree.
  • Verify: run focused tests, project checks, and a fresh Dvalin scan; inspect the diff for test weakening, suppressions, secrets, and unrelated edits.
  • PR: an explicit user click asks the agent to re-check evidence, create a focused branch and commit, push, and open a draft PR/MR. It never merges.

Policy and Network Behavior

Scanner commands pass through the same org command policy as other governed processes. A deny rule or default-deny policy can block an engine. Semgrep, Trivy, and OSV-Scanner may need network access to download rules or vulnerability databases; network: off or endpoint-only can prevent that access. Use cached databases or only the built-in scanner for an offline workflow.

The dashboard score is a deterministic triage heuristic based on finding severity. It is not a compliance certification and a clean result is not proof that the codebase is vulnerability-free. Scanner findings can be false positives or omit business-logic flaws, so source validation and human review remain part of the workflow.

Agent Tool

run_security_suite is available to Code and Dvalin agents. It accepts an optional scanners list (builtin, semgrep, trivy, osv-scanner), returns per-engine status and normalized metrics, and persists remediation cases by default. Organization policy can deny the tool or its underlying commands.

Released under the MIT License. Not affiliated with any AI vendor.