Aigon runs security scans at the merge gate — when you close or submit a feature, scanners check for secrets and vulnerabilities before the merge proceeds.
How it works
When you run aigon feature-close or aigon agent-status implementation-complete (or revision-complete), Aigon executes configured scanners against your changed files:
- gitleaks — detects hardcoded secrets (API keys, tokens, passwords)
- Semgrep — static analysis for security vulnerabilities (OWASP patterns, injection risks)
Both scanners run in diff-aware mode, scanning only files changed in the feature branch.
Scanner behaviour
| Scanner | Blocks on | Warns on | Not installed |
|---|---|---|---|
| gitleaks | Any finding | — | Skipped with warning |
| Semgrep | High severity | Medium severity | Skipped with warning |
If a scanner binary is not installed, Aigon skips it gracefully and logs a warning. Install them for full protection:
```
brew install gitleaks
brew install semgrep # or: pip install semgrep
```
Configuration
Security scanning is enabled by default. Configure via ~/.aigon/config.json:
```json
{
  "security": {
    "enabled": true,
    "mergeGateStages": {
      "featureClose": ["gitleaks", "semgrep"],
      "featureSubmit": ["gitleaks", "semgrep"],
      "researchClose": ["gitleaks"]
    }
  }
}
```
Disabling a scanner
Remove it from the stage array:
```
aigon config set --global security.mergeGateStages.featureClose '["gitleaks"]'
```
ESLint security plugin
For web and api profiles, the first-run bootstrap of aigon apply recommends installing eslint-plugin-security for additional static analysis during development.
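To make the gate policy concrete, here is an added example (not Aigon's own code) that reads the stage list from the config structure above, scopes the scan to the branch diff, and applies the behaviour table: gitleaks blocks on any finding, Semgrep blocks on HIGH and warns on MEDIUM, and a missing binary is skipped with a warning. The HIGH/MEDIUM labels and the "main" base branch are assumptions; findings are passed in already normalised, so no scanner needs to be installed to run it.

```python
import shutil
import subprocess
from dataclasses import dataclass, field

# Per-scanner policy from the behaviour table. Severity labels follow the page
# (HIGH / MEDIUM); mapping Semgrep's native ERROR/WARNING onto them is an
# assumption made by whoever feeds findings into evaluate().
POLICY = {
    "gitleaks": {"block": "any", "warn": set()},
    "semgrep": {"block": {"HIGH"}, "warn": {"MEDIUM"}},
}

@dataclass
class GateResult:
    blocked: bool = False
    messages: list[str] = field(default_factory=list)
    skipped: list[str] = field(default_factory=list)

def scanners_for_stage(config: dict, stage: str) -> list[str]:
    """Scanner list for one merge-gate stage from the ~/.aigon/config.json layout."""
    security = config.get("security", {})
    if not security.get("enabled", True):
        return []
    return list(security.get("mergeGateStages", {}).get(stage, []))

def changed_files(base_ref: str = "main") -> list[str]:
    """Diff-aware scope: files changed since the branch left base_ref (assumed 'main')."""
    out = subprocess.run(["git", "diff", "--name-only", f"{base_ref}...HEAD"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]

def evaluate(stage_scanners, findings_by_scanner, is_installed=shutil.which) -> GateResult:
    """findings_by_scanner maps scanner -> list of (severity, description) for the changed files."""
    result = GateResult()
    for scanner in stage_scanners:
        if is_installed(scanner) is None:
            # Not installed: skip gracefully, but say so.
            result.skipped.append(scanner)
            result.messages.append(f"WARNING: {scanner} not installed; skipped")
            continue
        policy = POLICY[scanner]
        for severity, desc in findings_by_scanner.get(scanner, []):
            if policy["block"] == "any" or severity in policy["block"]:
                result.blocked = True
                result.messages.append(f"BLOCK {scanner} [{severity}]: {desc}")
            elif severity in policy["warn"]:
                result.messages.append(f"WARN {scanner} [{severity}]: {desc}")
    return result
```

Note that a skipped scanner never blocks, so an uninstalled gitleaks silently reduces the gate to whatever Semgrep catches; treat "skipped with warning" as a gap to close, not a pass.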
On-demand scanning
The merge gate runs scoped, branch-level scans. For a broader repo-wide scan — across all commits since the last scan — use the on-demand command:
```
aigon security-scan
```
This runs all configured scanners plus an LLM analysis via the /security-review skill, deduplicates findings using fingerprints from previous scans, and auto-creates feedback items for any new HIGH-severity findings. See the security-scan reference for full options.
Weekly automated scan
Automated recurring templates (including a security-scan-weekly style job that runs aigon security-scan on a cadence) require Aigon Pro and the recurring-features engine. Without Pro, run aigon security-scan on demand whenever you want a full-repo pass.
With Pro installed, aigon recurring-list shows whether a weekly scan is due; see the recurring-features guide for how cadence batches work.