Cybersecurity Scanner

BugSlayer
Setup Guide

Get your automated security scanning pipeline running in minutes on Azure DevOps or GitHub Actions.

01

Download the Pipeline File

Download the pre-configured pipeline YML and place it in your repository.

bugslayer-pipeline.yml

azure-pipelines.yml · ~40 lines · Last updated today

02

Configure Your Pipeline

Azure DevOps

  1. In your Azure DevOps project, go to Pipelines → New Pipeline.
  2. Select your repository and choose "Existing Azure Pipelines YAML file".
  3. Point it to the bugslayer-pipeline.yml file you added to your repo root.
  4. Before running, navigate to Pipelines → Edit → Variables and add each variable listed below as a pipeline variable. Mark sensitive values as secret.
  5. Note: GITHUB_TOKEN is not needed for Azure DevOps — skip it.
  6. Save and run your pipeline. BugSlayer will scan on every push and pull request.

Pipeline Variables — Azure DevOps

GitHub Actions

  1. Rename the downloaded file to a .yml name of your choice and place it in .github/workflows/ in your repository.
  2. You'll need to adapt the trigger syntax slightly for GitHub Actions — replace trigger / pr keys with GitHub's on: push / pull_request format.
  3. Go to your repo on GitHub → Settings → Secrets and variables → Actions.
  4. Add each variable below as a Repository Secret. Reference them in the YML as ${{ secrets.VAR_NAME }}.
  5. Note: AZURE_DEVOPS_TOKEN is not needed for GitHub Actions — skip it.
  6. Commit and push. BugSlayer will scan on every push and pull request automatically.

Repository Secrets — GitHub Actions

AI Vulnerability Pipeline

BugSlayer 2
Setup Guide

Provision a GCP VM that autonomously triages a target repo, generates patches, and opens GitHub PRs — powered by Claude Code and gitnexus.

01

Prerequisites

  1. Install Python 3.11+ and confirm git is on your PATH.
  2. You'll need a Google Cloud project with the Compute Engine API enabled and credentials configured locally (gcloud auth application-default login).
  3. You'll need an Anthropic API key — BugSlayer 2 installs Claude Code on the VM and uses it to run the triage agent.
  4. Optionally, set up a Discord webhook URL to receive analysis results as a zip file when the run completes.

02

Clone the Repo & Install Dependencies

  1. Clone the BugSlayer 2 repository:
    git clone https://github.com/bardownncelly13/BugSlayer2.git
    cd BugSlayer2
  2. Install Python dependencies:
    pip install -r requirements.txt

    Installs python-dotenv and google-cloud-compute.

03

Configure Environment Variables

Create a .env file in the repo root (or export these in your shell). BugSlayer 2 loads them automatically at runtime via python-dotenv.

# .env — BugSlayer 2 configuration

# ── GCP ──────────────────────────────
PROJECT_ID=your-gcp-project-id
ZONE=us-central1-a
INSTANCE_NAME=nexus-api-lab

# ── Claude Code ──────────────────────
ANTHROPIC_API_KEY=sk-ant-...

# ── SSH / VM user ─────────────────────
SSH_USER=ubuntu

# ── Triage task spec ─────────────────
GOALS_PATH=GOALS.md

# ── Notifications (optional) ─────────
DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...

Variable Checklist

04

Run a Triage Scan

Point BugSlayer 2 at any public Git repo. It will spin up a GCP VM, clone the target, run the Claude Code triage agent, and send you the results.

  1. Run the scanner against any public repo URL:
    python runGCP.py https://github.com/owner/target-repo
  2. To replace an existing VM of the same name automatically:
    python runGCP.py https://github.com/owner/target-repo --replace
  3. To set a custom runtime limit (default is 15 minutes):
    python runGCP.py https://github.com/owner/target-repo --runtime-minutes 20

What happens next: The VM boots, installs Claude Code and the gitnexus MCP server, clones the target repo, and runs the triage agent. When complete, four output files are written to /opt/orchestrator/ on the VM: ENTRYPOINTS.md, VULN_REPORT.md, POC.md, and PATCH.md. If a Discord webhook is configured, a zip of all outputs is posted automatically.

05

Publish Patch PRs (Optional)

After a triage run, use the PR publisher to automatically open one GitHub pull request per patch section in PATCH.md.

  1. Set a GitHub token with repo scope in your environment:
    export GITHUB_TOKEN=ghp_...
  2. Run the publisher against the output PATCH.md and a local clone of the target repo:
    python publish_patch_prs.py \
      --patch-md /opt/orchestrator/PATCH.md \
      --local-repo-path /path/to/target-repo \
      --base-branch main \
      --title-prefix "security: "

One PR per patch: Each ## Patch N section in PATCH.md becomes a bugslayer/<slug>-<timestamp> branch and a scoped pull request. The local repo must be a clean clone of the same target repo the triage ran against.
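
The section-to-branch mapping described above can be previewed before the publisher is run with a repo-scoped token. This is an added example, not code from the BugSlayer 2 repository: the optional title after "## Patch N", the slug rule, the timestamp format and the "+++ b/<path>" diff headers are assumptions, and the sample PATCH.md is constructed.

```python
import re
from datetime import datetime, timezone

# Assumption: each section opens with "## Patch N", optionally followed by a title.
SECTION_RE = re.compile(r"^## Patch (\d+)\b[ \t]*[:\-]?[ \t]*(.*)$", re.MULTILINE)
# Assumption: a section may carry a unified diff with "+++ b/<path>" file headers.
DIFF_FILE_RE = re.compile(r"^\+\+\+ b/(\S+)", re.MULTILINE)

# Constructed sample input, not output from a real BugSlayer 2 run.
SAMPLE_PATCH_MD = """# Patches

## Patch 1: Parameterize SQL query in user lookup
--- a/app/db.py
+++ b/app/db.py

## Patch 2
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
"""


def slugify(text, max_len=40):
    """Hypothetical slug rule: lowercase, non-alphanumerics collapsed to '-'."""
    slug = re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")
    return slug[:max_len].rstrip("-") or "patch"


def preview_patches(patch_md, now=None):
    """Return number, title, branch name and touched files for each section."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")
    matches = list(SECTION_RE.finditer(patch_md))
    previews = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(patch_md)
        title = m.group(2).strip() or f"patch {m.group(1)}"
        previews.append({
            "number": int(m.group(1)),
            "title": title,
            "branch": f"bugslayer/{slugify(title)}-{stamp}",
            "files": sorted(set(DIFF_FILE_RE.findall(patch_md[m.end():end]))),
        })
    return previews


if __name__ == "__main__":
    for p in preview_patches(SAMPLE_PATCH_MD):
        print(p["number"], p["branch"], p["files"])
```

Reading the files list for each branch shows whether a generated patch reaches outside the code it claims to fix, for example into CI workflow files.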