Tip: Run the security audit before you ship, not after

Run attune workflow run security-audit --path "src/" as a pre-release gate, not a one-off check.

Why: SecurityAuditWorkflow coordinates four subagents — vuln-scanner, secret-detector, auth-reviewer, and remediation-planner — in parallel. Catching a hardcoded secret or an unvalidated file path costs seconds at audit time and hours in an incident.

How: The workflow's execute() method returns findings grouped by severity (CRITICAL, HIGH, MEDIUM, LOW) with file paths, line numbers, and prioritized remediation steps. Treat any CRITICAL finding as a release blocker.
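One shape a pre-release gate over these findings can take, as an added example that is not attune's own code: it assumes the audit findings can be exported as a list of records with severity, path, line, title and remediation fields (an assumption; the page does not document the exact output format), groups them by severity, fails closed on any severity it cannot interpret, and blocks the release on CRITICAL findings by default.

```python
"""Release gate over security-audit findings (example, not attune's API).

Assumed record shape: {"severity", "path", "line", "title", "remediation"}.
"""

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample findings in the assumed shape; not real audit output.
SAMPLE_FINDINGS = [
    {"severity": "HIGH", "path": "src/files.py", "line": 42,
     "title": "Unvalidated file path passed to open()",
     "remediation": "Resolve the path and check it stays under the allowed root."},
    {"severity": "critical", "path": "src/config.py", "line": 7,
     "title": "Hardcoded API key",
     "remediation": "Move the key to a secret store and rotate it."},
    {"severity": "LOW", "path": "src/util.py", "line": 3,
     "title": "Debug logging enabled",
     "remediation": "Disable debug logging in release builds."},
    {"severity": "unknown", "path": "src/legacy.py", "line": 1,
     "title": "Scanner returned an unrecognised severity",
     "remediation": "Triage manually before release."},
]


def group_by_severity(findings):
    """Bucket findings by severity; unknown severities fail closed as CRITICAL."""
    groups = {sev: [] for sev in SEVERITY_ORDER}
    for finding in findings:
        sev = str(finding.get("severity", "")).upper()
        if sev not in groups:
            sev = "CRITICAL"  # never let an unparseable finding slip through the gate
        groups[sev].append(finding)
    return groups


def release_gate(findings, block_on=("CRITICAL",)):
    """Return a report: counts per severity, the blockers, and an ordered plan."""
    groups = group_by_severity(findings)
    blockers = [f for sev in block_on for f in groups[sev]]
    # Remediation plan ordered by severity, then by location, for the release notes.
    plan = [
        f"{sev} {f['path']}:{f['line']} {f['title']} -> {f['remediation']}"
        for sev in SEVERITY_ORDER
        for f in sorted(groups[sev], key=lambda f: (f["path"], f["line"]))
    ]
    return {
        "blocked": bool(blockers),
        "counts": {sev: len(groups[sev]) for sev in SEVERITY_ORDER},
        "blockers": blockers,
        "plan": plan,
    }


if __name__ == "__main__":
    report = release_gate(SAMPLE_FINDINGS)
    print("\n".join(report["plan"]))
    raise SystemExit(1 if report["blocked"] else 0)
```

Wire the non-zero exit into the release pipeline so a CRITICAL finding stops the ship step rather than just printing a warning.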

Tradeoff: A full multi-pass audit takes roughly five minutes. If you run it only on changed paths rather than the whole codebase, you may miss vulnerabilities introduced by transitive effects — a utility function used in a new, riskier context, for example.

Tags: security, audit, owasp, scanning, cve