La Guida · 04

Agents & Remediation

Four specialist agents draft pull requests for your issues. You control how much autonomy they have.

The team
Marinara
injection · secrets · input-validation

Handles SQL injection, command injection, XSS, hardcoded secrets, and input-validation failures. First responder for the most exploitable classes.

Carbonara
crypto · secrets · TLS

Fixes weak hashing, insecure randomness, deprecated TLS versions, and cryptographic misconfigurations. Also handles secrets rotation when detected.

Alfredo
auth · access-control · session

Remediates missing authorisation checks, CORS wildcards, insecure password storage, weak policies, and session management issues.

Pesto
dependencies · supply-chain

Upgrades vulnerable packages, patches SCA findings from npm-audit / pip-audit / bundler-audit, and fixes IaC misconfigurations.

Running remediation

The right agent is assigned automatically based on the issue type. Run a single issue or hand the whole backlog to the agent pool.

# Fix one issue (agent auto-assigned)
opt remediate --issue ISSUE-003

# Fix everything at medium severity or above
opt remediate --all --severity medium

# Specify an agent explicitly
opt remediate --issue ISSUE-003 --agent alfredo

Agents run in parallel with a work-stealing queue; critical issues are picked up first regardless of discovery order.

Autonomy modes
Careful

Every PR needs an explicit opt approve from you before it is opened. Nothing lands without a human sign-off.

Recommended (default)

Auto-opens PRs for low/medium non-critical fixes. Pauses for: auth changes, secrets rotation, schema migrations, diffs over 200 lines.

YOLO

Auto-opens everything except the hard-coded safety triggers (auth system rewrites, credential exposure). For teams with strong CI gates.
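The three modes apply the same gate rules differently to the same draft PR. The following is an added illustration, not the tool's own code: it models the mode rules stated above as a single decision function, with the PR record shape, tag names and the reading of "low/medium non-critical" as anything outside low or medium severity being assumptions made here.

```python
from dataclasses import dataclass, field

# Constructed model of the autonomy gates described on this page.
# Tag names and the DraftPR shape are assumptions for illustration.
SAFETY_TRIGGERS = {"auth-rewrite", "credential-exposure"}  # hard-coded, every mode
RECOMMENDED_PAUSE_TAGS = {"auth-change", "secrets-rotation", "schema-migration"}
RECOMMENDED_MAX_DIFF_LINES = 200
AUTO_OPEN_SEVERITIES = {"low", "medium"}


@dataclass
class DraftPR:
    issue: str
    severity: str            # "low" | "medium" | "high" | "critical"
    diff_lines: int
    tags: set = field(default_factory=set)


def gate(pr: DraftPR, mode: str) -> str:
    """Return "open" if the PR may be opened without a human, else "pause"."""
    # Safety triggers hold in every mode, YOLO included.
    if pr.tags & SAFETY_TRIGGERS:
        return "pause"
    if mode == "careful":
        return "pause"                      # every PR waits for opt approve
    if mode == "yolo":
        return "open"
    if mode == "recommended":
        if pr.severity not in AUTO_OPEN_SEVERITIES:
            return "pause"                  # only low/medium auto-open
        if pr.tags & RECOMMENDED_PAUSE_TAGS:
            return "pause"
        if pr.diff_lines > RECOMMENDED_MAX_DIFF_LINES:
            return "pause"
        return "open"
    raise ValueError(f"unknown autonomy mode: {mode}")


def reviews_queue(backlog: list, mode: str) -> list:
    """Issues that would land in the Reviews queue under the given mode."""
    return [pr.issue for pr in backlog if gate(pr, mode) == "pause"]
```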

Approving gated PRs

When an agent pauses on an issue (autonomy gate or Careful mode), it appears in the Reviews queue. Approve from the UI or the terminal:

# Approve a specific issue (unblocks the agent to open the PR)
opt approve --issue ISSUE-007

# Verify a fix landed after the PR was merged
opt verify --issue ISSUE-007

Nonna, the quality gate

Before any PR is opened, Nonna (the head-chef review agent) reads the diff and checks for regressions, test coverage, and correctness. If Nonna flags a problem, the PR is held until the agent revises it. This gate is on by default and can be disabled in .ohpentesting/config.yml under agents.review.enabled.