aegisops-ai

/aegisops-ai — Autonomous Governance Orchestrator

AegisOps-AI is a professional-grade "Living Pipeline" that integrates advanced AI reasoning directly into the SDLC. It acts as an intelligent gatekeeper for systems-level security, cloud infrastructure costs, and Kubernetes compliance.

Goal

To automate high-stakes security and financial audits by:
  1. Identifying logic-based vulnerabilities (UAF, Stale State) in Linux Kernel patches.
  2. Detecting massive "Silent Disaster" cost drifts in Terraform plans.
  3. Translating natural language security intent into hardened K8s manifests.

When to Use

  • Kernel Patch Review: Auditing raw C-based Git diffs for memory safety.
  • Pre-Apply IaC Audit: Analyzing terraform plan outputs to prevent bill spikes.
  • Cluster Hardening: Generating "Least Privilege" securityContexts for deployments.
  • CI/CD Quality Gating: Blocking non-compliant merges via GitHub Actions.

When Not to Use

  • Web App Logic: Do not use for standard web vulnerabilities (XSS, SQLi); use dedicated SAST scanners.
  • Non-C Memory Analysis: The patch analyzer is optimized for C-logic; avoid using it for high-level languages like Python or JS.
  • Direct Resource Mutation: This is an auditor, not a deployment tool. It does not execute terraform apply or kubectl apply.
  • Post-Mortem Analysis: For analyzing why a previous AI session failed, use /analyze-project instead.

🤖 Generative AI Integration

AegisOps-AI leverages the Google GenAI SDK to implement a "Reasoning Path" for autonomous security and financial audits:
  • Neural Patch Analysis: Performs semantic code reviews of Linux Kernel patches, moving beyond simple pattern matching to understand complex memory state logic.
  • Intelligent Cost Synthesis: Processes raw Terraform plan diffs through a financial reasoning model to detect high-risk resource escalations and "silent" fiscal drifts.
  • Natural Language Policy Mapping: Translates human security intent into syntactically correct, hardened Kubernetes securityContext configurations.

🧭 Core Modules

1. 🐧 Kernel Patch Reviewer (patch_analyzer.py)

  • Problem: Manual review of Linux Kernel memory safety is time-consuming and prone to human error.
  • Solution: Gemini 3 performs a "Deep Reasoning" audit on raw Git diffs to detect critical memory corruption vulnerabilities (UAF, Stale State) in seconds.
  • Key Output: analysis_results.json

2. 💰 FinOps & Cloud Auditor (cost_auditor.py)

  • Problem: Infrastructure-as-Code (IaC) changes can lead to accidental "Silent Disasters" and massive cloud bill spikes.
  • Solution: Analyzes terraform plan output to identify cost anomalies, such as accidental upgrades from t3.micro to high-performance GPU instances.
  • Key Output: infrastructure_audit_report.json
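
A deterministic pre-check for the instance-type escalation described above, run on the JSON form of a plan (terraform show -json <planfile>). This is an added example, not code from cost_auditor.py; the GPU family watch list, the function names and the sample plan are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
PLAN_JSON = """
{"resource_changes": [
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["update"],
              "before": {"instance_type": "t3.micro"},
              "after": {"instance_type": "p4d.24xlarge"}}},
  {"address": "aws_instance.batch[0]", "type": "aws_instance",
   "change": {"actions": ["create"], "before": null,
              "after": {"instance_type": "g5.xlarge"}}},
  {"address": "aws_instance.bastion", "type": "aws_instance",
   "change": {"actions": ["no-op"],
              "before": {"instance_type": "t3.micro"},
              "after": {"instance_type": "t3.micro"}}},
  {"address": "aws_instance.old", "type": "aws_instance",
   "change": {"actions": ["delete"],
              "before": {"instance_type": "g5.xlarge"}, "after": null}}
]}
"""
PLAN = json.loads(PLAN_JSON)

# Assumed watch list of GPU-backed EC2 families; extend it for your account.
GPU_FAMILIES = ("p3", "p4d", "p5", "g4dn", "g5", "g6")


def family(instance_type):
    """'p4d.24xlarge' -> 'p4d'; None stays None (new resource or unknown value)."""
    return instance_type.split(".", 1)[0] if instance_type else None


def gpu_escalations(plan):
    """Return (address, before, after) for instances that move into a GPU family."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        # Only creates, updates and replaces can add cost; skip no-op and delete.
        if rc.get("type") != "aws_instance" or not {"create", "update"} & set(change.get("actions", [])):
            continue
        before = (change.get("before") or {}).get("instance_type")
        after = (change.get("after") or {}).get("instance_type")
        if family(after) in GPU_FAMILIES and family(before) != family(after):
            findings.append((rc["address"], before, after))
    return findings


if __name__ == "__main__":
    for address, before, after in gpu_escalations(PLAN):
        print(f"REVIEW {address}: {before} -> {after}")
```

A non-empty result is a reason to stop the pipeline for human review before any apply step runs.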

3. ☸️ K8s Policy Hardener (k8s_policy_generator.py)

  • Problem: Implementing "Least Privilege" security contexts in Kubernetes is complex and often neglected.
  • Solution: Translates natural language security requirements into production-ready, hardened YAML manifests (Read-only root FS, Non-root enforcement, etc.).
  • Key Output: hardened_deployment.yaml

🛠️ Setup & Environment

1. Clone the Repository

bash
git clone https://github.com/Champbreed/AegisOps-AI.git
cd AegisOps-AI

2. Setup

bash
python3 -m venv venv
source venv/bin/activate
pip install google-genai python-dotenv

3. API Configuration

Create a .env file in the root directory to securely store your credentials:
bash
echo "GEMINI_API_KEY='your_api_key_here'" > .env

🏁 Operational Dashboard

To execute the full suite of agents in sequence and generate all security reports:
bash
python3 main.py

Pattern: Over-Privileged Container

  • Indicators: allowPrivilegeEscalation: true or root user execution.
  • Investigation: Pass security intent (e.g., "non-root only") to the K8s Hardener module.
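
The indicators above can be checked statically on a parsed manifest, including the case where a container overrides a hardened pod-level securityContext. This is an added example, not code from the AegisOps-AI repository; audit_containers and the sample Deployment are constructed for illustration, and the check also covers the read-only root filesystem setting named under the K8s Policy Hardener.

```python
# SAMPLE_DEPLOYMENT is constructed; in practice, parse the manifest with a YAML loader.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [
            {"name": "api", "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True}},
            # Overrides the pod-level user and leaves escalation unset.
            {"name": "sidecar", "securityContext": {"runAsUser": 0}},
        ],
    }}},
}


def audit_containers(deployment):
    """Return {container_name: [findings]} for a Deployment-shaped dict."""
    pod = deployment["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    report = {}
    for c in pod.get("initContainers", []) + pod["containers"]:
        sc = c.get("securityContext") or {}
        # Container-level runAsUser/runAsNonRoot take precedence over pod-level values.
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        findings = []
        # An unset field does not block escalation; only an explicit false does.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append("allowPrivilegeEscalation not set to false")
        if sc.get("privileged"):
            findings.append("privileged container")
        if run_as_user == 0:
            findings.append("runs as UID 0")
        elif not non_root and run_as_user is None:
            findings.append("no non-root enforcement (image user decides)")
        # readOnlyRootFilesystem exists only at container level.
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append("root filesystem is writable")
        report[c["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_DEPLOYMENT).items():
        print(name, "OK" if not findings else findings)
```

Running the same check on hardened_deployment.yaml before staging confirms that every container, not only the pod, carries the intended settings.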

💡 Best Practices

  • Context is King: Provide at least 5 lines of context around Git diffs for more accurate neural reasoning.
  • Continuous Gating: Run the FinOps auditor before every infrastructure change, not after.
  • Manual Sign-off: Use AI findings as a high-fidelity signal, but maintain human-in-the-loop for kernel-level merges.

🔒 Security & Safety Notes

  • Key Management: Use CI/CD secrets for GEMINI_API_KEY in production.
  • Least Privilege: Test "Hardened" manifests in staging first to ensure no functional regressions.

Limitations

  • Use this skill only when the task clearly matches the scope described above.
  • Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
  • Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.