
How a frog made me fall in love with custom GitHub agents

Shoutout to the brilliant Matteo Bianchi, Solutions Engineer at GitHub, who set up the little frog that brings a smile to my face every time it comes into my view.

Why security still frustrates developers

Security is hard. We’ve all seen time and time again how even big companies with huge security divisions fall prey to simple attacks by deploying insecure code to production. But it doesn’t have to be that hard.

One of the reasons security and compliance can feel like a horrible toll is that they are handled far away from the code. Developer experience takes a hit when proud devs, ready to ship their cool new feature, are blocked by a separate team quoting findings surfaced in an obscure tool no dev has ever opened.

I love SonarQube, but wow, have I seen many examples of it being something most developers in the team never open, with all the scans kept there merely because someone said we had to. And that defeats the whole purpose.

How GitHub Advanced Security (GHAS) brings security into the workflow

When I started working with GHAS, I was really happy that it was a way of incorporating security and compliance right where the devs already work, using the tools they use every day. Vulnerable dependencies get fixed by automatic pull requests that devs can review while they are in there reviewing pull requests from colleagues anyway, and with CodeQL and Copilot Autofix we moved even further, automatically fixing the security holes in the cheese.


A custom GitHub agent that fixes vulnerabilities

So… now is probably the time to introduce my favorite security frog.


The frog is a custom agent built by Matteo. It pulls info from the GHAS API, so it can extract all vulnerabilities related to a repo, then hop from vulnerability to vulnerability and fix them all in one PR to secure its pond, all while writing "ribbit" and putting a small frog emoji in the PR title.

Not only does the little froggy PR make me happy by being whimsical, playful, and hilarious; it is also an agent that ensures security fixes are ready as soon as a vulnerability is discovered. I will simply be pinged by my frog when the fix is ready for review.

A frog hopping through vulnerabilities while croaking might not be for everyone, but that's really the power of the custom agent. If you prefer any other personality, weird nerdy references to your favorite hobby, or just plain simple fixes, you choose what works for you and your team.

For me, the whimsical nature of the security frog was exactly what made me fall in love with the whole concept of custom agents, because it made security fixes fun. I am looking forward to reading how it has rid its pond of threats, rather than dreading yet another automated PR (sometimes I do prefer to write code rather than review it :p ).


Build your own security frog: Setup in minutes

In case all you think about now is how you get your own security frog hopping through vulnerabilities, here’s what you need:

As the security frog traverses the GHAS API to find out what to fix, a prerequisite will, of course, be to set up GHAS with Dependabot and CodeQL, so that it has access to a neat list of what needs fixing. You also need to have Copilot up and running in order to set up a custom coding agent on top.
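To make that "neat list" concrete, here is an added example (not code from the post, nor from the frog agent itself) that normalizes open Dependabot and CodeQL code scanning alerts for one repo into a single worklist, most severe first, and builds the froggy PR title. The field names are assumed to follow the response shape of the REST endpoints `/repos/{owner}/{repo}/dependabot/alerts` and `/repos/{owner}/{repo}/code-scanning/alerts`; the sample payloads are constructed and the live fetch is only needed when you point it at a real repo.

```python
import json
import urllib.request

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def fetch_open_alerts(owner, repo, kind, token):
    """Live call for kind 'dependabot' or 'code-scanning'; the offline sample below skips it."""
    url = f"https://api.github.com/repos/{owner}/{repo}/{kind}/alerts?state=open&per_page=100"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def normalize_dependabot(alert):
    """Flatten a Dependabot alert to source/number/severity/title/location."""
    adv, dep = alert["security_advisory"], alert["dependency"]
    return {"source": "dependabot", "number": alert["number"],
            "severity": adv["severity"].lower(),
            "title": f'{dep["package"]["name"]}: {adv["summary"]}',
            "location": dep["manifest_path"]}

def normalize_code_scanning(alert):
    """Same flattening for a CodeQL alert; prefer the security severity over the rule level."""
    rule, loc = alert["rule"], alert["most_recent_instance"]["location"]
    sev = rule.get("security_severity_level") or rule["severity"]
    return {"source": "code-scanning", "number": alert["number"], "severity": sev.lower(),
            "title": f'{rule["id"]}: {rule["description"]}',
            "location": f'{loc["path"]}:{loc["start_line"]}'}

def build_worklist(dependabot_alerts, code_scanning_alerts):
    """Keep open alerts only (dismissed/fixed ones are skipped) and order most severe first."""
    items = [normalize_dependabot(a) for a in dependabot_alerts if a["state"] == "open"]
    items += [normalize_code_scanning(a) for a in code_scanning_alerts if a["state"] == "open"]
    return sorted(items, key=lambda i: (SEVERITY_RANK.get(i["severity"], 9), i["source"], i["number"]))

def pr_title(worklist):
    """One PR for the whole pond, frog emoji included."""
    return f"🐸 ribbit: fix {len(worklist)} security alert(s)"

# Constructed sample payloads: field names follow the REST API shape, values are made up.
SAMPLE_DEPENDABOT = [
    {"number": 7, "state": "open", "security_advisory": {"severity": "high", "summary": "Prototype pollution"},
     "dependency": {"package": {"name": "lodash"}, "manifest_path": "package-lock.json"}},
    {"number": 3, "state": "dismissed", "security_advisory": {"severity": "critical", "summary": "RCE"},
     "dependency": {"package": {"name": "old-lib"}, "manifest_path": "package-lock.json"}}]
SAMPLE_CODE_SCANNING = [
    {"number": 12, "state": "open", "rule": {"id": "js/sql-injection", "severity": "error",
     "security_severity_level": "critical", "description": "Database query built from user-controlled sources"},
     "most_recent_instance": {"location": {"path": "src/db.js", "start_line": 42}}}]
```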

You can find the awesome frog right here and try it out on your own repos today: https://github.com/github-community-projects/breath-of-copilot-universe-2025/blob/main/.github/agents/frog-sec-fixer.md

PS: The repository where you can find the fantastic frog is the demo repo built for the talk: Breath of Copilot: Level up your DevEx with GitHub Actions and GitHub Advanced Security. Matteo Bianchi and I gave this talk during GitHub Universe 2025.
