AI as Security Orchestrator: An Introduction To Darnit - Michael Lieberman, Kusari

OpenSSF
Jun 4, 2026

Why It Matters

Darnit automates security compliance work: deterministic checks enforce policy, and an LLM is brought in only for ambiguous findings and remediation, so developers can focus on code while compliance stays consistent across large code portfolios.

Key Takeaways

  • Darnit orchestrates security audits, data collection, and remediation automatically.
  • Uses deterministic checks first, then LLMs for ambiguous findings.
  • Generates compliance reports and auto‑fixes missing security artifacts.
  • Integrates with existing validation tools such as OpenSSF Scorecard, Privateer, and Minder, and with the GitHub APIs for remediation PRs.
  • Enables CI/CD gating and scalable project‑wide security enforcement.

Summary

The video introduces Darnit, a framework and CLI tool that acts as a security orchestrator for software projects. It automates audit, data collection, and conformance checks, aiming to relieve developers and open‑source maintainers of the growing burden of keeping up with security standards such as OpenSSF Scorecard, the OpenSSF Security Baseline, and post‑quantum readiness. The central design is a two‑stage approach: deterministic checks run first, and only ambiguous or missing data triggers pattern matching and large language model (LLM) assistance. Darnit installs modular "skills" that invoke tools exposed over MCP (Model Context Protocol) for the deterministic checks and can fall back to LLM‑assisted remediation, generating attestations and compliance artifacts along the way. During the live demo, the presenter runs Darnit against a fork of the Git‑tough project, showing how it discovers missing files such as SECURITY.md, MAINTAINERS.md, and governance docs, then prompts the user or uses the LLM to fill the gaps. The tool auto‑generates pull requests that add branch protection, software composition analysis (SCA) checks, threat‑model templates, and other Baseline requirements, ultimately reaching 100% compliance in the demo. The result is a repeatable security workflow that can be embedded in CI/CD pipelines and scaled across an organization’s codebase while reducing manual effort and error. By combining deterministic policy enforcement with AI‑driven remediation, Darnit aims at faster compliance, consistent documentation, and lower operational risk for development teams.

Original Description

AI as Security Orchestrator: An Introduction To Darnit - Michael Lieberman, Kusari
There's a million security tools, specifications, formats, models, schemas, and the list goes on. The problem of keeping up to date on security best practices seems insurmountable even for experienced practitioners. The problem is even worse for your average open source developer who wants to focus on features, not integrating the latest security and compliance tooling.
In this talk you'll see how AI can be utilized to integrate with existing open source security validation tools like OpenSSF Scorecard, Privateer, Minder, and then use the data from that along with the context of a project to enable AI guided remediation.
This talk will introduce Darnit, a framework for architecting and implementing this pattern. It is an MCP/Agentic framework that:
1. Loads controls and context about a project
2. Runs an audit utilizing deterministic and heuristic tools
3. Gathers context not found in the audit and confirms with user about anything not clear and stores it.
4. Re-audits
5. Automatically remediates any issues discovered, and falls back to manual suggestions where it can't.
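The five-step loop above, as an added illustration that is not Darnit's code and borrows nothing from its implementation: a deterministic audit over a constructed repository, remediation that writes templates for hard failures and hands only ambiguous findings to a pluggable resolver (the LLM or user step), a re-audit, and a CI gate on the resulting score. The control set, templates, file names, regex heuristics and the `resolver` callback are all assumptions made for the example.

```python
import json
import os
import re
import tempfile
from dataclasses import dataclass, asdict
from typing import Callable, Optional

# Constructed control set (an assumption, not Darnit's policy): each required
# file plus a regex heuristic that decides whether its content looks complete.
CONTROLS = {
    "SECURITY.md": (r"(?i)report", "a vulnerability reporting contact"),
    "MAINTAINERS.md": (r"@", "at least one maintainer handle"),
    "GOVERNANCE.md": (r"(?i)decision", "a decision-making process"),
}

# Templates used for fully automatic remediation of a missing file (constructed).
TEMPLATES = {
    "SECURITY.md": "# Security Policy\n\nPlease report vulnerabilities privately.\n",
    "MAINTAINERS.md": "# Maintainers\n\n- @example-maintainer\n",
    "GOVERNANCE.md": "# Governance\n\nDecisions are made by maintainer consensus.\n",
}


@dataclass
class Finding:
    control: str
    status: str  # "pass", "fail" or "ambiguous"
    detail: str


def audit(repo: str) -> list:
    """Stage 1: deterministic checks. A missing file is a hard failure; a file
    that exists but fails the content heuristic is marked ambiguous."""
    findings = []
    for name, (pattern, hint) in CONTROLS.items():
        path = os.path.join(repo, name)
        if not os.path.isfile(path):
            findings.append(Finding(name, "fail", "file missing"))
            continue
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        if re.search(pattern, text):
            findings.append(Finding(name, "pass", "ok"))
        else:
            findings.append(Finding(name, "ambiguous", "could not confirm " + hint))
    return findings


# Resolver: the LLM or user step. Returns text to add, or None when it cannot help.
Resolver = Callable[[str, str], Optional[str]]


def remediate(repo: str, findings: list, resolver: Resolver) -> list:
    """Stage 2: auto-fix hard failures from templates; escalate ambiguous
    findings to the resolver and fall back to a manual suggestion on None."""
    actions = []
    for f in findings:
        path = os.path.join(repo, f.control)
        if f.status == "fail":
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(TEMPLATES[f.control])
            actions.append(f"created {f.control} from template")
        elif f.status == "ambiguous":
            answer = resolver(f.control, f.detail)
            if answer is None:
                actions.append(f"manual suggestion for {f.control}: {f.detail}")
            else:
                with open(path, "a", encoding="utf-8") as fh:
                    fh.write("\n" + answer.strip() + "\n")
                actions.append(f"appended resolver answer to {f.control}")
    return actions


def score(findings: list) -> int:
    """Percent of controls passing, rounded to an integer."""
    return round(100 * sum(f.status == "pass" for f in findings) / len(findings))


def run(repo: str, resolver: Resolver) -> dict:
    """Audit, remediate, re-audit; return a JSON-serialisable report."""
    before = audit(repo)
    actions = remediate(repo, before, resolver)
    after = audit(repo)
    return {"before": score(before), "after": score(after),
            "actions": actions, "findings": [asdict(f) for f in after]}


def gate(report: dict, threshold: int = 100) -> bool:
    """CI/CD gate: pass only if the post-remediation score meets the threshold."""
    return report["after"] >= threshold


def demo() -> dict:
    """Constructed repository: GOVERNANCE.md complete, SECURITY.md present but
    without a reporting contact, MAINTAINERS.md missing."""
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "GOVERNANCE.md"), "w", encoding="utf-8") as fh:
            fh.write("# Governance\n\nDecision making: lazy consensus.\n")
        with open(os.path.join(repo, "SECURITY.md"), "w", encoding="utf-8") as fh:
            fh.write("# Security Policy\n\nWe take security seriously.\n")

        def resolver(control, detail):  # stand-in for the LLM/user step
            if control == "SECURITY.md":
                return "Report vulnerabilities to security@example.org."
            return None

        return run(repo, resolver)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed repository the first audit passes one of three controls; after remediation the missing MAINTAINERS.md is created from a template, the ambiguous SECURITY.md gets the resolver's reporting contact appended, and the re-audit scores 100, so the gate passes. Keeping the resolver behind a narrow callback is what lets the deterministic stage stay authoritative: the LLM never decides whether a control passes, it only supplies content that the next deterministic audit re-checks.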
