Solutions · Agent workloads
Security scanner.
A GPU-backed remoco runs nightly security scans across your fleet: SAST on the source, DAST against deployed envs, SBOM generation, CVE matching. The agent writes a daily summary, files issues for findings, and archives the full report as a Remoco artifact.
What you need
- A GitHub org with repos to scan
- A remoco workstation (gpu-l4 — the GPU accelerates ML-based SAST)
- Your issue tracker creds in Doppler
- A cron schedule (nightly 2h window is plenty for ~50 repos)
Deploy to a remoco
Paste into Claude Code or Codex
claudecodex
# nightly security scanner on a gpu-l4 remoco
provision a gpu-l4-class remoco named sec-scanner.
install: semgrep · trivy · syft · grype · claude code.
pull our org repo list via gh api orgs/<org>/repos and
stash it at ~/code/scanner/repos.json.
schedule a cron at 02:00 local that:
1. clones each repo (shallow, main branch)
2. runs semgrep · trivy · syft for each
3. aggregates findings with claude into a prioritized report
4. files issues for high+critical in our tracker via doppler-injected creds
5. publishes the full report as a remoco artifact
6. emails a daily digest with the artifact URL
hand me the cron's next-fire time + the artifact URL template.
Why GPU
Modern SAST tools increasingly ship ML-based false-positive reduction. The L4 handles it locally, keeping scans under the 2-hour budget. If you're running simpler ruleset-only scanners (trivy, grype), you can drop to standard and save the GPU cost.
Cost
gpu-l4 class · 2h/day × 31d = 62 hrs/mo. After 40 hrs included, 22 billable × $1.04 = $22.88. Plus $40 plan, ~$12 disk, small egress = ~$75/mo before the $40 credit.