Citizen Coder Governance
Citizen Coder Governance is included on the Enterprise plan.
What this is
Citizen Coder platforms — Replit, Lovable, Bolt, v0 / Vercel, Cursor, Windsurf — have made it trivial for non-engineers to ship working software with an AI assistant. That is great for velocity and terrifying for security teams: these apps rarely pass through a formal review, often hold secrets in the wrong place, and frequently call production APIs with no awareness of the blast radius.
Citizen Coder Governance discovers those apps, scores them against an 8-signal model, and grades them with an AppSec letter grade from A to F. You get a ranked list of apps that deserve attention before they make the news.
Discovery
The citizen-coder discovery layer (backend/behavry/discovery/citizen/) pulls app lists from:
- Replit — Teams / Deployments API
- Lovable — Projects API
- Bolt — Projects API
- v0 / Vercel — Projects API, filtered for v0-generated projects
- Cursor — Team activity feed + deployment metadata
- Windsurf — Team workspace API
Connectors live under backend/behavry/discovery/connectors/ and are configured per-tenant in Settings → Integrations. A single scheduled sync task (sync_task.py) refreshes all citizen-coder sources every hour by default.
The 8 signals
Each discovered app is scored on 8 signals. The result is a weighted score and a letter grade.
| Signal | What it measures |
|---|---|
| Secret exposure | Secrets in source / env, rotated recently, scoped properly |
| Auth | Authentication present, password policy, SSO configured |
| Data egress | External API calls, where they go, whether they're on an allow-list |
| Input validation | Forms/inputs validated, sanitized, rate-limited |
| Dependency hygiene | Dependency ages, known-vulnerable versions, CVE count |
| Infra exposure | Publicly reachable? Behind a VPN? Debug routes disabled? |
| Telemetry | Errors logged, crash reports, audit trail |
| Ownership | Has a named owner, active maintainer, review cadence |
Signals are computed by the classifier in backend/behavry/discovery/classifier.py, which combines live connector data with a static rule set.
Grades
| Grade | Meaning | Typical action |
|---|---|---|
| A | Clean across all signals | Monitor |
| B | Minor issues in 1–2 signals | Owner FYI |
| C | Real issues in 2–3 signals | Require review |
| D | Multiple critical signals failing | Require remediation before continued use |
| F | Dangerous configuration (exposed secrets, public data egress, no auth) | Quarantine immediately |
Grades are recomputed every sync. When a grade drops (e.g. B → D), an alert fires and the app owner is notified.
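The following is an added illustration of how the 8 signals, the weighted score, the grade overrides from the table above and the grade-drop alert fit together; it is not Behavry's classifier, and the weights, the 0-100 score bands and the "critical" threshold are assumptions (the page gives only the signal names, grades and actions).

```python
"""Illustrative 8-signal scoring for a discovered citizen-coder app (added example)."""

SIGNALS = ("secret_exposure", "auth", "data_egress", "input_validation",
           "dependency_hygiene", "infra_exposure", "telemetry", "ownership")

# Assumed weights summing to 1.0; the real model's weights are not on the page.
WEIGHTS = {"secret_exposure": 0.20, "auth": 0.15, "data_egress": 0.15,
           "input_validation": 0.10, "dependency_hygiene": 0.10,
           "infra_exposure": 0.15, "telemetry": 0.05, "ownership": 0.10}

# Signals whose outright failure is the "dangerous configuration" of grade F.
DANGEROUS = ("secret_exposure", "data_egress", "auth")
CRITICAL_BELOW = 0.3   # assumed: a signal scoring under this is "critical"
GRADE_ORDER = "ABCDF"  # best to worst


def weighted_score(signals: dict) -> float:
    """Weighted 0-100 score; each signal is 0.0 (failing) .. 1.0 (clean)."""
    missing = set(SIGNALS) - set(signals)
    if missing:
        raise ValueError(f"missing signals: {sorted(missing)}")
    return round(100 * sum(WEIGHTS[s] * signals[s] for s in SIGNALS), 1)


def grade(signals: dict) -> str:
    """Letter grade with the hard overrides implied by the grade table:
    a dangerous signal failing outright is F regardless of the rest, and
    multiple critical signals cap the grade at D."""
    if any(signals[s] == 0.0 for s in DANGEROUS):
        return "F"
    if sum(1 for s in SIGNALS if signals[s] < CRITICAL_BELOW) >= 2:
        return "D"
    score = weighted_score(signals)          # assumed bands below
    for letter, floor in (("A", 95), ("B", 85), ("C", 70)):
        if score >= floor:
            return letter
    return "D"


def grade_dropped(previous: str, current: str) -> bool:
    """True when a re-sync lowered the grade (e.g. B -> D), i.e. an alert should fire."""
    return GRADE_ORDER.index(current) > GRADE_ORDER.index(previous)
```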
Dashboard
Discovery → Citizen Coder shows:
- Apps grouped by platform with their grades
- Filters: grade, platform, owner, tenant tag
- Per-app drawer with the full signal breakdown, remediation tips, and a link back to the upstream platform
API
Routes: backend/behavry/discovery/citizen/ + routes.py.
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/discovery/citizen | List discovered apps with grades |
| GET | /api/v1/discovery/citizen/{id} | App detail with signal breakdown |
| POST | /api/v1/discovery/citizen/sync | Force a sync now |
| POST | /api/v1/discovery/citizen/{id}/quarantine | Mark an F-graded app as quarantined |
Related
- AI Surface Mapping — citizen apps are a subclass of discovered AI assets
- AI Asset Dependency & Data Lineage — citizen apps appear in the dependency graph
- DLP Scanner — runs against content flowing through discovered apps where we have visibility