Trident takes an AI-generated, human-approved approach to remediation. Sentinel, Trident’s security AI, analyzes each finding or attack path and produces a concrete fix — an IAM policy scope reduction, a Terraform change, a Kubernetes RBAC patch, or a cloud guardrail policy. Sentinel then opens a draft pull request in your repository so your team reviews, tests, and merges on your own schedule. No change is ever applied to your infrastructure without your explicit approval.
Trident opens pull requests as drafts only. Your infrastructure is never modified automatically. A human must review, approve, and merge the PR before any change takes effect.

Remediation workflow

1. A finding or attack path appears in the dashboard

Cloud findings surface in Cloud → Findings and attack paths in Cloud → Attack Paths on the Trident dashboard. Each item shows its severity, the assets involved, and the rule that fired.

2. Click Generate Fix

Open a finding or attack path and click Generate Fix. This invokes Sentinel, which reads the full path context — involved assets, IAM policies, blast radius, and the specific predicate that fired — and produces a draft fix artifact.

3. Sentinel produces the draft fix

Sentinel generates the remediation artifact appropriate for the finding type: an IAM policy JSON reduction, a Terraform resource change, a Kubernetes RBAC manifest, a Cloud Custodian policy, or secret rotation guidance. Sentinel also writes a synthetic test — a policy simulation or OPA assertion — that validates the fix closes the specific path it was generated for. If the test fails, Sentinel revises and retries before proposing the PR.

4. Preview the diff in the dashboard

The dashboard displays the full diff of the proposed change inline. Review the artifact, the synthetic test, and Sentinel’s reasoning before proceeding. You can edit the artifact directly in the diff view if you want to adjust scope.

5. Click Open PR

Click Open PR to trigger Trident’s GitHub App. The App creates a draft pull request in the repository you configured, targeting your default branch. The PR description includes the finding title, the attack path explanation, the synthetic test result, and a link back to the Trident dashboard finding for traceability.

6. Your team reviews, tests, and merges

Assign the PR to your infrastructure or security team. Run your normal CI pipeline — Trident’s generated tests can run as part of it. Mark the PR ready for review, get approvals, and merge. After merging, Trident’s next scan cycle re-evaluates the finding and marks it Verified if the path is closed.

GitHub App integration

The GitHub App is required for automated PR creation. Connect it once per project:
  1. Go to Settings → Integrations → GitHub in the Trident dashboard.
  2. Click Install GitHub App and authorize Trident on your organization or the specific repositories you want to receive PRs in.
  3. Select the target repository where Sentinel should open remediation PRs.
Once connected, the Open PR button becomes available on every finding that has a generated fix artifact. For full setup instructions, see /integrations/github.

Fix types

Sentinel generates different artifact types depending on the finding category:

IAM policy scoping

Reduces over-broad Allow * statements to the minimum set of actions and resources the identity actually needs. Delivered as inline policy JSON or a Terraform aws_iam_policy resource change.

Secret rotation guidance

For findings involving leaked or long-lived credentials, Sentinel generates rotation runbooks and, where applicable, Terraform or AWS CLI commands to rotate the secret and update references.

Network exposure reduction

Tightens security group rules or network ACLs that expose services to 0.0.0.0/0. Delivered as Terraform diffs or CloudFormation patches.

Kubernetes RBAC changes

Scopes ServiceAccount permissions, removes wildcard verbs from ClusterRoles, and generates least-privilege Role manifests for pods flagged in attack paths.

Agent permission reduction

For agent_injection_priv_role findings, Sentinel generates a replacement IAM role with the minimum permissions the agent’s tool calls actually require, based on observed CloudTrail activity.

Cloud guardrail policies

Kyverno, Conftest/Rego, CloudFormation Guard, and Cloud Custodian policies that prevent the misconfiguration from re-appearing after you fix the current instance.

Cloud guardrails in AUDIT mode

Every guardrail policy Sentinel generates starts in AUDIT mode. In AUDIT mode the policy logs violations — it does not block or alter any traffic or deployments. This lets you validate that the policy catches the right things and does not produce false positives before you commit to enforcement. When you are ready to enforce:
  1. Open the guardrail policy file in your repository.
  2. Change the mode annotation or action flag from Audit to Enforce (the exact field depends on the policy format — Sentinel comments the toggle location in every generated file).
  3. Open a second PR with the mode change and merge it through your normal review process.
Leave guardrails in AUDIT mode for at least one full deploy cycle in a non-production environment before switching to ENFORCE in production. This catches edge cases where legitimate workloads trigger the rule.

The self-validating fix agent

Sentinel does not just generate a fix and stop. Before proposing any PR, it runs a self-validation loop:
  1. Generate the fix artifact.
  2. Write a synthetic test — a policy simulation call, an OPA deny assertion, or a conftest test that should pass once the fix is applied.
  3. Judge whether the test passes against the proposed artifact.
  4. Retry with a revised artifact if the test fails, up to three attempts.
Only fixes that pass their own synthetic test are proposed as PRs. This substantially reduces the number of PRs that close a finding in the dashboard but do not actually eliminate the underlying path.
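As an added example (not Trident's or Sentinel's own code), the loop above can be approximated locally for the IAM policy scoping fix type: a small policy simulator stands in for the "policy simulation" synthetic test, the test checks that a candidate artifact closes a constructed attack-path step while keeping the identity's legitimate access, and the retry loop stops at three attempts. The policies, account id, role and bucket names are constructed placeholders, and the simulator ignores conditions, resource policies and SCPs.

```python
import re

# Constructed attack-path step and legitimate need (placeholders, not from Trident).
PATH_ACTION, PATH_RESOURCE = "iam:PassRole", "arn:aws:iam::123456789012:role/admin"
NEED_ACTION, NEED_RESOURCE = "s3:GetObject", "arn:aws:s3:::app-assets/config.json"

def _match(pattern: str, value: str, fold_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    if fold_case:  # action names are case-insensitive; ARNs are not
        pattern, value = pattern.lower(), value.lower()
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def simulate(policy: dict, action: str, resource: str) -> bool:
    """Local stand-in for a policy simulation call: True if the identity policy
    allows `action` on `resource`. An explicit Deny wins over any Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        hit = (any(_match(a, action, True) for a in _as_list(stmt.get("Action")))
               and any(_match(r, resource, False) for r in _as_list(stmt.get("Resource"))))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def synthetic_test(policy: dict) -> bool:
    """The assertion the loop judges: the fix must close the attack-path step
    and must keep the access the identity legitimately needs."""
    return (not simulate(policy, PATH_ACTION, PATH_RESOURCE)
            and simulate(policy, NEED_ACTION, NEED_RESOURCE))

def first_passing(candidates: list, max_attempts: int = 3):
    """Retry loop: (attempt number, policy) for the first candidate that passes
    its synthetic test, or None if no candidate passes within max_attempts."""
    for n, cand in enumerate(candidates[:max_attempts], start=1):
        if synthetic_test(cand):
            return n, cand
    return None

OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Attempt 1 drops 'Allow *' but still lets the role pass any role: path stays open.
ATTEMPT_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}]}
# Attempt 2 scopes to the observed need only: path closed, need preserved.
ATTEMPT_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-assets/*"}]}

if __name__ == "__main__":
    print(first_passing([ATTEMPT_1, ATTEMPT_2]))  # second attempt is the one proposed
```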

Manual remediation

If you prefer not to use the GitHub integration, every generated fix is also available as copyable code in the dashboard. Click Copy Fix on any finding to copy the artifact to your clipboard and apply it manually. Manual remediation still tracks in Trident: when you mark a finding as Resolved in the dashboard, Trident’s next scan cycle verifies the path is closed and updates the finding status to Verified automatically.