Overview
Once a week at Sunday 07:00 UK, rousseau runs govulncheck, npm audit, and a grep pass for common secret patterns across every repository under the workspace mount. It produces a digest and delivers it as a Signal message. Signal is chosen because the audit report should stay end-to-end encrypted in transit.
Prerequisites
- Signal transport working (
rousseau signal --account +…completes handshake). govulncheckandnpminstalled in the container image.- A workspace mount containing your repos.
Config
provider: claudecli
agent:
approver:
mode: pattern
default: deny
allow:
- {tool: read, match: ".*"}
- {tool: grep, match: ".*"}
- {tool: bash, match: "^(govulncheck ./...|npm audit --json|rg --hidden -e 'AWS_SECRET_ACCESS_KEY|-----BEGIN [A-Z]+ PRIVATE KEY-----|sk-[a-zA-Z0-9-]+' /workspace)"}
deny:
- {tool: bash, match: "rm |sudo|git push"}
signal:
account: "+447900123456"
allowlist:
- "+447900222222"
The bash allow list is deliberately narrow — the exact commands the audit needs, no more.
Register the cron job
rousseau cron add \
--name weekly-security-audit \
--schedule '0 7 * * SUN' \
--prompt 'For every repo under /workspace: (1) run govulncheck if it is a Go module, (2) run npm audit --json if package.json exists, (3) rg for common secret patterns. Summarise: total findings, top 5 by severity, any secret hits (with file:line). Under 1500 chars.' \
--deliver-to '+447900123456'
rousseau cron list
Launch
rousseau signal --account +447900123456 --allow +447900222222
The scheduler starts inside the signal daemon.
Verification
- Trigger the prompt manually via
rousseau chatand confirm the tool calls run in the expected order. - Wait for the next Sunday fire, or temporarily set
--schedule '*/5 * * * *'to smoke-test. - A Signal message lands at
+447900222222.
Failure modes
govulncheck: command not found— installgo install golang.org/x/vuln/cmd/govulncheck@latestinside the container image.npm auditslow or hangs on private registries — pin the registry URL withnpm config set registryin the image build.- False positives in secret grep — refine the regex to your project's key formats, and consider
truffleHogas a heavier alternative.