Security Magi
21 January 2026
Magi collects key security metrics in one place and displays them per-product.

Magi dashboard for care360
The Product
Magi is a prototype dashboard for product owners and developers to quickly view key security metrics related to their product in one place.
Problem Statement
Vulnerability Assessment and Penetration Testing (VAPT)
Products in OGP with a certain level of public exposure and data sensitivity are expected to complete regular external penetration testing exercises, depending on product resourcing status and other conditions.
However, formally tracking these conditions is challenging, especially when resourcing status transitions happen over a long period of time, or as product security risks evolve with the addition of new features.
Current processes for tracking this depend on external compliance, making it resource-intensive to keep data quality and reliability up to standard.
Magi makes this metric product-owned, easy to update with required stakeholders in the loop for non-standard flows, and clearly visible within the organisation.
Codescan
CodeQL and other static analysis findings currently alert the security team, who then triage the issue and in turn alert product engineers.
This adds to total resolution time and creates a heavy operations load on the security team, who may not always have the best context for the issue (especially across ~40 products).
Magi collects data on outstanding Codescan alerts for code repositories (repos) owned by each product and makes it highly visible per-product if a repo has an alert or requires an update in scanning configurations.
Wiz
Wiz is our Cloud Security Posture Management (CSPM) product and alerts on cloud security issues.
Similar to Codescan, Wiz currently alerts the security team before triaged issues are passed on to product engineers.
Per-product Wiz projects have been created, enabling Magi to easily collect per-product security issues and surface them directly to product owners.
Socket
Socket scans for 3rd-party dependency vulnerabilities with reachability analysis, resulting in high-signal alerts for supply chain risks.
Socket is currently being trialled — exposing findings from Socket via Magi will be part of the tool evaluation to determine if it can better move the needle on dependency vulnerabilities compared to Dependabot, a similar tool by GitHub.
Next Steps
The Magi prototype will test if increased security metric visibility per-product enables product teams to better self-own, triage and drive their security issues to resolution.