ACIQ - Automated Code Intelligence & Quality Due Diligence

ACIQ: One agent, three commands - scan, migrate, compare. Automated engineering due diligence that replaces $200K consulting with minutes of AI-powered risk analysis on GitLab Duo.

Comment

ACIQ — Engineering Intelligence Agent

Inspiration

Technical due diligence is a $200K+ manual process. PE firms and acquirers pay consultants weeks of time to audit codebases before writing a check. We asked: what if a GitLab Duo agent could do the same job in minutes?

What It Does

ACIQ is an all-in-one engineering intelligence agent built on the GitLab Duo Agent Platform. You talk to it in Duo Chat with three commands.

Dimension Example Exposure
Bus Factor $40K–$120K
Code Ownership $20K–$80K
Test Coverage $30K–$90K
Architecture $50K–$150K
Security $60K–$200K
Technical Debt $80K–$240K
Compliance $25K–$100K

scan

Runs a full due diligence scan across 7 risk dimensions using benchmarks from IBM, Gartner, and PagerDuty. Results are filed as a GitLab Issue with a risk scorecard, financial impact table, and remediation roadmap.

migrate

Assesses how hard it would be to move a project to a new platform. Scores CI/CD portability, platform lock-in, dependency health, infrastructure coupling, documentation readiness, and data complexity. Produces an effort estimate with cost ranges and an actionable migration checklist.

compare

Analyzes two projects side-by-side for M&A evaluation and produces a scorecard showing which project wins on each dimension, with a clear recommendation.

How We Built It

ACIQ is built entirely on the GitLab Duo Agent Platform using YAML-defined agents and flows. It uses over 25 GitLab platform tools including list_commits, gitlab_api_get, list_vulnerabilities, grep, find_files, and create_issue.

The system has 9 specialized agents: a master agent that handles all three commands, 7 standalone dimension analyzers, and a migration readiness agent. There are also 3 orchestration flows: Due Diligence, Compare, and Migration Readiness.

The master @ACIQ agent uses command routing in the system prompt to detect whether the user wants to scan, migrate, or compare, then executes the appropriate multi-phase workflow.

Full source available at gitlab.com/gitlab-ai-hackathon/participants/10965136.

Challenges We Ran Into

Flows not appearing in Duo Chat. The platform's @ picker only surfaces agents, not flows. We worked around this by building a master agent that replicates the full multi-phase workflow in a single prompt with command routing.

The 64 KiB prompt limit. Flow definitions have a hard size limit. We had to compress all prompts significantly while keeping analysis quality intact.

Timeout on large projects. Some public projects have massive histories that cause the agent to hit the 300-second timeout. We optimized analysis phases to be more targeted.

Keeping the catalog in sync. When we deleted agents, the catalog mapping file still referenced them and broke the sync pipeline. Required careful cleanup after every deletion.

Accomplishments We're Proud Of

One agent, three workflows. A single @ACIQ handles scan, migrate, and compare from natural language commands.

Financial framing. We translate abstract code quality into dollar exposure executives can act on — not just risk labels.

Actionable reports. GitLab Issues with scorecards, financial impact tables, remediation roadmaps, and migration checklists that teams can execute immediately.

Working catalog sync pipeline. Agents are live and registered in the GitLab AI Catalog, accessible to any group member.

What We Learned

Agents are far more reliable than flows for user-facing features on the current platform. Flows are powerful for orchestration but invisible to users in the Duo Chat picker. Building a smart routing layer inside a single agent gives you a simple interface with complex multi-phase behavior underneath.

Financial framing matters. The same finding lands very differently as "high technical debt" versus "$80K to $240K in remediation exposure with a 6x ROI on fixing it now."

What's Next for ACIQ

Trend tracking — run scans over time and surface whether risk is improving or worsening after each release.

PR-level risk checks — trigger a quick scan automatically when a merge request is opened.

Community health dimension — contributor diversity, response time, and issue triage quality as a new scoring dimension.

Compare expansion — extend compare mode to cover all 7 dimensions instead of the top 3.

Natural language queries — let users ask "what is the biggest risk in this project?" without needing command syntax.

Built With

  • gitlab
Share this project:

Updates