Inspiration

As an MSc student in Applied AI and Data Analytics, I’ve watched the AI Coding Revolution with both excitement and a touch of professional anxiety. While LLMs are incredible at accelerating development, they’ve introduced a new, silent killer in the software supply chain: Hallucinated Dependencies. I saw a future where a developer unknowingly merges a non-existent, AI-suggested library that is later hijacked by a malicious actor. I realized that AI suggestions need more than just a human-in-the-loop; they need an Autonomous Multi-Agent Guardrail. Aero-Audit was born from the idea that security should be a Blocking Gate, not just a notification.

What it does

Aero-Audit is a decoupled, serverless Security Operations Center (SOC) that lives on Google Cloud, polices GitLab repositories, and executes Autonomous Remediation.

  1. The Sentinel (Detection): Scans every Merge Request for dependencies and supply-chain anomalies.
  2. The Architect (Remediation): If a threat is detected, this agent ignores the compromised code and re-designs the function logic from scratch to ensure mathematical and security integrity.
  3. The Secretary (Orchestration): Executes the Solid Shutdown. It programmatically closes the malicious Merge Request to protect the main branch and opens a brand-new, secure remediation branch with the fix applied.

How we built it

The engine is a high-velocity, event-driven system built using:

  1. Google Cloud Functions: For a cost-optimized, serverless execution model that consumes zero idle power.
  2. Gemini 2.5 Flash: Leveraged for its massive context window and lightning-fast reasoning, allowing for real-time code auditing.
  3. Node.js 22 (LTS): Utilizing the latest asynchronous patterns for parallel agent execution.
  4. GitLab REST API v4: To act as a high-authority external auditor that functions outside the repository’s native (and potentially compromised) runner environment.
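
The Sentinel's dependency check and the Secretary's blocking gate can be sketched as follows. This is an added example, not Aero-Audit's own code: it uses a deterministic registry lookup instead of the Gemini audit, and the helper names, the `security-breach` label, the sample manifests and the package name `fastjson-turbo-utils` are all assumptions made for illustration.

```javascript
// Added example (not Aero-Audit's code). Sample manifests and the registry
// set below are constructed; "fastjson-turbo-utils" is a made-up name.

// Names declared in a package.json string (runtime and dev dependencies).
function declaredDeps(manifestText) {
  const m = JSON.parse(manifestText);
  return new Set([
    ...Object.keys(m.dependencies ?? {}),
    ...Object.keys(m.devDependencies ?? {}),
  ]);
}

// Dependencies the merge request introduces: present in head, absent in base.
function addedDeps(baseText, headText) {
  const base = declaredDeps(baseText);
  return [...declaredDeps(headText)].filter((name) => !base.has(name)).sort();
}

// Sentinel step: flag added names the registry lookup cannot resolve.
// existsInRegistry is injected (hypothetical helper) so the check runs offline.
async function auditMergeRequest(baseText, headText, existsInRegistry) {
  const unresolved = [];
  for (const name of addedDeps(baseText, headText)) {
    if (!(await existsInRegistry(name))) unresolved.push(name);
  }
  return { blocked: unresolved.length > 0, unresolved };
}

// Secretary step: GitLab REST API v4 requests that close the MR and label it.
// Returned as plain descriptors; the caller sends them with a project token.
function blockingGateRequests(apiBase, projectId, mrIid, finding) {
  if (!finding.blocked) return [];
  const mr = `${apiBase}/projects/${encodeURIComponent(projectId)}/merge_requests/${mrIid}`;
  return [
    { method: "POST", url: `${mr}/notes`,
      body: { body: `Unresolvable dependencies: ${finding.unresolved.join(", ")}` } },
    { method: "PUT", url: mr,
      body: { state_event: "close", add_labels: "security-breach" } },
  ];
}

// Constructed sample input.
const BASE = JSON.stringify({ dependencies: { express: "^4.19.2" } });
const HEAD = JSON.stringify({
  dependencies: { express: "^4.19.2", "fastjson-turbo-utils": "^1.0.0" },
  devDependencies: { jest: "^29.7.0" },
});
const KNOWN = new Set(["express", "jest"]); // stands in for a registry query
const lookup = async (name) => KNOWN.has(name);
```

A name that resolves is not thereby trustworthy, because the risk described above is a hallucinated name being registered later by someone else; an allowlist or a package-age check covers that case.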

Challenges we ran into

The biggest hurdle was the Sandbox limitation. Early in the project, I prototyped native GitLab Duo Agents (our RepoMan and Flow prototypes), but found the restricted environment too limiting for high-governance security tasks. I had to make a high-stakes Architectural Pivot to a decoupled GCP model. This required mastering the GitLab API for remote state management and engineering a Manual Trigger Simulation to mirror how an enterprise-grade Webhook would function in a locked-down repository.

Accomplishments that we're proud of

Seeing the system move from detecting a hallucinated library to physically closing the merge request and labeling it as a security breach, all without human intervention, was a great moment. I successfully turned a passive auditor into an active defender.

What we learned

I learned that the secret to reliable AI isn't only better prompt engineering, but Task Specialization. By splitting the engine into three distinct agents: The Sentinel, The Architect, and The Secretary, we eliminated task diffusion. This multi-agent consensus model proved far more reliable than a single-prompt approach, as each agent acted as a check and balance for the other.

What's next for Aero Audit

  1. Multi-Model Consensus: Integrating Vertex AI to run Consensus Audits where Gemini and Claude must both agree a fix is secure before it is proposed.
  2. Executive Dashboard: A UI for CISOs to visualize threats neutralized and compute savings in real-time.
  3. Auto-Merge Confidence: Implementing a threshold where low-risk, remediated patches are merged automatically, allowing developers to focus entirely on creative architecture while Aero-Audit handles the Plumbing Security.
