
AIDIT AI v1.1 — CycloneDX SBOM, 98 Tests, Full Compliance Layer

Big update since the initial submission. Here's what shipped:

CycloneDX 1.6 SBOM — now live
generate_provenance_report now produces a full CycloneDX 1.6 Software Bill of Materials alongside the JSON and Markdown report. Every package in the MR diff gets tagged with:

x-aidit:ai-introduced: true/false — was this package imported from an AI-generated file?
cisa:generation-context — designed to address the CISA 2025 SBOM draft Generation Context requirement
eu-cra:component-transparency — designed to support EU Cyber Resilience Act Art. 13 component transparency

The SBOM appears as a summary table in the GitLab MR comment so judges and reviewers see it inline — no digging through artifacts.
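To make the tagging concrete, here is an added example (not the project's own code) that builds a minimal CycloneDX 1.6 BOM from a constructed list of imports and attaches the three properties named above; the ImportedPackage type, the build_sbom helper and the non-boolean property values are assumptions for illustration.

```python
import json
from dataclasses import dataclass

# Added example, not AIDIT AI's implementation: emit a minimal CycloneDX 1.6 BOM
# whose components carry the per-package properties described in the update.
# Property values other than true/false are assumed vocabulary, not the project's.

@dataclass(frozen=True)
class ImportedPackage:
    name: str         # package name as it appears in the registry
    version: str      # pinned version, or "unknown" if the diff did not pin one
    ecosystem: str    # "pypi" or "npm" here (maven purls also need a group namespace)
    source_file: str  # file in the MR diff that introduced the import

def build_sbom(packages, ai_generated_files):
    """Return a CycloneDX 1.6 BOM (as a dict) with one component per package."""
    components = []
    for pkg in packages:
        ai_introduced = pkg.source_file in ai_generated_files
        components.append({
            "type": "library",
            "name": pkg.name,
            "version": pkg.version,
            "purl": f"pkg:{pkg.ecosystem}/{pkg.name}@{pkg.version}",
            "properties": [
                {"name": "x-aidit:ai-introduced", "value": str(ai_introduced).lower()},
                # assumed vocabulary: "ai-generated" vs "human-authored"
                {"name": "cisa:generation-context",
                 "value": "ai-generated" if ai_introduced else "human-authored"},
                {"name": "eu-cra:component-transparency", "value": "true"},
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "components": components}

def ai_introduced_names(sbom):
    """Names of components flagged as imported from an AI-generated file."""
    return sorted(c["name"] for c in sbom["components"]
                  if any(p["name"] == "x-aidit:ai-introduced" and p["value"] == "true"
                         for p in c["properties"]))

# Constructed sample: two imports from an MR diff, one from an AI-generated file.
SAMPLE_PACKAGES = [
    ImportedPackage("requests", "2.32.3", "pypi", "src/fetch.py"),
    ImportedPackage("left-pad", "1.3.0", "npm", "web/util.js"),
]
SAMPLE_AI_FILES = {"web/util.js"}

if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_PACKAGES, SAMPLE_AI_FILES), indent=2))
```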

98 tests, all green
Added direct unit tests for the three services that previously had no coverage: registry_client (PyPI/npm/Maven/Cargo parallel checks), anthropic_client (prompt builder + token budget), and gitlab_client (MR comment, inline notes, commit status). Went from 57 → 98 tests.

DEMO_MODE for judges
Set DEMO_MODE=true in .env and the server starts without an Anthropic API key. deep_review returns realistic mock findings — all other tools (AI detection, package scan, SBOM, pipeline gate) run fully against real data. No API key needed to evaluate the full workflow.

Production server live on Railway
https://aidit-ai-production.up.railway.app/health — up and responding. The GitLab Duo Agent calls this directly on every MR.

Compliance language tightened
Replaced "satisfies EU CRA / CISA" with "designed to support / designed to address" — more accurate given both regulations are still in draft/phased enforcement.

What AIDIT AI does (for new followers)
It's a GitLab Duo Agent that triggers on every Merge Request and answers: "Can we trust this AI-generated code to ship?"

① Detects AI-generated files (AST heuristics, no LLM call, < 3s)
② Scans every import against PyPI, npm, Maven, Cargo in parallel (catches slopsquatting)
③ Calls Claude for deep security review of AI-generated sections specifically
④ Generates AI Provenance Report: JSON + Markdown + CycloneDX 1.6 SBOM
⑤ Posts full analysis as GitLab MR comment with inline diff notes on CRITICAL findings
⑥ Blocks, warns, or passes the pipeline — automatically

Cost: ~$0.012 per MR. End-to-end: < 90 seconds.

Repo: https://gitlab.com/marianooss-group1/aidit-ai
