What it does
Antibody is an autonomous DevSecOps agent — Google ADK + Gemini 3 on Cloud Run — that turns a single failure signal into codebase-wide immunity. Two infection signals start the loop: a pasted production incident/postmortem, or a live, actively-exploited CVE pulled from public threat intel. From that signal, Gemini extracts the underlying vulnerability class (CWE) — the precise dangerous call pattern, not just a package name. The GitLab MCP's semantic code search then finds every instance of that class in your own first-party code, and the agent opens coordinated fix merge requests and commits a CI guard so the class can never silently regress. A human approves every merge — Antibody never merges on its own.
Why it complements GitLab
Dependency scanning tells you a package is vulnerable. Antibody does what scanning can't: it finds and remediates the same dangerous pattern across your first-party code, then installs a permanent CI guard against its return. It drives GitLab's own official MCP server, showcasing the platform rather than competing with Duo.
Key features
- Two infection signals — paste an incident/postmortem, or auto-pull live actively-exploited CVEs (CISA KEV via the NVD API) plus OSV dependency matches.
- Class extraction with Gemini 3 — a structural vulnerability signature searchable across any repo.
- Hybrid GitLab MCP — the official GitLab MCP server (OAuth, built-in semantic code search) is preferred; a self-hosted, PAT-backed FastMCP shim (no AI) is the deadline-safe fallback, so the hosted URL that judges test never breaks.
- Coordinated fix MRs — one per affected service, each with a minimal parameterized-query fix already applied.
- CI guard = immunity — the pipeline fails if the vulnerable pattern is ever reintroduced.
- Human-in-the-loop — the agent hands you a severity-grouped report to approve.
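One way the CI guard described above could work, shown as an added example that is not Antibody's own code. It assumes the extracted class is SQL injection (CWE-89, in line with the parameterized-query fix mentioned above) and that the guarded code is Python; `find_violations`, `SINK_METHODS` and the sample source are hypothetical and constructed for illustration.

```python
import ast
import pathlib
import sys

# Assumption: the vulnerable pattern is a string built from runtime values
# and passed as the first argument to a DB-API style execute() call.
SINK_METHODS = {"execute", "executemany"}
_RUNTIME = (ast.Name, ast.Attribute, ast.Subscript, ast.Call, ast.FormattedValue)

def _is_dynamic_sql(node: ast.expr) -> bool:
    """True when the expression assembles SQL text from runtime values."""
    if isinstance(node, ast.Call):  # "...".format(x)
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    concat = isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod))
    if isinstance(node, ast.JoinedStr) or concat:  # f"...{x}", "..." + x, "..." % x
        # Constant-only concatenation and placeholder-free f-strings are safe.
        return any(isinstance(n, _RUNTIME) for n in ast.walk(node))
    return False

def find_violations(source: str, filename: str = "<memory>") -> list[tuple[str, int]]:
    """Return (filename, line) for every execute() call fed dynamic SQL."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINK_METHODS and node.args
                and _is_dynamic_sql(node.args[0])):
            hits.append((filename, node.lineno))
    return sorted(hits)

# Constructed sample: four regressions, then the parameterized form and a
# constant-only concatenation that the guard must not flag.
SAMPLE = '''
def bad(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = " + uid)
    cur.execute(f"SELECT * FROM users WHERE id = {uid}")
    cur.execute("SELECT * FROM users WHERE id = %s" % uid)
    cur.execute("SELECT * FROM users WHERE id = {}".format(uid))

def good(cur, uid):
    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))
    cur.execute("SELECT 1 " + "FROM dual")
'''

if __name__ == "__main__":
    found = []
    for root in sys.argv[1:] or ["."]:
        for path in pathlib.Path(root).rglob("*.py"):
            found += find_violations(path.read_text(encoding="utf-8"), str(path))
    for name, line in found:
        print(f"{name}:{line}: SQL built from runtime values passed to execute()")
    sys.exit(1 if found else 0)  # non-zero exit fails the pipeline job
```

A query assembled in a variable first and passed to `execute()` by name is not caught by this check; that case needs data-flow analysis rather than a single-call pattern.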
How we built it
Google Agent Development Kit (ADK) · Gemini 3 (gemini-3-flash-preview) on Vertex AI · Cloud Run (python:3.11-slim + uv, served by get_fast_api_app()) · GitLab official MCP server (/api/v4/mcp, OAuth) + a self-hosted FastMCP shim over the GitLab REST API.
Data sources (all non-AI public data)
- NVD 2.0 API — recent CVEs filtered on the cisaExploitAdd field (CISA Known Exploited Vulnerabilities), carrying CVSS + CWE class.
- OSV.dev (a Google open-source project) — maps the repo's dependency manifest to known CVEs.
- GitLab REST / MCP API — semantic code search plus MR / branch / commit operations.
What we learned
- Most "AI code review" only comments; the rewarded behavior is an agent that reasons, plans, and takes a concrete remediation step under human approval.
- The official GitLab MCP server (beta since GitLab 18.6) is real but OAuth-DCR-only, so a hybrid (official preferred, self-hosted shim fallback) is what keeps a headless hosted URL reliable for judges.
- Reframing from "AI MR-reviewer" (competes with Duo) to "first-party, class-wide remediation" (complements GitLab) was the difference between cloning the platform and showcasing it.
Built With
- cloud-run
- fastapi
- gemini
- gitlab
- google-adk
- google-cloud
- model-context-protocol
- python
- vertex-ai