ASRO-Autonomous Secure Release Orchestrator

Developers waste hours on manual security reviews. Critical vulnerabilities slip through. ASRO's Solution: Automates the entire secure release pipeline with intelligent AI agents

Comment

ASRO

ASRO is a GitLab-focused automation repo with a Node-based asro CLI, three packaged agent manifests, maintenance/release helper scripts, and a lightweight plugin system. The current codebase is real and usable, but it is narrower than some of the older documentation claimed.

Current State

  • CLI entrypoint: bin/asro.js
  • Packaged agent manifests: cleanup, auto-rebase, release
  • Agent scripts: cleanup, auto-rebase, release, compliance, rollback, setup verification
  • Plugin registry seed: plugins/registry.json is currently empty
  • Local plugin install path: .asro/plugins/<name>
  • API server: api/server.js
  • Plugin registry server: plugin-registry/server.js

What Works Today

  • asro built-in commands dispatch through cli/core/engine.js
  • asro agent list reads YAML manifests from agents/
  • asro agent run cleanup|auto-rebase|release runs the packaged agent scripts
  • asro compliance, asro rollback, asro doctor, and asro setup now run through the CLI
  • asro plugin list|install|remove|improve manages local plugins under .asro/plugins
  • asro generate "<description>" scaffolds a plugin with the mock AI client when no real provider is configured

What Is Not Fully Wired Yet

  • The plugin marketplace registry starts empty and uses in-memory storage
  • The default CLI AI client is a mock implementation unless you provide real API-backed integrations
  • Several older “planned” agents in AGENTS.md do not exist as packaged YAML manifests in agents/
  • Runtime verification depends on a working local Node.js installation plus GitLab credentials

Quick Start

git clone https://gitlab.com/git-lab-AI-hackathon/asrorepo.git
cd asrorepo
npm install
node bin/asro.js doctor

If you have the package linked globally, you can use asro ... directly. Otherwise use node bin/asro.js ....

CLI Commands

Core

asro commit "message"
asro push
asro scan
asro patch [projectId]
asro pipeline [projectId]

Agents

asro agent list
asro agent run cleanup
asro agent run cleanup --dry-run
asro agent run cleanup --auto-approve
asro agent run auto-rebase
asro agent run auto-rebase --dry-run
asro agent run auto-rebase --auto-rebase
asro agent run release

Analysis And Ops

asro analyze prioritize
asro analyze review
asro analyze threats
asro analyze all
asro dashboard
asro notify

Plugins

asro plugin list
asro plugin install <name> <git-repo-url>
asro plugin remove <name>
asro plugin improve <name>
asro generate "describe the plugin you want"

Operations

asro compliance
asro rollback
asro rollback <action-id>
asro doctor
asro setup

Global Flags

asro <command> ... --tenant <tenantId> --project <gitlabProjectId>

Environment Variables

  • GITLAB_TOKEN: required for GitLab API operations
  • CI_PROJECT_ID: default project id for pipeline and vulnerability commands
  • ASRO_TENANT_ID: default tenant id for plugin and CLI context
  • API_PORT: API server port, default 3000
  • REGISTRY_PORT: registry server port, default 3001
  • OPENAI_API_KEY: optional, enables external AI integrations where implemented
  • ANTHROPIC_API_KEY: optional, detected by setup verification

Packaged Agents

Only these manifests are currently present in agents/cleanup_agent.yaml, agents/auto_rebase_agent.yaml, and agents/release_agent.yaml:

  • Cleanup Agent
  • Auto-Rebase Agent
  • Release Agent

Other agent concepts described elsewhere in the repo are helper scripts, planned work, or documentation targets rather than packaged agent manifests.

Reports Produced

  • Cleanup: cleanup_report.json, cleanup_summary.md
  • Auto-rebase: auto_rebase_report.json
  • Release: release_summary.md, release_report.json
  • Compliance: compliance_report.json, compliance_score.txt, compliance_summary.md
  • Rollback: rollback_report.json, rollback_log.json

Verification Note

In the current workspace session I could inspect the codebase, but I could not run the Node-based commands because node and npm were not available on the shell PATH in this environment. The docs below therefore reflect code-level verification of command wiring, plus the prerequisites required to execute them locally.

More detail lives in USAGE_GUIDE.md and HACKATHON.md.

For a timed walkthrough, use DEMO_GUIDE.md.

Built With

  • ai:-google-gemini-3.1-(flash-&-pro)-backend:-node.js
  • cloud
  • database:
  • express.js
  • firebase
  • firestore
  • framer-motion
  • github
  • gitlab
  • gitlab-rest-api-frontend:-react-19
  • gitlabagenticduo
  • kilocode
  • lucide
  • run
  • tailwind-css
  • vercel
  • vscode
Share this project:

Updates

posted an update

Our asro cli is getting better with commands... we are trying hard to improve the streamlining of using asro cli right out of the box, at the moments commands that work when u enter asro even from root, are listed below: ASRO — Autonomous Secure Release Orchestrator v1.0.0

Usage: asro [args...] [--tenant ] [--project ]

Built-in commands: commit AI-enhanced git commit push Push and trigger GitLab pipeline scan Security scan of current diff patch [projectId] Auto-patch critical vulnerabilities pipeline [projectId] Trigger a GitLab pipeline plugin [args] Manage plugins (install/list/remove/improve) generate AI-generate a new plugin agent [args] List or run packaged agents analyze Run scripted analysis (prioritize/review/threats/all) dashboard Generate the HTML security dashboard notify Run notification checks / Slack test flow compliance [args] Run compliance scan and write reports rollback [actionId] Show rollback report or rollback one action doctor Verify GitLab/environment setup setup Run interactive setup for local credentials We will then focus on the Security plugins marketplace and our 4 built in plugins.

Log in or sign up for Devpost to join the conversation.