The AI agent audits the MR and detects critical security violations
A detailed security issue is automatically created and block merged with all detected violations.
After fixing the issues, recheck confirms zero vulnerabilities
All security fixes are validated and the code is ready for safe merge.

🚨 Compliance Drift Detective

Predicting security breaches before they happen

💡 Inspiration

Modern security tools are reactive — they detect vulnerabilities after code is merged, when the exposure window is already open.

According to IBM Security 2025:

💸 Average breach cost: $10.2M
⏳ Average detection time: 94 days
🔑 65% of organizations expose API keys

This delay is costly.

We asked:

What if security worked like a weather forecast — predicting risks before they happen, and stopping them in real time?

⚙️ What It Does

Compliance Drift Detective is an AI-powered autonomous security platform built on the GitLab Duo Agent Platform that predicts, prevents, and enforces secure code before merge.

It transforms security from a passive review step into an active merge gatekeeper.

🔄 Core Workflow

Developer opens a Merge Request
AI audits code for OWASP vulnerabilities and secret leaks
Generates a risk score, drift score, and violation report
🚫 Flags the MR as “Blocked by AI Compliance” and creates a tracked issue
Provides copy-paste, production-ready fixes
Developer updates code → triggers AI recheck
✅ AI validates fixes and marks MR as “Ready to Merge”

🔥 Key Features

🧠 Predictive Compliance Audit

Goes beyond detection — predicts likely future vulnerabilities based on patterns and past violations

🚫 AI-Enforced Merge Guard

Simulates an autonomous merge gate:

Blocks unsafe MRs
Prevents approval decisions until critical issues are resolved
Enforces secure development workflows

🔁 Autonomous Recheck

Continuously verifies fixes with zero manual effort

📜 Security Historian

Analyzes past violations to guide developers before they introduce risks

📈 Trend Intelligence

Tracks security patterns across merge requests, helping teams identify systemic weaknesses

🔮 Risk Forecasting

Predicts future vulnerabilities with probabilities

Example: ⚠️ “95% probability of a critical secret leak in the next commit”

📊 Drift Score (0–100)

A real-time security health metric for every project

Lower score → higher risk
Enables data-driven security decisions

🌱 Sustainability Intelligence

Links insecure code to:

Increased compute waste
Rework cycles
Higher carbon footprint

🛠️ How We Built It

Built entirely on GitLab Duo Agent Platform
Zero external APIs or infrastructure
Fully GitLab-native AI workflows

Each AI agent:

Analyzes MR diffs
Detects vulnerabilities
Generates insights
Creates issues
Suggests fixes
Re-validates changes

All triggered via simple GitLab mentions.

🚧 Challenges

⚙️ Reverse-engineered undocumented YAML schemas
🔗 Stabilized multi-agent orchestration flows
🧠 Distinguished real secrets from placeholders
⚖️ Balanced strict security with developer usability

🏆 Accomplishments

✅ 8 fully functional AI security agents running on real MRs
🚫 Implemented AI-driven merge blocking simulation
📊 Introduced Drift Score (novel security metric)
🔮 Built predictive risk forecasting capability
🌱 Connected security practices with sustainability impact
⚡ Achieved full functionality with zero infrastructure

📚 What We Learned

AI enables a shift from reactive detection → predictive prevention
Constraints led to more efficient and elegant system design
Security inefficiencies also increase environmental cost
Developers adopt security faster when fixes are actionable

🚀 What’s Next

⚡ Auto-trigger on every MR open
🌍 Cross-project and organization-wide risk intelligence
🚫 Drift Score–based hard merge blocking via pipeline enforcement
📊 Integration with GitLab Security Dashboard
🧠 Improved prediction accuracy using historical data

🆚 Why This Is Different

Unlike traditional tools:

❌ SAST → detects after code is written
❌ Linters → enforce rules without context
❌ Security scanners → generate reports only

✅ Compliance Drift Detective:

Predicts future vulnerabilities
Enforces secure development before merge
Learns from historical patterns
Acts autonomously inside the developer workflow

🎯 Final Thought

The future of security is not detection — it’s prediction, prevention, and enforcement.

Built With

create-issue
create-merge-request-note
gitlab
gitlab-duo-agent
gitlab-restapi
list-issues
list-merge-request-diffs
owasp
pattern-based-analysis
security-drift-score
sustainability-score
yaml

Submitted to

GitLab AI Hackathon

Created by

I designed and built the entire system end-to-end, including all 8 AI agent flows and the core predictive security logic.

My contributions include:
- Designing the architecture using GitLab Duo Agent Platform
- Building all agent workflows (compliance audit, recheck, historian, risk forecast, etc.)
- Implementing security detection logic based on OWASP principles
- Developing the Security Drift Score, Drift Timeline, and risk prediction system
- Creating automated remediation workflows with issue tracking and MR feedback
- Handling YAML workflow design, debugging, and platform constraints

This project was built entirely within GitLab’s ecosystem without external infrastructure.

Siri Lekkala

Updates

Siri Lekkala started this project — Mar 24, 2026 01:27 PM EDT

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.