Inspiration
Security and compliance signals in GitLab are scattered across merge requests, CI pipelines, and vulnerability dashboards. Reviewers see a diff — but not whether the SAST job ran on this pipeline for this function, or whether SEC-442 is still open on the node being changed.
GitLab Orbit connects those entities in a knowledge graph. I built Compliance Gap Sentinel to use that graph as proof of causality, not decoration: if Orbit cannot confirm the relationship between changed code, pipeline execution, and security findings, enforcement does not fire.
What it does
- Loads policy-as-code — sensitive path patterns and rules POL-001..POL-004 from
compliance-gap-sentinel.yml. - Queries Orbit — three specialized traversals (MR, Pipeline, SecurityFinding) merged into one evidence graph.
- Evaluates deterministically — risk score, severity, confidence, and rule IDs with full node chains.
- Acts on the MR — adds labels (
compliance-risk,security-review-required,compliance-critical), assigns a security reviewer, and posts a structured comment with JSON evidence payload. - Audits every decision — local audit trail in
.cgs-audit/for traceability.
Example evidence path:
MR !1 → src/auth/session.ts → rotateSessionToken() → Pipeline #8802 (no SAST) → SEC-442 (open)
Trigger on any MR: @ai-compliance-gap-sentinel-gitlab-ai-hackathon analyze this MR for compliance gaps using Orbit graph evidence
How we built it
| Layer | Technology |
|---|---|
| Policy engine | TypeScript — deterministic POL-001..004 evaluation |
| Orbit integration | POST /api/v4/orbit/query + typed response parsing (parse-response.ts) |
| Agent platform | GitLab Duo Flow (3 components) + project Skill |
| Catalog publish | AI Catalog Sync CI component (tag 0.1.4) |
| Reference CLI | Node.js 20+ — npm run analyze, seeded demo scenarios |
| Tests | Vitest — 20 tests across policy, Orbit parsing, analyzer, executor |
| License | MIT |
Flow architecture: context_gatherer → orbit_analyzer → compliance_officer
Artifacts:
- Flow:
flows/compliance-gap-sentinel-flow.yml - Skill:
skills/compliance-gap-sentinel/SKILL.md - Orbit query recipes:
skills/compliance-gap-sentinel/references/orbit-queries.md
Challenges we ran into
- Catalog CI — Protected CI variables were not visible to tag pipelines until tags were protected or variables unprotected; flow filename had to match
compliance-gap-sentinel-flow.yml. - Orbit response shapes — Live API returns both array (
result: [...]) and aggregation v2 (result: { rows: [...] }) formats; builtgetOrbitRows()to handle both. - Honest enforcement — Early prototypes used path heuristics for findings; refactored so High/Critical actions require parsed Orbit nodes with
source: "orbit", andgraphComplete: falseblocks enforcement. - Advisory messaging — Low/Medium scenarios initially showed "insufficient graph evidence" when the graph was complete but severity was below threshold; fixed with discriminated MR comment headers and tests.
Accomplishments that we're proud of
- Published Compliance Gap Sentinel to the GitLab AI Catalog (flow #1011889).
- Orbit-as-proof design: enforcement is a consequence of verified graph relationships, not file-path guessing.
- Four deterministic demo scenarios (low → critical) with copy-paste MR test files under
examples/mr-pipeline/. - 20 passing tests locking policy outcomes, Orbit parsing, and advisory vs enforce messaging.
- Full SDLC automation — labels, reviewer, MR comments — not chat-only responses.
What we learned
- Orbit is most powerful when queries are narrow and joined — three focused traversals beat one overloaded query for reliability and explainability.
- Compliance tooling must distinguish "no violation", "violation below threshold", and "cannot verify graph" — developers trust tools that explain which case applies.
- GitLab Duo Flow + Skill + Catalog CI is a viable path from prototype to installable team artifact in a hackathon timeframe.
What's next for Compliance Gap Sentinel
- GitLab CI component (
include: compliance-gap-sentinel) for one-line adoption - Approval-rule integration for merge blocking on Critical severity
- Group-level Orbit queries for cross-project compliance dashboards
- Convergence with incident forensics (post-merge graph replay)
Built With
- ai-catalog
- ci/cd
- gitlab
- node.js
- orbit
- typescript
- vitest
- yaml
Log in or sign up for Devpost to join the conversation.