Inspiration

Security and compliance signals in GitLab are scattered across merge requests, CI pipelines, and vulnerability dashboards. Reviewers see a diff — but not whether the SAST job ran on this pipeline for this function, or whether SEC-442 is still open on the node being changed.

GitLab Orbit connects those entities in a knowledge graph. I built Compliance Gap Sentinel to use that graph as proof of causality, not decoration: if Orbit cannot confirm the relationship between changed code, pipeline execution, and security findings, enforcement does not fire.

What it does

  1. Loads policy-as-code — sensitive path patterns and rules POL-001..POL-004 from compliance-gap-sentinel.yml.
  2. Queries Orbit — three specialized traversals (MR, Pipeline, SecurityFinding) merged into one evidence graph.
  3. Evaluates deterministically — risk score, severity, confidence, and rule IDs with full node chains.
  4. Acts on the MR — adds labels (compliance-risk, security-review-required, compliance-critical), assigns a security reviewer, and posts a structured comment with JSON evidence payload.
  5. Audits every decision — local audit trail in .cgs-audit/ for traceability.

Example evidence path:

MR !1 → src/auth/session.ts → rotateSessionToken() → Pipeline #8802 (no SAST) → SEC-442 (open)

Trigger on any MR: @ai-compliance-gap-sentinel-gitlab-ai-hackathon analyze this MR for compliance gaps using Orbit graph evidence

How we built it

Layer Technology
Policy engine TypeScript — deterministic POL-001..004 evaluation
Orbit integration POST /api/v4/orbit/query + typed response parsing (parse-response.ts)
Agent platform GitLab Duo Flow (3 components) + project Skill
Catalog publish AI Catalog Sync CI component (tag 0.1.4)
Reference CLI Node.js 20+ — npm run analyze, seeded demo scenarios
Tests Vitest — 20 tests across policy, Orbit parsing, analyzer, executor
License MIT

Flow architecture: context_gathererorbit_analyzercompliance_officer

Artifacts:

  • Flow: flows/compliance-gap-sentinel-flow.yml
  • Skill: skills/compliance-gap-sentinel/SKILL.md
  • Orbit query recipes: skills/compliance-gap-sentinel/references/orbit-queries.md

Challenges we ran into

  • Catalog CI — Protected CI variables were not visible to tag pipelines until tags were protected or variables unprotected; flow filename had to match compliance-gap-sentinel-flow.yml.
  • Orbit response shapes — Live API returns both array (result: [...]) and aggregation v2 (result: { rows: [...] }) formats; built getOrbitRows() to handle both.
  • Honest enforcement — Early prototypes used path heuristics for findings; refactored so High/Critical actions require parsed Orbit nodes with source: "orbit", and graphComplete: false blocks enforcement.
  • Advisory messaging — Low/Medium scenarios initially showed "insufficient graph evidence" when the graph was complete but severity was below threshold; fixed with discriminated MR comment headers and tests.

Accomplishments that we're proud of

  • Published Compliance Gap Sentinel to the GitLab AI Catalog (flow #1011889).
  • Orbit-as-proof design: enforcement is a consequence of verified graph relationships, not file-path guessing.
  • Four deterministic demo scenarios (low → critical) with copy-paste MR test files under examples/mr-pipeline/.
  • 20 passing tests locking policy outcomes, Orbit parsing, and advisory vs enforce messaging.
  • Full SDLC automation — labels, reviewer, MR comments — not chat-only responses.

What we learned

  • Orbit is most powerful when queries are narrow and joined — three focused traversals beat one overloaded query for reliability and explainability.
  • Compliance tooling must distinguish "no violation", "violation below threshold", and "cannot verify graph" — developers trust tools that explain which case applies.
  • GitLab Duo Flow + Skill + Catalog CI is a viable path from prototype to installable team artifact in a hackathon timeframe.

What's next for Compliance Gap Sentinel

  • GitLab CI component (include: compliance-gap-sentinel) for one-line adoption
  • Approval-rule integration for merge blocking on Critical severity
  • Group-level Orbit queries for cross-project compliance dashboards
  • Convergence with incident forensics (post-merge graph replay)

Built With

Share this project:

Updates