What Inspired Me

Every developer I know has lived this moment: a security scan drops a wall of CVEs right before a deadline or an audit. The pain isn't just the vulnerabilities themselves; it's the manual, repetitive work that follows: read each CVE, look up the CVSS score, figure out which compliance framework it breaks, write a patch, write a test, open a PR, generate a report, deploy carefully. It's the kind of work that keeps engineers working weekends for no good reason.

I wanted to build something that made that entire chain disappear. Not just assist — fully automate it, end to end, with a human only touching the final approval.

How I Built It

SecurePath is built as a 5-agent flow on the GitLab Duo Agent Platform, each agent specialising in one step of the pipeline:

  1. Triage Bot - reads all security findings, enriches them with live CVE data from the NVD API, and scores each one by priority using the formula:

$$\text{Priority} = (\text{CVSS} \times 2) + (\text{Compliance Exposure} \times 1.5) + (\text{Fix Available} \times 1)$$

  2. Patch Architect - generates minimal, production-safe code fixes and unit tests
  3. Security Reviewer - audits the patch and opens a Merge Request
  4. Compliance Scribe - calls a real microservice on GCP Cloud Run to map CVEs to SOC2, PCI-DSS 4.0, GDPR Article 32, and HIPAA controls
  5. Deploy Orchestrator - triggers a canary deployment after human MR approval, monitors health, and automatically rolls back if the error rate rises by more than 2%

The compliance service is a Python Flask API deployed on Google Cloud Run that fetches live data from the NVD API and generates audit-ready markdown reports.
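To make the Triage Bot's scoring step concrete, here is an added example of the priority formula applied to a batch of findings and packaged as a fixed-schema JSON payload for the next agent. This is illustration code written for this page, not SecurePath's own implementation. It assumes two things the page does not spell out: Compliance Exposure is the number of frameworks (SOC2, PCI-DSS, GDPR, HIPAA) whose controls the finding's CWE maps to, and Fix Available is 1 when a patched version exists and 0 otherwise. The CWE-to-control table and the sample findings are constructed for the example, and the function names (`triage`, `handoff_payload`, `handoff_json`) are hypothetical.

```python
"""Triage scoring for security findings: added example, not the project's code.

Assumptions (not stated on the page):
  - Compliance Exposure = number of frameworks with a control mapped to the CWE
  - Fix Available       = 1 if a fixed version exists, else 0
"""
import json
from dataclasses import dataclass

FRAMEWORKS = ("SOC2", "PCI-DSS", "GDPR", "HIPAA")

# Illustrative CWE -> framework control mapping (assumption, not the project's real table).
CWE_TO_CONTROLS = {
    "CWE-89":  {"SOC2": "CC6.1", "PCI-DSS": "6.2.4", "GDPR": "Art. 32", "HIPAA": "164.312(c)(1)"},
    "CWE-79":  {"SOC2": "CC6.1", "PCI-DSS": "6.2.4", "GDPR": "Art. 32"},
    "CWE-798": {"SOC2": "CC6.1", "PCI-DSS": "8.6.2", "HIPAA": "164.312(a)(1)"},
}


@dataclass
class Finding:
    cve: str
    cvss: float
    cwe: str
    fix_available: bool


def compliance_exposure(cwe: str) -> int:
    """Number of frameworks whose controls the CWE maps to (assumed definition)."""
    return len(CWE_TO_CONTROLS.get(cwe, {}))


def priority(cvss: float, exposure: int, fix_available: bool) -> float:
    """Priority = (CVSS x 2) + (Compliance Exposure x 1.5) + (Fix Available x 1).

    Rejects out-of-range CVSS values so a malformed NVD record cannot
    silently push a finding to the top (or bottom) of the queue.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return round(cvss * 2 + exposure * 1.5 + (1 if fix_available else 0), 2)


def triage(findings):
    """Score every finding and return rows ordered highest priority first."""
    rows = []
    for f in findings:
        exposure = compliance_exposure(f.cwe)
        rows.append({
            "cve": f.cve,
            "cvss": f.cvss,
            "cwe": f.cwe,
            "fix_available": f.fix_available,
            "compliance_exposure": exposure,
            "controls": CWE_TO_CONTROLS.get(f.cwe, {}),
            "priority": priority(f.cvss, exposure, f.fix_available),
        })
    # Deterministic order: priority descending, CVE id as tie-breaker.
    rows.sort(key=lambda r: (-r["priority"], r["cve"]))
    return rows


def handoff_payload(findings) -> dict:
    """Fixed-schema structure for the next agent. An empty scan still yields
    an explicit empty list and count, never a missing key."""
    rows = triage(findings)
    return {"schema": "triage.v1", "count": len(rows), "findings": rows}


def handoff_json(findings) -> str:
    """Serialised form of the hand-off payload."""
    return json.dumps(handoff_payload(findings), indent=2)


# Constructed sample findings (placeholder identifiers, not real CVE records).
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, "CWE-89", True),
    Finding("CVE-0000-0002", 7.5, "CWE-79", False),
    Finding("CVE-0000-0003", 9.1, "CWE-798", True),
    Finding("CVE-0000-0004", 5.3, "CWE-1333", True),  # CWE with no control mapping
]

if __name__ == "__main__":
    print(handoff_json(SAMPLE))
```

Two details matter for chaining: the payload always carries `schema`, `count` and `findings`, so the Patch Architect can validate the shape before reading any row, and an empty scan produces `"findings": []` rather than an absent key, which is the case a downstream agent is most likely to mishandle.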

What I Learned

  • How to chain agents using structured JSON outputs so each agent feeds the next cleanly
  • How pipeline_hooks and mention triggers work on the GitLab Duo Agent Platform; the flow reacts to real events, not just chat prompts
  • How to map CWE weakness IDs to specific compliance controls across 4 frameworks
  • That the hardest part of multi-agent systems is failure handling - what does agent 3 do if agent 2 produced no patches?

Challenges I Faced

  • Agent chaining reliability - getting each agent to output clean JSON that the next agent could parse without hallucinating extra fields
  • Compliance mapping depth - SOC2, PCI-DSS, GDPR, and HIPAA all have different control structures; building a CWE-to-control mapping that works across all four took significant research
  • Keeping humans in the loop correctly - the deploy agent must never deploy without a human approving the MR, which required careful prompt engineering to prevent the agent from skipping that check
  • Removing a hardcoded GCP service account key that was accidentally committed to the CI config - caught and fixed during development
