Inspiration
When a CVE drops for a package your team uses, finding out which files, functions, and projects are actually affected can take hours of manual searching through code. Most tools just flag the import; they don't tell you which functions actually call the vulnerable code, or how deep the exposure goes.
What it does
CVE Propagation Tracer is a GitLab Duo agent that uses the Orbit knowledge graph to automatically trace vulnerability propagation across your entire GitLab group. Give it a CVE ID and a package name and it will:
- Discover all projects in your GitLab group automatically
- Find every file that imports the vulnerable package
- Trace the call graph to find functions invoking vulnerable code
- Check existing GitLab security scan findings for the CVE
- Generate a full blast radius report with severity scoring
- Auto-create a GitLab issue with a complete remediation plan
All in one command. In under 30 seconds.
How we built it
The core is a Python agent that queries GitLab Orbit's knowledge graph using the remote query API via the glab CLI. Orbit indexes the entire codebase as a graph of connected nodes (files, imports, definitions, vulnerabilities, projects), so instead of grepping through code, the agent runs structured graph traversal queries to get exact answers.
The agent runs three queries in sequence:
- Find all projects in the group via the CONTAINS relationship between Group and Project nodes
- Trace imports of the vulnerable package via IMPORTS edges between File and ImportedSymbol nodes, connected to projects via Branch and CONTAINS relationships
- Optionally trace the call graph via CALLS edges between Definition nodes
Results are displayed as a rich terminal report and then pushed to GitLab as a formatted issue using the GitLab REST API.
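As an added illustration that is not the project's code and does not use Orbit's query DSL (which this page does not reproduce), here is the same traversal run over a small constructed in-memory graph built from the node and edge types named above; every node name is made up, and the severity rule is a placeholder heuristic.

```python
from collections import defaultdict, deque

# Constructed toy graph using the node and edge types named on this page:
# Group -CONTAINS-> Project -CONTAINS-> Branch -CONTAINS-> File,
# File -IMPORTS-> ImportedSymbol, File -CONTAINS-> Definition, Definition -CALLS-> Definition.
EDGES = [  # (source, relation, target); all names are made up for the example
    ("grp", "CONTAINS", "projA"), ("grp", "CONTAINS", "projB"),
    ("projA", "CONTAINS", "main@A"), ("projB", "CONTAINS", "main@B"),
    ("main@A", "CONTAINS", "a/app.py"), ("main@A", "CONTAINS", "a/util.py"),
    ("main@B", "CONTAINS", "b/svc.py"),
    ("a/util.py", "IMPORTS", "requests"), ("b/svc.py", "IMPORTS", "yaml"),
    ("a/util.py", "CONTAINS", "a.util.fetch"), ("a/app.py", "CONTAINS", "a.app.handler"),
    ("a/app.py", "CONTAINS", "a.app.main"), ("b/svc.py", "CONTAINS", "b.svc.load"),
    ("a.app.handler", "CALLS", "a.util.fetch"), ("a.app.main", "CALLS", "a.app.handler"),
]

def index_edges(edges):
    """Forward and reverse adjacency keyed by (node, relation)."""
    fwd, rev = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        fwd[(src, rel)].append(dst)
        rev[(dst, rel)].append(src)
    return fwd, rev

def project_of_file(path, rev):
    """Query 2's join: File <-CONTAINS- Branch <-CONTAINS- Project (no direct File->Project edge)."""
    branch = next(iter(rev[(path, "CONTAINS")]), None)
    return next(iter(rev[(branch, "CONTAINS")]), None) if branch else None

def blast_radius(package, edges, max_depth=5):
    """Files importing `package`, the projects they belong to, and callers by call depth."""
    fwd, rev = index_edges(edges)
    files = sorted(rev[(package, "IMPORTS")])                       # query 2: IMPORTS edges
    projects = sorted({project_of_file(f, rev) for f in files} - {None})
    # Query 3: walk CALLS edges backwards from definitions in the importing files,
    # recording the shortest call distance from the vulnerable import.
    frontier = deque((d, 0) for f in files for d in fwd[(f, "CONTAINS")])
    depth = {}
    while frontier:
        node, dist = frontier.popleft()
        if node in depth or dist > max_depth:
            continue
        depth[node] = dist
        frontier.extend((caller, dist + 1) for caller in rev[(node, "CALLS")])
    # Constructed severity heuristic; the page does not define its own scoring rule.
    severity = "HIGH" if len(projects) > 1 or len(depth) > 2 else ("MEDIUM" if depth else "LOW")
    return {"projects": projects, "files": files, "callers": depth, "severity": severity}
```

The real agent gets the same answers from Orbit's indexed graph instead of an in-memory list; the point is that the import, branch, and call relationships are traversed, not grepped.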
Challenges we ran into
The biggest challenge was figuring out the correct Orbit query DSL. The schema and query language documentation was detailed, but the relationships between source code entities were not obvious at first. I had to systematically test each relationship type to find the correct traversal path from ImportedSymbol all the way back to Project.
Accomplishments that we're proud of
The tool actually works end to end. From a single command, it discovers projects, traces imports through Orbit's knowledge graph, generates a blast radius report, and opens a GitLab issue with a remediation plan, all automatically.
Getting the Orbit query traversal right was a great achievement. Source code entities connect to projects through Branch nodes, not directly, and figuring out that relationship chain through live testing was genuinely satisfying.
The terminal output is clean and readable. Using the rich library to display colour-coded severity tables and a formatted blast radius panel makes the results easy to understand at a glance, which matters when a security team is responding to a live CVE.
Most importantly, this is not a demo that fakes the output. Every result shown comes from a real Orbit query against a real GitLab codebase. That is something worth being proud of.
What we learned
Orbit's query language is powerful but very strict: every query needs at least one selective filter, and source code entities like File and ImportedSymbol connect to projects through Branch nodes rather than directly. Learning to traverse the graph correctly was the biggest challenge and the most rewarding part.
I also learned that giving AI structured context, instead of raw file dumps, makes it dramatically faster and more accurate. Orbit is the missing piece that makes AI agents actually useful in large codebases.
What's next for CVE Propagation Tracer
- Add support for scanning multiple CVEs at once
- Add automatic MR creation with dependency version bumps
- Integrate with GitLab webhooks so the agent triggers automatically when a new CVE advisory is published
- Publish to the GitLab AI Catalog for the community to use
Built With
- gitlab-duo-agent-platform
- gitlab-orbit
- gitlab-rest-api
- glab-cli
- python