Inspiration Every developer has felt that sinking feeling: a security vulnerability made it to production. Maybe it was a hardcoded API key that got committed. Maybe it was a SQL injection that slipped through code review. Maybe it was a Terraform config that left an S3 bucket public. Maybe it was a Dockerfile running as root with secrets baked into ENV variables.
The stats are sobering:
83% of codebases contain at least one known vulnerability The average cost of a data breach is $4.45 million 70% of breaches originate from application vulnerabilities Infrastructure misconfigurations are the no.1 cause of cloud breaches Security reviews are often an afterthought—a bottleneck at the end of the development cycle when changes are expensive and deadlines are tight. Developers lack security expertise, security teams are overwhelmed, and compliance documentation is a manual burden.
We asked: What if every merge request could have an expert security reviewer—one that knows application security AND infrastructure security—instantly?
What it does DevSecOps Guardian is an AI-powered security sentinel built on the GitLab Duo Agent Platform. It consists of two components that bring enterprise-grade security analysis directly into the developer workflow:
Security Scanner Flow (Automated): When assigned to a merge request or mentioned in a comment, the flow runs a 6-step automated pipeline:
Gather Context—Collects the MR diff, identifies languages and frameworks Deep Vulnerability Scan—Scans for 40+ vulnerability types across application code and infrastructure-as-code CVSS v3.1 Scoring—Calculates precise severity with full vector strings (AV/AC/PR/UI/S/C/I/A) Compliance Mapping—Maps every finding to 9 compliance frameworks simultaneously Remediation Planning—Generates defense-in-depth fixes with shift-left tooling recommendations Post Report—Delivers a formal compliance report as an MR comment with APPROVE/CHANGES REQUESTED/BLOCK verdict Interactive Agent (Duo Chat): Developers can chat with the agent to analyze code, get remediation plans, and cross-reference compliance frameworks in real time.
How we built it Designed custom agent and flow YAML schemas for GitLab Duo Agent Platform Implemented vulnerability scanning logic for 40+ vulnerability types Integrated CVSS v3.1 scoring and compliance mapping for 9 frameworks Automated reporting and remediation planning Used OpenCV to extract demo screenshots from a recorded video walkthrough Polished documentation and demo assets for submission Challenges Debugging YAML schema for agent and flow registration Handling platform-injected emojis in Duo Chat (not controllable from agent YAML) Cleaning up duplicate catalog entries (blocked by permissions) Recording and extracting high-quality demo assets Ensuring CI pipeline validation and compliance What we learned How to build and orchestrate custom agents and flows on GitLab Duo Agent Platform Best practices for security automation and compliance reporting Effective demo asset creation and submission workflow
Built With
- devpost-platforms:-gitlab
- gitlab
- gitlab-ci/cd-tools:-opencv-(for-video-processing)
- languages:-python
- markdown-frameworks:-gitlab-duo-agent-platform
- mit
- other:
- yaml
- youtube
Log in or sign up for Devpost to join the conversation.