Inspiration
Software teams often know a merge request looks risky, but the hard part is deciding what to do next in a way that is fast, consistent, and auditable. In many teams, risky changes create friction between developers, security reviewers, and compliance stakeholders. Existing review processes also tend to blur together what the current MR actually introduced, what risky code or configuration already existed in the files it touched, and what process evidence is missing. That leads to noisy reviews, poor prioritization, and exception handling that lives in scattered comments instead of a structured workflow. We built ExceptionOps AI to close that gap inside GitLab.
What it does
ExceptionOps AI is a GitLab-native, merge-request-first governance workflow. It reviews a merge request, separates newly introduced or modified risk from pre-existing baseline risk in touched files, identifies governance and evidence gaps, and then gives a decision: Ready to merge, Ready after minor fixes, Requires exception review, or Not ready to merge. When formal exception handling is actually needed, it creates or updates a linked Exception Record issue inside GitLab with compensating controls, follow-up actions, and revalidation guidance. When exception handling is not needed, it keeps the response within the MR review, reducing noise and over-escalation.
How we built it
We built ExceptionOps AI using the GitLab Duo Agent Platform with a custom public flow and custom public agent, both defined in YAML. The core workflow is MR-first and uses GitLab context, merge request metadata, diffs, notes, search tools, issue creation, and update actions to produce structured governance decisions. We designed the flow logic to support both direct MR triggering and issue-based intake, while keeping the real review path centered on merge requests. We also created demo files in Python and YAML to simulate risky patterns and realistic review scenarios, and used structured Markdown outputs to keep the workflow readable and audit-friendly.
Challenges we ran into
The biggest challenge was making the workflow behave like a real automation instead of a chatbot. Early on, the flow often fell into clarification loops when triggered in the wrong context, especially when issue comments were mistaken for merge request reviews. Another challenge was preventing the system from unfairly blaming the current MR for pre-existing risky code in the files it touched. We also had to refine the conditions under which an Exception Record should be created, because opening one for every governance gap made the workflow noisy and less credible. Getting the flow to be deterministic, useful, and disciplined took multiple iterations.
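The decision logic described under "What it does" and refined in this section, as an added illustration written for this page rather than the project's own flow or agent code: a small Python model that attributes findings on the added lines of a unified diff to the merge request and findings on unchanged context lines to the pre-existing baseline, collects governance gaps from an evidence dictionary, and maps the result to the four decisions, opening an Exception Record only when the decision is "Requires exception review". The risk patterns, severity tiers, evidence keys and sample diff are constructed assumptions, not ExceptionOps AI's actual rules.

```python
"""Constructed model of an MR-first governance decision (not ExceptionOps AI's code)."""
import re
from dataclasses import dataclass

# Constructed heuristic patterns standing in for a real scanner's rule set.
RISK_PATTERNS = {
    "hardcoded-secret": re.compile(r"(?i)(password|secret|api_key)\s*=\s*['\"][^'\"]+['\"]"),
    "shell-injection": re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True"),
    "tls-verify-off": re.compile(r"verify\s*=\s*False"),
}
# Constructed severity tier: fresh findings of these rules block rather than get excepted.
BLOCKING_RULES = {"hardcoded-secret", "shell-injection"}


@dataclass
class Finding:
    rule: str
    path: str
    code: str
    introduced: bool  # True: on a '+' line of the MR; False: on unchanged baseline context


@dataclass
class Review:
    introduced: list
    baseline: list
    governance_gaps: list
    decision: str
    needs_exception_record: bool


def scan_diff(diff_text):
    """Walk a unified diff: '+' lines are what the MR adds, ' ' lines are baseline."""
    findings, path = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "@@", "diff ")):
            continue
        if raw.startswith("+"):
            introduced, code = True, raw[1:]
        elif raw.startswith(" "):
            introduced, code = False, raw[1:]
        else:
            continue  # '-' lines are removed code; nothing to attribute
        for rule, pattern in RISK_PATTERNS.items():
            if pattern.search(code):
                findings.append(Finding(rule, path, code.strip(), introduced))
    return findings


def governance_gaps(evidence):
    """Evidence keys are placeholders for what a real flow reads from MR metadata."""
    gaps = []
    if not evidence.get("security_reviewer_approved"):
        gaps.append("missing security reviewer approval")
    if not evidence.get("linked_issue"):
        gaps.append("no linked tracking issue")
    if evidence.get("pipeline_status") != "success":
        gaps.append("pipeline not green")
    return gaps


def review_mr(diff_text, evidence):
    """Decide on the MR from introduced risk and governance gaps only.

    Baseline findings are reported for context but never count against the MR,
    and an Exception Record is only warranted for 'Requires exception review'.
    """
    findings = scan_diff(diff_text)
    introduced = [f for f in findings if f.introduced]
    baseline = [f for f in findings if not f.introduced]
    gaps = governance_gaps(evidence)
    if any(f.rule in BLOCKING_RULES for f in introduced):
        decision, record = "Not ready to merge", False  # fix it; do not except it
    elif introduced and gaps:
        decision, record = "Requires exception review", True
    elif introduced or gaps:
        decision, record = "Ready after minor fixes", False
    else:
        decision, record = "Ready to merge", False
    return Review(introduced, baseline, gaps, decision, record)


def render(review):
    """Structured Markdown summary of the kind a reviewer would read in the MR."""
    lines = [f"**Decision:** {review.decision}",
             f"**Exception Record needed:** {'yes' if review.needs_exception_record else 'no'}",
             "**Introduced risk:**"] + [f"- {f.rule} in {f.path}: `{f.code}`" for f in review.introduced]
    lines += ["**Pre-existing baseline risk (not attributed to this MR):**"]
    lines += [f"- {f.rule} in {f.path}: `{f.code}`" for f in review.baseline]
    lines += ["**Governance gaps:**"] + [f"- {g}" for g in review.governance_gaps]
    return "\n".join(lines)


# Constructed sample diff: the MR adds a TLS-verification bypass to a file that
# already contained a hardcoded key before this change.
SAMPLE_DIFF = """\
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,5 @@
 import requests
 API_KEY = "old-baseline-key"
+def fetch(url):
+    return requests.get(url, verify=False)
 TIMEOUT = 30
"""
# Constructed evidence: pipeline green and issue linked, but no security reviewer yet.
SAMPLE_EVIDENCE = {"security_reviewer_approved": False,
                   "linked_issue": "ISSUE-PLACEHOLDER",
                   "pipeline_status": "success"}

if __name__ == "__main__":
    print(render(review_mr(SAMPLE_DIFF, SAMPLE_EVIDENCE)))
```

Running the script on the constructed diff reports the `verify=False` line as introduced risk and the hardcoded key as baseline risk, and because a governance gap remains the decision is "Requires exception review" with an Exception Record; approving the security review on the same diff drops it to "Ready after minor fixes" with no record, which is the noise-reduction behaviour the section describes.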
Accomplishments that we're proud of
We are proud that ExceptionOps AI became more than just an "AI reviewer." It now functions as a real decision-support workflow within GitLab. It can distinguish between introduced and baseline risk, classify governance gaps separately from technical findings, avoid unnecessary exception records, and update existing exception records rather than duplicating them. We are also proud that the workflow remains within GitLab as an agentic system that responds to triggers and takes action, rather than just generating chat-like advice.
What we learned
We learned that building useful AI workflows is less about making the model sound intelligent and more about controlling how it behaves in ambiguous situations. Safe fallback behavior, clear trigger design, and explicit decision rules matter more than flashy prompts. We also learned that developers and reviewers need AI systems that are fair: if the workflow cannot distinguish new risk from old risk, it quickly loses trust. Finally, we learned that governance workflows become much more valuable when they not only detect risk, but also prescribe the next action and create the tracking artifact needed for follow-up.
What's next for ExceptionOps AI
The next step is to make ExceptionOps AI even more useful as a lifecycle tool. We want to expand exception records with stronger ownership, status transitions, expiration handling, and revalidation reminders. We also want to improve how the system reasons about governance evidence, reviewer requirements, and compensating controls across different risk types. In the longer term, ExceptionOps AI could evolve into a broader GitLab-native decision layer for risky changes, helping teams move faster without sacrificing auditability, consistency, or governance quality.
Built With
- custom-gitlab-public-agent
- custom-gitlab-public-flow
- demo
- gitlab-automation/session-logs
- gitlab-duo-agent-platform
- gitlab-issue-tracking
- gitlab-merge-request-workflows
- gitlab-search-and-note-tools
- markdown-output-formatting
- python
- yaml
- yaml-configuration