Modern development moves fast, sometimes a little too fast. While working on projects and exploring DevOps workflows, I kept noticing the same problem: security often ends up as an afterthought during code reviews. Most developers focus on functionality, deadlines, and getting things merged quickly, and in that rush, subtle vulnerabilities quietly slip through.

That got me thinking about shifting security left in the development lifecycle, catching issues right at the Merge Request stage, where fixes are fastest and cheapest.

With the rise of AI models, a question came to mind: what if security reviews could happen instantly, automatically, and intelligently, almost like having a senior security engineer reviewing every pull request?

That idea became DuoGuard.

DuoGuard is an AI-powered security agent that integrates directly into GitLab Merge Requests. Whenever a developer creates or updates a Merge Request, DuoGuard automatically triggers in GitLab CI/CD, fetches the code changes, analyses them with an AI model, and posts a structured security report as a comment.

It detects real-world vulnerabilities such as hardcoded secrets and API keys, SQL injection risks, cross-site scripting issues, unsafe function usage like eval or exec, sensitive data leaks in logs, and dependency-related risks.

The goal is simple: make security feedback instant, actionable, and impossible to ignore.

I built DuoGuard as a lightweight yet powerful system that fits naturally into existing DevOps workflows. The core flow looks like this:

Merge Request → GitLab CI → Python Script → AI Analysis → MR Comment

The system relies on GitLab CI/CD for triggering pipelines, a Python script (duoguard.py) to fetch diffs and handle communication, the Groq API with LLaMA 3.3 70B for vulnerability analysis, and the GitLab REST API for authentication and posting comments.

I focused heavily on keeping the system plug-and-play, minimal in configuration, and fully automated.

Of course, building DuoGuard came with its own challenges. Extracting meaningful diffs from GitLab wasn’t straightforward because the raw data can be noisy, and structuring it in a way that the AI could actually understand required careful handling.
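One way to cut that noise before the diff reaches the model is sketched below. This is an added example, not DuoGuard's own code: it assumes input shaped like the `changes` array of GitLab's merge request changes endpoint (`new_path`, `deleted_file`, `diff`), and the function names, the skip list, and the sample data are hypothetical.

```python
import re

# Constructed sample shaped like the "changes" array returned by GitLab's
# merge request changes endpoint (fields: new_path, deleted_file, diff).
SAMPLE_CHANGES = [
    {"new_path": "app/db.py", "deleted_file": False,
     "diff": "@@ -10,3 +10,4 @@ def get_user(conn, name):\n"
             "     cur = conn.cursor()\n"
             "-    cur.execute(\"SELECT * FROM users WHERE name = %s\", (name,))\n"
             "+    query = \"SELECT * FROM users WHERE name = '\" + name + \"'\"\n"
             "+    cur.execute(query)\n"
             "     return cur.fetchone()\n"
             "\\ No newline at end of file\n"},
    {"new_path": "package-lock.json", "deleted_file": False,
     "diff": "@@ -1,1 +1,1 @@\n-{}\n+{\"lockfileVersion\": 3}\n"},
    {"new_path": "old/legacy.py", "deleted_file": True,
     "diff": "@@ -1,2 +0,0 @@\n-import os\n-os.system('ls')\n"},
]

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
NOISE_RE = re.compile(r"(\.lock|-lock\.json|\.min\.js|\.map|\.svg)$")  # assumed skip list


def added_lines(changes):
    """Return [(path, new_line_no, text)] for every line the MR adds."""
    out = []
    for change in changes:
        path = change["new_path"]
        if change.get("deleted_file") or NOISE_RE.search(path):
            continue  # deleted and generated files are dropped to cut noise
        new_no = None  # unknown until the first hunk header is seen
        for line in change.get("diff", "").splitlines():
            m = HUNK_RE.match(line)
            if m:
                new_no = int(m.group(1))  # header resets the new-file line counter
            elif new_no is None:
                continue  # ignore anything before the first hunk
            elif line.startswith("+"):
                out.append((path, new_no, line[1:]))
                new_no += 1
            elif line.startswith(" "):
                new_no += 1  # context lines exist in the new file too
            # "-" lines and "\ No newline at end of file" do not advance new_no
    return out


def to_prompt_block(lines):
    """Render added lines as 'path:line: code' so findings can cite locations."""
    return "\n".join(f"{p}:{n}: {t}" for p, n, t in lines)
```

Removed lines are discarded here, so a merge request that deletes a validation or authorization check produces no input for review; keep the `-` lines if that case matters.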

Prompt engineering turned out to be another major challenge. If the prompts were too vague, the output became generic and unhelpful, while overly strict prompts caused the model to miss real vulnerabilities. Finding the right balance took multiple iterations.

I also had to deal with false positives. A security tool is only useful if developers trust it, so I worked to ensure the output had high signal, clear explanations, and practical fixes rather than overwhelming noise.

Formatting the Merge Request comments was another important piece, because raw AI output isn’t very developer-friendly. I structured the responses to be clean, readable, and actionable.

What I’m most proud of is that DuoGuard works as a fully automated AI security reviewer inside GitLab, requires zero manual intervention, produces clean and structured MR comments with suggested fixes, detects real vulnerabilities instead of just acting like a linter, and is simple to set up using CI/CD variables.

More than anything, DuoGuard feels like having a security engineer reviewing every Merge Request instantly.

This project taught me a lot about real-world DevOps workflows, GitLab CI pipelines, integrating AI into production-like systems, prompt engineering for precision, and designing tools that developers will actually use rather than ignore.

One key takeaway stood out clearly: AI is powerful, but its real value depends on how well it is integrated into actual workflows.

Looking ahead, DuoGuard can evolve much further. I’m planning deeper static analysis with better context awareness, dependency vulnerability scanning using CVE data, systems that learn from past Merge Request feedback, support for platforms like GitHub and Bitbucket, security scoring and dashboards, and integrations with tools like Slack or Teams for critical alerts.

The long-term vision is to turn DuoGuard into a continuous AI-powered security layer across the entire DevOps pipeline.

Built With

  • devops
  • gitlabci/cd
  • gitlabrestapi
  • groqapi
  • llama3.3-70b
  • python