Inspiration

Security vulnerabilities in code are often discovered too late in the development cycle, after code review or even in production. We wanted to create an AI-powered solution that catches security issues before they're merged, providing developers with immediate, actionable feedback. The GitLab Duo platform's agent capabilities gave us the perfect foundation to build an intelligent security auditor that understands context and reduces false positives.

What it does

VectorCod is an AI-powered security audit agent for GitLab that automatically scans merge requests for security vulnerabilities and policy violations. When triggered on an MR, it:

  • Scans all changed files against 9 security rules (hardcoded secrets, API keys, private keys, AWS credentials, disabled SSL, etc.) and 5 policy rules (debug statements, broad exception handling, untracked TODOs, etc.)
  • Performs contextual analysis using Claude AI to detect false positives and re-rank severity based on file context (test vs. production vs. config)
  • Posts a compliance checklist on every MR showing which security and policy checks passed or failed
  • Creates confidential tracking issues for critical/high findings, automatically linked to the MR and assigned to the author
  • Performs cross-file analysis checking for .env.example coverage, .gitignore configuration, and recommending centralized config patterns when secrets span multiple files
  • Provides detailed audit reports with severity-sorted findings and remediation guidance

How we built it

We built VectorCod as a GitLab Duo Flow with the following architecture:

  • Flow Definition (flows/audit-mr.yml) - Orchestrates the entire audit workflow, triggered when the agent is mentioned or assigned as a reviewer on an MR
  • Agent Component - Uses Anthropic Claude to analyze code changes against security and policy rules
  • Rule Engine - 14 configurable YAML-based rules (9 security + 5 policy) that define what patterns to detect
  • Tool Integration - Leverages GitLab API tools to fetch MR details, read diffs, analyze files, and create issues
  • Fixture Files - Intentionally vulnerable demo code (fixtures/) to showcase the agent's detection capabilities

The agent executes in this sequence:

  1. Fetch MR metadata and changed files
  2. Scan diffs against security/policy rules
  3. Perform cross-file checks (.env.example, .gitignore)
  4. Create confidential tracking issues for findings
  5. Post a structured compliance checklist to the MR
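
The scan, severity re-ranking and checklist steps above, as an added Python example that is not VectorCod's own code. The four rules, the path heuristic standing in for the AI context analysis, and the (path, hunk text) input shape are assumptions made for illustration.

```python
import re

# Hypothetical rules, constructed for this example: (id, base severity, pattern).
RULES = [
    ("aws-access-key-id", "critical", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", "critical", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("disabled-ssl", "high", re.compile(r"\bverify\s*=\s*False\b")),
    ("debug-statement", "low", re.compile(r"^\s*print\(")),
]
LEVELS = ["low", "medium", "high", "critical"]
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def file_context(path):
    """Path heuristic standing in for the AI-based context analysis."""
    parts = path.lower().split("/")
    is_test = parts[-1].startswith("test_") or bool({"test", "tests", "fixtures"} & set(parts))
    return "test" if is_test else "production"

def scan_file(path, hunks):
    """Scan only added lines; report new-file line numbers."""
    findings, lineno, ctx = [], 0, file_context(path)
    for line in hunks.splitlines():
        if (m := HUNK.match(line)):
            lineno = int(m.group(1))  # hunk header resets the new-file counter
        elif line.startswith("+"):
            for rule_id, sev, pattern in RULES:
                if pattern.search(line[1:]):
                    if ctx == "test":  # downgrade one level, never drop the finding
                        sev = LEVELS[max(LEVELS.index(sev) - 1, 0)]
                    findings.append((path, lineno, rule_id, sev))
            lineno += 1
        elif not line.startswith(("-", "\\")):
            lineno += 1  # context line: present in the new file
    return findings

def checklist(findings):
    """One pass/fail line per rule, in Markdown task-list form."""
    failed = {rule_id for _, _, rule_id, _ in findings}
    return [f"- [{' ' if r in failed else 'x'}] {r}" for r, _, _ in RULES]

def needs_issue(findings):
    """Findings severe enough for a tracking issue (critical/high)."""
    return [f for f in findings if f[3] in ("critical", "high")]
# Constructed sample: (path, hunk text) pairs for two changed files.
SAMPLE = [
    ("app/settings.py", '@@ -10,2 +10,3 @@\n import os\n+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
                        '-r = requests.get(url)\n+r = requests.get(url, verify=False)\n'),
    ("tests/test_client.py", '@@ -0,0 +1,2 @@\n+KEY = "AKIAIOSFODNN7EXAMPLE"\n+print(KEY)\n'),
]
FINDINGS = [f for path, hunks in SAMPLE for f in scan_file(path, hunks)]
```

The same key pattern is reported as critical in app/settings.py and as high in tests/test_client.py, and removed lines are never scanned, so a fix that deletes a secret does not re-trigger the rule.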

Challenges we ran into

  • Schema Validation - Getting the agent configuration to comply with GitLab's AI Catalog schema requirements, particularly around tool definitions and field formats
  • False Positive Detection - Distinguishing between actual vulnerabilities and legitimate code patterns (e.g., test fixtures, documentation, configuration examples)
  • Context-Aware Severity - Determining if a hardcoded secret in a test file is as critical as one in production code
  • Cross-File Analysis - Implementing intelligent checks that span multiple files (checking .env.example against found secrets, verifying .gitignore configuration)
  • Automated Issue Creation - Ensuring tracking issues are created with proper context, confidentiality, and assignment to the right team members

Accomplishments that we're proud of

  • Fully Functional Security Audit Agent - A production-ready agent that runs on every MR and provides immediate security feedback
  • Intelligent False Positive Detection - Uses Claude AI to understand code context and reduce noise
  • Comprehensive Rule Set - 14 rules covering the most common security and policy violations
  • Automated Remediation Tracking - Automatically creates confidential issues for critical findings, keeping security debt visible
  • Compliance Checklist - Provides a clear pass/fail checklist on every MR, making security status immediately visible
  • Cross-File Intelligence - Checks for proper .env.example and .gitignore configuration, recommending best practices
  • Full SDLC Integration - Issues are linked to MRs, assigned to authors, and labeled for tracking

What we learned

  • GitLab Duo Flows are powerful - The combination of flows, agents, and tools creates a seamless way to automate complex security workflows
  • Context matters in security - The same code pattern has different risk levels depending on whether it's in a test file, config file, or production code
  • Developers want actionable feedback - Rather than just flagging issues, providing specific line numbers, code snippets, and remediation steps makes a huge difference
  • Automation reduces friction - Automatically creating tracking issues means security findings don't get lost in the noise of code review
  • Schema compliance is critical - Getting the agent configuration right requires careful attention to GitLab's AI Catalog schema requirements

What's next for Gitlab security and audit agent

  • Expand Rule Coverage - Add rules for OWASP Top 10 vulnerabilities, dependency scanning, and container security
  • Machine Learning Integration - Train models on real vulnerability patterns to improve detection accuracy
  • Remediation Suggestions - Provide AI-generated code fixes for common issues (e.g., "Replace hardcoded password with os.getenv('DB_PASSWORD')")
  • Custom Rule Builder - Allow teams to define their own security and compliance rules via UI
  • Integration with GitLab Security Dashboard - Surface VectorCod findings in the project's security dashboard alongside SAST/DAST results
  • Performance Optimization - Cache rule evaluations and optimize for large MRs with thousands of changed lines
  • Team Collaboration - Add approval workflows where security leads can review and approve findings before they're tracked as issues
  • Compliance Reporting - Generate compliance reports (SOC 2, ISO 27001, etc.) based on audit findings across all MRs

Built With

  • anthropic-claude
  • gitlab-agents
  • gitlab-ci/cd
  • gitlab-duo
  • gitlab-flows
  • gitlab-rest-api
  • gitlab.com
  • pattern-matching
  • python
  • yaml