Gitlab Security-Sentinel – On-Demand AI Security Review

Every development team struggles with inconsistent security reviews, static scanner noise and vulnerabilities slip into production because of late reviews. Gitlab Security-Sentinel changes that.

Comment

GitLab Security-Sentinel — On-Demand AI Security Review

Inspiration

Modern development moves fast — but security reviews often don’t. Teams rely on static scanners that generate excessive noise, or they depend on security engineers who become bottlenecks in the release cycle. Developers frequently merge code without fully understanding the security implications of small changes.

We were inspired by a simple question: What if security review could be triggered instantly, directly inside the merge request, only when needed — and focused only on what changed?

Instead of replacing existing security tooling, we wanted to enhance the developer workflow with contextual, actionable, and on-demand security intelligence.

That’s how GitLab Security-Sentinel was born.

What it does

GitLab Security-Sentinel is an AI-powered security agent that activates when mentioned inside a merge request (e.g., @security-sentinel).

Once triggered, it:

  • Fetches only the modified lines of code
  • Scans for exposed secrets (API keys, tokens, credentials)
  • Detects common OWASP Top 10 vulnerabilities (SQL injection, XSS, insecure crypto, etc.)
  • Identifies unsafe coding patterns (eval, weak hashing, string-concatenated queries)
  • Classifies findings by severity (Low, Medium, High, Critical)
  • Posts a structured, developer-friendly security summary directly into the MR

The result is immediate, contextual security feedback exactly where developers already work — without switching tools or waiting for pipeline results.
It is advisory by design, reducing friction while increasing awareness.

How we built it

We designed GitLab Sentinel as a lightweight, event-driven architecture integrated directly with GitLab.

Core components:

  • Webhook Listener
    Listens for merge request comment events
    Triggers only when @security-sentinel is mentioned

  • Diff Fetcher
    Retrieves only changed files via GitLab API
    Filters out vendor and irrelevant directories
    Minimizes false positives by focusing on new code

  • Security Analysis Engine

    • Rule-based secret detection (regex + entropy)
    • OWASP vulnerability pattern checks
    • Weak crypto and dangerous function detection
    • Optional LLM layer for contextual explanation and remediation guidance

  • Risk Aggregator
    Assigns deterministic severity scores
    Calculates overall MR risk classification

  • MR Comment Generator
    Posts a structured security report directly back into the merge request

We deliberately combined deterministic scanning with AI-driven explanation to reduce hallucination risk while improving clarity.
The system is stateless, lightweight, and designed for easy extensibility.

Challenges we ran into

1. Balancing AI and Determinism

Pure AI scanning risks hallucinations. Pure rule-based scanning lacks context.
We had to carefully design a hybrid model where detection is deterministic and AI enhances explanation.

2. Reducing False Positives

Security tools often lose trust due to noise. By restricting analysis to only modified lines, we significantly improved signal-to-noise ratio.

3. Merge Request Context Handling

Extracting diffs accurately and mapping findings to correct line numbers required careful parsing.

4. Scope Control

It was tempting to build a full SAST platform. We intentionally limited scope to make it reliable, fast, and hackathon-feasible.

Accomplishments that we're proud of

  • Seamless GitLab-native integration
  • Diff-aware security analysis
  • Clear severity-based reporting
  • Structured, actionable output instead of vague warnings
  • Hybrid architecture that minimizes hallucination risk
  • Developer-triggered workflow that reduces alert fatigue

Most importantly, we delivered a working end-to-end system that:
Trigger → Analyze → Classify → Report
All inside the merge request.

What we learned

  • Security must meet developers where they work.
  • Tool switching kills adoption.
  • Noise is the enemy of trust.
  • Focusing on changed code dramatically improves relevance.
  • AI works best when constrained.
  • Deterministic scanning plus AI explanation creates reliable results.
  • Advisory-first design reduces resistance.
  • Blocking merges is powerful — but trust must be built first.
  • Workflow integration matters more than raw capability.
  • A modest but well-integrated tool outperforms complex disconnected systems.

What's next for GitLab Security-Sentinel

The roadmap includes:

Enhanced Detection:

  • AST-based parsing for deeper semantic analysis
  • Expanded language support
  • Organization-specific policy enforcement

Enterprise Features:

  • Merge-blocking risk thresholds
  • Compliance mapping (SOC2, ISO, HIPAA)
  • Audit logging and reporting
  • Security metrics dashboard per repository

Built With

  • bandit
  • detect-secrets)
  • gitlab-ai-catalog
  • gitlab-ci/cd
  • python
  • rest-apis
  • safety
  • sqlite
  • yaml
Share this project:

Updates