Inspiration

AI-assisted coding tools let developers write and ship code at a blistering pace. That velocity often leaves critical security vulnerabilities behind: hardcoded secrets, SQL injection, reflected XSS, and weak authentication configurations. Traditional security scanners alert developers and stop there, leaving a bottleneck between detection and fix. We built GitPulse to bridge this gap: an agent-native security platform that not only scans your code but exposes structured, machine-readable remediation plans over the Model Context Protocol (MCP), so your local AI coding agent can apply the fixes and verify them.

What it does

GitPulse functions as an automated security auditor and remediation pipeline for GitLab repositories:

  1. Repository Auditing: Runs deterministic scans to identify hardcoded secrets, SQL injection, SSRF, XSS, authentication flaws, and dependency lockfile risks.
  2. AI-Assisted Scan Review: Uses Google Gemini to triage the scanner's findings, plan follow-up scans, and explain the impact of each vulnerability in plain language.
  3. Model Context Protocol (MCP) Integration: Prepares structured, agent-ready fix plans with validation instructions for each step.
  4. Automated Remediation Pipelines: Creates a Git branch, commits the security patches, runs verification checks, and opens a Merge Request (MR) that carries the diff and the verification output as evidence.
  5. No-Auth Demo Walkthrough: Includes an interactive demo mode built on pre-configured vulnerable fixtures, so judges can exercise the full audit-to-fix pipeline without any setup.
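The core of steps 1 and 3 is a scanner whose output is deterministic and a fix plan an agent can execute without free-form interpretation. The following is an added illustration of that shape and is not GitPulse's own code: the rule table, the CWE/OWASP mappings, the sample source file and the plan format are assumptions made for this example.

```javascript
// Added example (not GitPulse's own code): a deterministic, rule-based scanner
// whose findings carry fixed CWE/OWASP identifiers, and the agent-ready fix
// plan derived from them. Rule names, the sample source and the plan shape are
// assumptions for this illustration.

// Every rule is a regex plus a fixed mapping and remediation template. Keeping
// this table static is what makes the output deterministic: a model may
// explain a finding, but it cannot invent one.
const RULES = [
  {
    id: 'hardcoded-secret',
    cwe: 'CWE-798',
    owasp: 'A07:2021', // Identification and Authentication Failures
    pattern: /\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*['"][^'"]{8,}['"]/i,
    fix: 'Move the value to an environment variable or secret manager, then rotate it.',
    verify: 'Re-run the scanner; grep the repository for the old literal; confirm the old credential is revoked.',
  },
  {
    id: 'sql-string-concat',
    cwe: 'CWE-89',
    owasp: 'A03:2021', // Injection
    pattern: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;]*?(?:\+\s*\w+|\$\{)/i,
    fix: 'Use a parameterised query with driver-bound placeholders instead of string concatenation.',
    verify: 'Re-run the scanner; run the existing tests; add a test that passes a quote character as input.',
  },
];

// Scan source text line by line. Each finding records where it was found and
// which fixed rule produced it; no free text enters the finding.
function scan(file, source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({
          file,
          line: i + 1,
          ruleId: rule.id,
          cwe: rule.cwe,
          owasp: rule.owasp,
          snippet: text.trim(),
        });
      }
    }
  });
  return findings;
}

// Turn findings into a machine-readable plan an editor agent can execute:
// one ordered step per finding, each with the change to make and the check
// that proves it worked. An MCP tool would return this object as JSON text.
function buildFixPlan(findings) {
  const byId = Object.fromEntries(RULES.map((r) => [r.id, r]));
  return {
    version: 1,
    steps: findings.map((f, n) => ({
      order: n + 1,
      target: `${f.file}:${f.line}`,
      cwe: f.cwe,
      owasp: f.owasp,
      change: byId[f.ruleId].fix,
      verify: byId[f.ruleId].verify,
    })),
  };
}

// Constructed sample file for the demo (not taken from any real repository).
// Lines 1 and 3 are the vulnerable forms; lines 2 and 4 are their safe
// counterparts and must not be flagged.
const SAMPLE = [
  'const apiKey = "sk_live_0123456789abcdef";',
  'const safe = process.env.API_KEY;',
  'db.query("SELECT * FROM users WHERE id = " + userId);',
  "db.query('SELECT * FROM users WHERE id = $1', [userId]);",
].join('\n');

const findings = scan('src/db.js', SAMPLE);
const plan = buildFixPlan(findings);
console.log(JSON.stringify(plan, null, 2));
```

Running it reports two findings (the secret on line 1 and the concatenated query on line 3) and a two-step plan; the parameterised query and the environment lookup are left alone. The `verify` field is the part an agent needs most: it is what turns "I applied a patch" into "the patch is proven to have removed the finding".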

How we built it

  • Frontend UI: Built with vanilla HTML5, CSS3, and JavaScript, designed to be highly responsive, lightweight, and framework-independent.
  • Backend API: An Express.js application running on Google Cloud Run.
  • AI Agent Intelligence: Deployed Google Gemini models to synthesize review findings, draft remediation steps, and structure the scan results.
  • Git Integration: Implemented OAuth-based GitLab API integrations to authenticate users, scan the repositories they have authorised, and push branches, commits, and MRs on their behalf.
  • Hosting: Deployed to Firebase Hosting and Google Cloud Run for low-cost, high-performance hosting.

Challenges we ran into

  • Restricting AI Hallucinations in Security: Letting an LLM review security findings carries a high risk of false positives and invented remediation steps. We reduced this risk by feeding Gemini only the deterministic scanner's findings and mapping every finding to a fixed CWE/OWASP identifier, so the model explains and sequences the fixes it was given rather than inventing findings of its own.
  • Secure OAuth Workflows: Handling user OAuth tokens safely was a concern. We structured our Express API so that GitLab credentials stay server-side and the frontend client only ever receives session state, never the token itself.

Accomplishments that we're proud of

  • Fully Automated End-to-End Remediation: Creating a working bridge between repository scanners and merge request generation with live, testable CI logs.
  • SaaS Readiness Architecture: Outlining a comprehensive transition plan including remote MCP servers, scheduled scans, and GitHub support.
  • Clean and Fast Demo Mode: Allowing evaluators to run a full GitLab vulnerability-scan-and-fix pipeline in under 10 seconds without setting up any credentials.

What we learned

  • MCP is the future of developer tooling: Copy-pasting security logs into ChatGPT is tedious. Exposing structured endpoints over the Model Context Protocol lets the developer's local editor agent (such as Cursor or Claude Code) ingest the context and write patches programmatically.
  • Defense-in-depth is crucial for AI coding: With AI writing code faster than ever, automated gatekeeping and audit trails at the repository level are essential to prevent vulnerabilities from reaching production.

What's next for GitPulse

  • GitHub App Support: Expand repository integrations to support GitHub Apps, PR checks, and native code scanning imports.
  • Remote Hosted MCP Server: Launch a hosted MCP server enabling any local agent (Cursor, Claude Code, Antigravity) to query active repository vulnerabilities and patch them locally with one command.
  • Durable Scan Histories & Scheduling: Add scheduled scans, deploy webhooks, baseline diffing, and Slack/email notifications for ongoing project health.

Built With

  • css3
  • express.js
  • firebase-hosting
  • git
  • gitlab-api
  • gitlab-oauth
  • google-cloud-run
  • google-gemini-api
  • html5
  • javascript-(es6)
  • model-context-protocol
  • node.js
  • vertex-ai