Inspiration

Security reviews are the biggest bottleneck in modern DevOps. Developers wait hours or days for security teams to review MRs, and vulnerabilities slip through when teams are under pressure. We built GuardianAI to make security instant, automated, and developer-friendly.

What it does

GuardianAI is a full-stack DevSecOps automation tool built on the GitLab Duo Agent Platform:

  • Agent (Duo Chat): A security advisor with 48 tools and 6 playbooks — scans code, creates issues, auto-fixes vulnerabilities, and posts reports conversationally.
  • Flow (MR trigger): A 7-step automated pipeline — gathers MR context, snapshots vulnerabilities, deep-scans for OWASP Top 10 patterns, triages findings, generates auto-fix commits, handles errors, and posts a security report.

How we built it

  1. Designed a 7-step flow using AgentComponent with structured output contracts between steps
  2. Built a custom agent with 6 playbooks covering scanning, triage, auto-fix, compliance, CI/CD health, and MR review
  3. Created a sample vulnerable app (auth.py, app.py) with intentional OWASP Top 10 vulnerabilities as a demo target
  4. Configured CI/CD with SAST, DAST, Secret Detection, and Dependency Scanning
  5. Iterated on flow design — moved from DeterministicStepComponent to AgentComponent for reliability, added error recovery, and hardcoded project paths for tool scoping

Demo Results

  • Found 16 vulnerabilities across 8 OWASP categories
  • Created 7 tracking issues with remediation code and CWE references
  • Auto-fixed all 16 vulnerabilities in one commit
  • Created a fix merge request automatically
  • Flow completed with 215 tool calls in 20 minutes

Challenges

  • Flow sessions failed initially due to platform token scope limitations — solved by switching Step 1 from DeterministicStepComponent to AgentComponent
  • Tools require explicit project paths — solved by hardcoding project context in every prompt
  • Schema validation required careful YAML structure — iterated through multiple versions

What we learned

  • The GitLab Duo Agent Platform is powerful for multi-step automation
  • Structured output contracts between flow steps are critical for reliability
  • Error recovery should be a first-class step, not an afterthought
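
The two lessons above (structured output contracts between steps, and error recovery as its own step) can be sketched as a gate between the deep-scan step and the triage step. This is an added example, not GuardianAI's code: the field names, the severity set, the step names "triage" and "error_recovery", and the sample outputs are all assumptions.

```python
import json
import re

# Assumed contract for the scan step's output (hypothetical field names).
SEVERITIES = {"critical", "high", "medium", "low", "info"}
CWE_RE = re.compile(r"^CWE-\d+$")
REQUIRED = {"file": str, "line": int, "cwe": str, "severity": str, "summary": str}


def check_finding(item, i):
    """Return the contract violations for one finding (empty list = valid)."""
    if not isinstance(item, dict):
        return [f"findings[{i}]: not an object"]
    # bool is a subclass of int, so reject it explicitly (guards 'line').
    errors = [f"findings[{i}].{k}: missing or not {t.__name__}"
              for k, t in REQUIRED.items()
              if not isinstance(item.get(k), t) or isinstance(item.get(k), bool)]
    if errors:
        return errors
    if item["severity"] not in SEVERITIES:
        errors.append(f"findings[{i}].severity: unknown value")
    if not CWE_RE.match(item["cwe"]):
        errors.append(f"findings[{i}].cwe: expected CWE-<number>")
    if item["line"] < 1:
        errors.append(f"findings[{i}].line: must be >= 1")
    # Model output is untrusted: keep paths relative and inside the project.
    if item["file"].startswith("/") or ".." in item["file"].split("/"):
        errors.append(f"findings[{i}].file: path escapes the project")
    return errors


def route_scan_output(raw):
    """Validate the scan step's raw text and return (next_step, payload)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return "error_recovery", [f"not JSON: {exc.msg}"]
    findings = doc.get("findings") if isinstance(doc, dict) else None
    if not isinstance(findings, list):
        return "error_recovery", ["expected an object with a 'findings' list"]
    errors = [e for i, f in enumerate(findings) for e in check_finding(f, i)]
    return ("error_recovery", errors) if errors else ("triage", findings)


# Constructed sample outputs, not taken from a real GuardianAI run.
GOOD = ('{"findings": [{"file": "auth.py", "line": 12, "cwe": "CWE-89", '
        '"severity": "high", "summary": "SQL built by string concatenation"}]}')
BAD = ('{"findings": [{"file": "../other/app.py", "line": 0, "cwe": "sqli", '
       '"severity": "urgent", "summary": "x"}]}')
```

Rejecting the whole batch on any violation keeps a malformed or out-of-scope finding from reaching the auto-fix step, and the error list gives the recovery step something concrete to retry against.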

Built With

  • claude
  • gitlab-duo-agent-platform
  • python
  • yaml