Inspiration

Modern teams ship fast—but merge-time decisions remain a bottleneck:

  • Security issues caught too late
  • Compliance checks scattered across tools
  • Weak visibility into test readiness
  • No awareness of CI sustainability impact

We built GuardianFlow to transform this into a fully automated, event-driven workflow inside GitLab—where decisions happen during the merge request, not after.

What it does

GuardianFlow is a custom GitLab Duo flow orchestrating 8 specialized AI agents that automate the entire merge request lifecycle:

🧠 Core Flow

  1. Scanner → analyzes MR diff → produces risk_score + findings
  2. Remediation → generates patch plan + confidence
  3. Compliance → validates policies + produces audit evidence
  4. Verification → assesses test readiness + execution status
  5. Green Insights → estimates runtime, energy, CO₂ + optimizations
  6. Deploy Guard → takes action:
    • Adds MR notes
    • Applies labels (risk::*, green-score::*, gate::*)
    • Creates blocking issues
  7. Security Advisor → deep analysis for high-risk cases
  8. Judge Showrunner → generates executive summary:
    • What happened
    • What changed
    • What should happen next

👉 Key Differentiator:
This is NOT a chatbot. GuardianFlow takes real actions inside GitLab workflows.

How we built it

  • 🔁 8 custom agents + 1 orchestrated flow (guardianflow-mr-guard.yml)
  • 🔗 Structured JSON contracts: context:{component}.final_answer
  • ⚙️ Configurable policies via .guardianflow.yml
  • 🧪 GitLab CI validation:
    • yamllint
    • validate_duo_config.py
  • 📦 Deployment bundle:
    • guardianflow-duo-bundle.tgz
  • 📚 Full documentation:

Challenges we ran into

  • Maintaining strict JSON contracts across 8 agents
  • Designing deterministic gating with flexible fallbacks
  • Enforcing least-privilege agent access
  • Handling tooling/schema inconsistencies
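
To make the first two challenges concrete, here is an added example (not GuardianFlow's own code) of a strict contract check on the Scanner's final_answer followed by a deterministic gate that fails closed. Only risk_score, findings and the risk::/gate:: label prefixes come from this page; the 0..100 score range, the thresholds and the label values are assumptions.

```python
import json

BLOCK_AT = 70  # assumed threshold, not a GuardianFlow default
WARN_AT = 40   # assumed threshold, not a GuardianFlow default


def parse_scanner_answer(raw):
    """Return (risk_score, findings); raise ValueError on any contract breach."""
    try:
        doc = json.loads(raw)
    except (TypeError, json.JSONDecodeError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(doc, dict):
        raise ValueError("top level must be an object")
    extra = set(doc) - {"risk_score", "findings"}
    if extra:
        raise ValueError(f"unexpected keys: {sorted(extra)}")
    score = doc.get("risk_score")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError("risk_score must be a number")
    if not 0 <= score <= 100:  # also rejects NaN, which json.loads accepts
        raise ValueError("risk_score outside 0..100")
    findings = doc.get("findings")
    if not isinstance(findings, list) or not all(isinstance(f, dict) for f in findings):
        raise ValueError("findings must be a list of objects")
    return score, findings


def gate(raw):
    """Map Scanner output to MR labels; the same input always gives the same gate."""
    try:
        score, findings = parse_scanner_answer(raw)
    except ValueError as exc:
        # Fallback: malformed agent output blocks the merge instead of passing it.
        return {"labels": ["gate::blocked"], "reason": f"contract violation: {exc}"}
    reason = f"risk_score={score}, {len(findings)} finding(s)"
    if score >= BLOCK_AT:
        return {"labels": ["risk::high", "gate::blocked"], "reason": reason}
    if score >= WARN_AT:
        return {"labels": ["risk::medium", "gate::review"], "reason": reason}
    return {"labels": ["risk::low", "gate::pass"], "reason": reason}


if __name__ == "__main__":
    # Constructed sample outputs, including an agent that wrapped its JSON in prose.
    for sample in ('{"risk_score": 82, "findings": [{"id": "F1"}]}',
                   '{"risk_score": 10, "findings": []}',
                   'Sure! {"risk_score": 5, "findings": []}'):
        print(gate(sample))
```

Because the gate reads only validated fields and treats every parse failure as a block, an agent that drifts from the contract cannot downgrade a merge request's risk label.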

Accomplishments that we're proud of

  • Action-first AI → not suggestions, but execution
  • ✅ Full end-to-end SDLC automation in one flow
  • ✅ Built-in Green Agent (sustainability scoring)
  • ✅ Dedicated Judge Showrunner (perfect for demos & stakeholders)
  • ✅ Production-ready repository (CI, templates, governance)

What we learned

  • Multi-agent systems require strict contracts, not just prompts
  • Observability via GitLab Sessions is critical
  • Sustainability must be part of deployment decisions, not separate reports

What's next for GuardianFlow

  • 📊 External metrics integrations (real CI baselines)
  • 🧩 Environment-aware policies (dev / stage / prod)
  • 🔁 Extended workflows (post-merge automation)

Built With

  • anthropic
  • ci
  • gitlab
  • gitlab-duo-agent-platform
  • markdown
  • merge-request
  • python
  • yaml