Issue2Secure AI

• 

  A plain-text feature request. No code, no implementation — just a description of what needs to be built.

• 

  One mention is all it takes. The Feature to Deploy Orchestrator picks it up and starts working immediately.

• 

  The Planner Agent reads the issue, analyzes the codebase, and generates a structured implementation plan.

• 

  Complete production-ready code for every required file, posted automatically as a comment.

• 

  Code is ready. Now the Security Scanner takes over — triggered with a single mention in the same issue.

• 

  No critical vulnerabilities found. The code passed all security checks. Verdict: APPROVED.

• 

  Scan complete. From a plain-text issue to secure, reviewed code — fully automated, no manual steps.

Inspiration

Every developer knows the cycle: write a ticket, context-switch to implement it, forget to check for security issues, open a PR, get flagged in review, fix, repeat. The gap between "I have an idea" and "this is ready to merge securely" is filled with manual, repetitive work that slows every team down.

We wanted to close that gap entirely. Not with a chatbot that answers questions, but with agents that actually do the work.

What it does

Issue2Secure AI is a two-flow multi-agent system built on the GitLab Duo Agent Platform:

Flow 1 — Feature to Deploy Orchestrator

• A developer mentions the flow in a GitLab issue
• The Planner Agent reads the issue, analyzes the existing codebase, and posts a structured implementation plan as a comment
• The Code Generator Agent reads the plan and generates complete, production-ready code for every required file
• A Merge Request is created automatically, linked to the original issue

Flow 2 — Security Scanner

• Triggered in the same issue after code generation
• Reads all generated code from issue comments
• Audits for critical vulnerabilities: SQL injection, hardcoded secrets, missing authentication, race conditions, memory exhaustion, IP spoofing, insecure JWT configuration, and more
• Posts a detailed security report with severity levels (Critical, High, Medium, Low), affected files, line references, and concrete remediation steps
• Automatically blocks or approves the MR based on findings

The result: from a plain-text issue to a security-reviewed MR in minutes, with zero manual steps.

How we built it

The system is built entirely on the GitLab Duo Agent Platform using custom flows and agents defined in YAML configuration files.

Each flow is composed of AgentComponents with specialized system prompts and tool access:

• Planner Agent uses get_issue, find_files, and read_file to understand context before planning
• Code Generator Agent uses list_issue_notes to read the plan and create_merge_request to open the MR
• Security Scanner Agent uses list_issue_notes to read generated code and update_merge_request to block or approve

Claude powers the reasoning behind every agent decision through GitLab's AI infrastructure, enabling the agents to understand requirements, generate idiomatic code, and identify real security vulnerabilities with actionable fixes.

Challenges we ran into

Schema discovery — The GitLab Duo Agent Platform is new and the YAML schema for flows is strict. Small mistakes like using string format for inputs instead of from/as objects pass validation but cause silent WebSocket failures at runtime. We had to debug this through trial and error and community help in the hackathon Discord.

Agent loops — When an agent cannot complete a task with its available tools, it enters a read loop instead of failing gracefully. We learned to keep each agent's toolset minimal and focused to prevent this behavior.

Tool limitations — The create_file_with_contents tool does not reliably commit files in the current platform version. We adapted by having the Code Generator post complete code as structured issue comments, keeping the workflow functional and auditable.

Multi-agent coordination — Passing context between agents in a flow requires careful prompt engineering. Each agent must know how to find the output of the previous one using only the tools available.

Accomplishments that we're proud of

• Two fully functional public flows in the GitLab AI Catalog
• A Security Scanner that detects real vulnerabilities with specific file references, line numbers, and production-ready fix suggestions
• End-to-end workflow from issue to MR with zero manual intervention
• Automatic MR blocking when Critical or High severity vulnerabilities are found
• The system identified real security issues in its own generated code — IP spoofing, memory exhaustion, missing authentication, hardcoded credentials — and blocked the MR correctly every time

What we learned

• The GitLab Duo Agent Platform rewards simplicity — focused agents with minimal toolsets outperform complex ones
• Prompt engineering for agentic systems is fundamentally different from chat prompts — agents need explicit step-by-step instructions and must be told exactly what to do when they cannot complete a step
• Real security vulnerabilities appear naturally in AI-generated code, making automated security scanning not just useful but necessary in an AI-assisted development workflow
• Multi-agent coordination via shared issue comments is a practical and auditable pattern for passing context between specialized agents

What's next for Issue2Secure AI

• Auto-fix agent — a third flow that reads the security report and generates fixed versions of vulnerable files
• Test Writer agent — generates unit and integration tests for every file in the implementation plan
• CI/CD integration — trigger flows automatically from GitLab CI pipelines without manual mentions
• Slack/Teams notifications — notify the team when the security scan completes with a summary
• Multi-language support — extend beyond Python to TypeScript, Go, and Java codebases

Built With

• claude
• fastapi
• gitlab-duo-agent-platform
• postgresql
• python
• sqlalchemy
• yaml