About the Project: LabScan AI Security Scanner
The Inspiration: Closing the Gap Between Security and Speed
As a developer, I think we've all been there: you're ready to merge a feature, only to have a traditional security scanner block your pipeline with a long, confusing report full of false positives. The process felt slow, created friction, and treated security as a gatekeeper instead of a partner.
I was inspired by a simple question: What if I could make security feedback as instant, intelligent, and helpful as a senior developer's code review?
My vision was to build a tool that not just found problems but actively helped solve them, delivering insights directly into my workflow without ever asking me to leave GitLab. I wanted to leverage the power of Google Cloud's advanced AI to create a true security partner, not just another noisy scanner.
How I Built It: A Cloud-Native, AI-Powered DevSecOps Workflow
I designed LabScan as a complete, end-to-end platform built on the incredible synergy between GitLab and Google Cloud.
1. The Brain: Google Cloud Vertex AI
The scanner's core is Google's Vertex AI, specifically the code-bison model. Instead of relying on rigid regex, I engineered sophisticated prompts to ask the AI to perform contextual analysis. This "hybrid" approach allowed me to:
- Use AI to understand code intent and reduce false positives.
- Ask a second, targeted AI prompt to generate a secure code fix for each validated vulnerability.
2. The Engine: A Production-Ready Python & FastAPI Service
I built a robust backend service using Python and FastAPI. It's not just a script; it's a scalable, secure API featuring:
- Pydantic models for strict data validation.
- API key authentication and rate limiting.
- Asynchronous task support for handling long-running scans without blocking.
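As an added illustration of the API-key and rate-limiting layer listed above (not LabScan's own code, which is not published on this page), here is the logic such a dependency needs, written framework-agnostically so it runs without FastAPI. Keys are stored as SHA-256 digests and compared with a constant-time function; the limiter is a per-client sliding window. The key value, limit and window are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import deque
from typing import Optional

# Constructed sample: store digests of keys, not keys, so a leaked config
# does not hand out working credentials. (Assumption; LabScan's storage may differ.)
VALID_KEY_DIGESTS = {hashlib.sha256(b"team-a-secret-key").hexdigest()}


def key_is_valid(presented: str) -> bool:
    """Compare the presented key's digest against every stored digest using
    hmac.compare_digest, so response time does not depend on how many
    leading bytes matched."""
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return any(hmac.compare_digest(digest, stored) for stored in VALID_KEY_DIGESTS)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: dict[str, deque] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(client, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


limiter = SlidingWindowLimiter(limit=5, window=60.0)


def authorise(api_key: Optional[str], client_id: str) -> tuple:
    """Decide the way an HTTP dependency would: (401, reason) for a missing or
    invalid key, (429, reason) when the caller is over quota, (200, 'ok') otherwise.
    Authentication is checked before the limiter so unauthenticated traffic
    cannot burn a legitimate client's quota."""
    if not api_key or not key_is_valid(api_key):
        return 401, "invalid or missing API key"
    if not limiter.allow(client_id):
        return 429, "rate limit exceeded"
    return 200, "ok"


if __name__ == "__main__":
    print(authorise("team-a-secret-key", "team-a"))  # (200, 'ok')
    print(authorise("guess", "team-a"))              # (401, ...)
```

In FastAPI this would be wired as a dependency that reads the key from a header (for example via `fastapi.security.APIKeyHeader`) and raises `HTTPException` with the status `authorise` returns; the `clock` parameter exists so the window logic can be tested without sleeping.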
3. The Home: Google Cloud Run & Docker
The entire application is containerized with Docker and deployed as a serverless application on Google Cloud Run. This gives it incredible scalability, cost-efficiency (scaling to zero when not in use), and a secure, isolated environment for the service.
4. The Integration: Deeply Native to GitLab
This is where I believe LabScan truly shines. I went beyond a simple webhook.
- GitLab CI/CD Catalog: I packaged the entire scanner into a highly-configurable, reusable CI/CD Catalog component. This is the most modern and powerful way to distribute CI/CD logic on GitLab.
- GitLab API: I used the API to provide a seamless developer experience:
  - Inline MR Comments: Vulnerabilities are posted as comments on the exact line of code that is problematic.
  - AI-Powered Suggestions: The AI-generated code fixes are formatted using GitLab's native `suggestion` Markdown, creating a one-click "Apply suggestion" button.
  - Native SAST Reports: The tool generates reports in the official GitLab SAST format, automatically populating the project's Security Dashboard and Merge Request security widget.
Challenges I Faced
AI Reliability and "Prompt Whispering": Getting a consistent, machine-readable JSON output from an LLM was challenging. I overcame this by engineering highly specific prompts with examples and building a resilient parsing layer that falls back gracefully to pattern-matching if the AI response is malformed.
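The resilient parsing layer described above, as an added example rather than LabScan's own implementation: it first looks for a fenced JSON block in the model response, then for the outermost bracketed span, validates the fields it needs, and only if strict parsing fails scrapes `"file"`, `"line"`, `"severity"` and `"name"` pairs out of the raw text. The two model responses below are constructed, as is the assumed `findings` field layout.

```python
import json
import re
from typing import Any, Optional

FENCE = "`" * 3  # a literal triple backtick, built this way to keep the listing readable

# Constructed sample responses (not real model output).
WELL_FORMED = (
    "Here is the analysis:\n" + FENCE + "json\n"
    '{"findings": [{"file": "app.py", "line": 12, "severity": "High", "name": "SQL Injection"}]}\n'
    + FENCE
)
# Truncated mid-object, as happens when the model hits its output limit.
MALFORMED = (
    'Sure! [{"file": "app.py", "line": 12, "severity": "High", "name": "SQL Injection"}, '
    '{"file": "util.py", "line": 3, "severity": "Low",'
)

REQUIRED_KEYS = {"file", "line", "severity", "name"}
SEVERITIES = {"Critical", "High", "Medium", "Low", "Info"}

_FENCED = re.compile("`{3}(?:json)?\\s*(.*?)`{3}", re.DOTALL)
_PAIR = re.compile(r'"(file|line|severity|name)"\s*:\s*(?:"([^"]*)"|(\d+))')


def _candidate_json(text: str) -> Optional[str]:
    """Most likely JSON payload: a fenced block if present, otherwise the span
    from the first '{' or '[' to the last '}' or ']'."""
    m = _FENCED.search(text)
    if m:
        return m.group(1).strip()
    starts = [i for i in (text.find("{"), text.find("[")) if i != -1]
    end = max(text.rfind("}"), text.rfind("]"))
    if not starts or end == -1 or end < min(starts):
        return None
    return text[min(starts):end + 1]


def _clean(file: Any, line: Any, severity: Any, name: Any) -> Optional[dict]:
    """Coerce one raw entry into the canonical shape, or None if unusable."""
    try:
        line_no = int(line)
    except (TypeError, ValueError):
        return None
    sev = str(severity).title()
    return {"file": str(file), "line": line_no,
            "severity": sev if sev in SEVERITIES else "Unknown", "name": str(name)}


def _from_json(obj: Any) -> list:
    items = obj.get("findings", []) if isinstance(obj, dict) else obj
    out = []
    for item in items if isinstance(items, list) else []:
        if isinstance(item, dict) and REQUIRED_KEYS <= item.keys():
            cleaned = _clean(item["file"], item["line"], item["severity"], item["name"])
            if cleaned:
                out.append(cleaned)
    return out


def _from_regex(text: str) -> list:
    """Fallback: treat every '{' as the start of an object and collect the
    four known fields in any order; incomplete objects are dropped."""
    out = []
    for chunk in text.split("{")[1:]:
        fields = {k: (s or n) for k, s, n in _PAIR.findall(chunk)}
        if REQUIRED_KEYS <= fields.keys():
            cleaned = _clean(fields["file"], fields["line"], fields["severity"], fields["name"])
            if cleaned:
                out.append(cleaned)
    return out


def parse_findings(text: str) -> tuple:
    """Return (findings, mode); mode is 'json' when strict parsing succeeded
    and 'regex' when the pattern-matching fallback was used."""
    payload = _candidate_json(text)
    if payload is not None:
        try:
            return _from_json(json.loads(payload)), "json"
        except json.JSONDecodeError:
            pass
    return _from_regex(text), "regex"


if __name__ == "__main__":
    print(parse_findings(WELL_FORMED))
    print(parse_findings(MALFORMED))
```

Returning the mode alongside the findings is deliberate: a rising share of `regex` parses is the signal that a prompt or model change has degraded output quality, and it is worth logging as a metric.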
The Perfect GitLab Integration: Posting a single summary comment was easy. The real challenge was providing inline feedback. I had to dive deep into the GitLab API documentation to master the "Discussions" and "Positions" endpoints, which are required to create line-specific comments and suggestions on a merge request's diff.
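As an added example covering the inline comments, `suggestion` Markdown and SAST report mentioned in the integration section above and the Discussions/Positions work described here (my code, not LabScan's), the following builds the three artefacts offline: a GitLab SAST report, an MR comment body with a one-click suggestion, and the request body for `POST /projects/:id/merge_requests/:iid/discussions` with a diff position. The finding, SHAs and scanner metadata are constructed; field names follow GitLab's published SAST schema and discussions API as I know them, so validate the report against the schema version you target.

```python
import uuid
from datetime import datetime, timezone

FENCE = "`" * 3  # literal triple backtick

SEVERITIES = {"Critical", "High", "Medium", "Low", "Info", "Unknown"}

# Constructed finding in the shape a scanner's parser might emit (assumed).
FINDING = {"file": "app/db.py", "line": 12, "severity": "High",
           "name": "SQL Injection",
           "description": "User input is interpolated into a SQL string.",
           "cwe": "CWE-89"}


def sast_vulnerability(f: dict, scanner: dict) -> dict:
    """One element of the report's `vulnerabilities` array."""
    return {
        "id": str(uuid.uuid4()),
        "category": "sast",
        "name": f["name"],
        "description": f["description"],
        "severity": f["severity"],
        "scanner": scanner,
        "location": {"file": f["file"], "start_line": f["line"], "end_line": f["line"]},
        "identifiers": [{"type": "cwe", "name": f["cwe"], "value": f["cwe"].split("-")[1]}],
    }


def sast_report(findings, scanner_id="labscan", scanner_name="LabScan AI Scanner") -> dict:
    """Full report document; write it to the path declared as the job's
    `artifacts:reports:sast` so GitLab ingests it."""
    scanner = {"id": scanner_id, "name": scanner_name}
    tool = {"id": scanner_id, "name": scanner_name, "version": "0.1.0",
            "vendor": {"name": "LabScan"}}  # constructed version/vendor
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {
        "version": "15.0.0",
        "vulnerabilities": [sast_vulnerability(f, scanner) for f in findings],
        "scan": {"analyzer": tool, "scanner": tool, "type": "sast",
                 "start_time": now, "end_time": now, "status": "success"},
    }


def report_problems(report: dict) -> list:
    """Cheap pre-upload check: GitLab validates reports against its JSON schema
    and an invalid report yields an empty dashboard instead of findings."""
    problems = []
    for i, v in enumerate(report.get("vulnerabilities", [])):
        if v.get("severity") not in SEVERITIES:
            problems.append(f"vulnerabilities[{i}].severity {v.get('severity')!r} not in allowed set")
        loc = v.get("location", {})
        if not loc.get("file") or not isinstance(loc.get("start_line"), int):
            problems.append(f"vulnerabilities[{i}].location needs file and integer start_line")
    return problems


def suggestion_body(f: dict, fixed_line: str) -> str:
    """Comment Markdown carrying a one-click suggestion; `-0+0` means the
    suggestion replaces exactly the commented line."""
    return (f"**{f['severity']}: {f['name']}**\n\n{f['description']}\n\n"
            f"{FENCE}suggestion:-0+0\n{fixed_line}\n{FENCE}\n")


def discussion_payload(f: dict, body: str, base_sha: str, start_sha: str, head_sha: str) -> dict:
    """Body for the discussions endpoint; the three SHAs come from the MR's
    diff_refs and `new_line` is the line in the MR's current version."""
    return {
        "body": body,
        "position": {
            "position_type": "text",
            "base_sha": base_sha, "start_sha": start_sha, "head_sha": head_sha,
            "old_path": f["file"], "new_path": f["file"],
            "new_line": f["line"],
        },
    }


if __name__ == "__main__":
    report = sast_report([FINDING])
    print(report_problems(report))  # []
    print(suggestion_body(FINDING, 'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))'))
```

The fixed line passed to `suggestion_body` is the second-prompt output from the model; since it lands in a clickable button, it is worth running it through the same validation as the findings (non-empty, single line for `-0+0`, and ideally re-scanned) before posting.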
Building a Quality CI/CD Component: Creating a simple CI/CD job is easy. Creating a robust, reusable, and highly configurable catalog component required me to think like a platform engineer, adding over 15 `inputs` to allow other teams to customize the scanner for their specific needs.
What I Learned
- The Future is Contextual: I learned that AI's true power isn't just pattern matching but understanding context. Applying this to security allows for accuracy that traditional tools struggle to achieve.
- Developer Experience is Everything: A security tool is only effective if developers use it. By delivering feedback instantly and in line with one-click fixes, I aimed to transform security from a chore into a helpful, productive experience.
- The Power of a Platform Ecosystem: The real magic happened when I combined the strengths of the sponsors. GitLab's CI/CD and API provided the perfect workflow automation, while Google Cloud provided the powerful AI engine and scalable infrastructure to bring my vision to life.
LabScan is my answer to the future of DevSecOps—an intelligent, integrated, and empowering future for every developer.
Built With
- docker
- fastapi
- gcr
- git
- gitlab
- google-cloud
- google-cloud-run
- google-cloud-vertex-ai
- openapi
- pydantic
- pytest
- python
- swagger-ui
- uvicorn