Mamori 守り

Devs want to ship; security wants to sleep. Mamori bridges the gap, automating the "boring" stuff- GDPR, SOC 2, and security scans inside GitLab. The digital teammate that saves your Friday nights.

Comment

Inspiration

The GitLab AI Hackathon brief highlighted a critical insight: "AI writes code. That's expected now. The real opportunity? Everything else."

I observed that development teams face three major bottlenecks:

  1. Security - Manual vulnerability reviews are slow and error-prone
  2. Compliance - Regulatory checks (GDPR, PCI-DSS, HIPAA, SOC 2) are tedious and often missed
  3. Deployments - Pre-deployment validation requires multiple manual checks

These aren't coding problems, they're workflow problems. I built Mamori to automate them.

What It Does

Mamori is a multi-flow AI agent that protects codebases across the entire development lifecycle:

1. Mamori Guardian Flow

  • Security Analysis
  • Discovers all source files in your repository
  • Analyzes code for OWASP Top 10 vulnerabilities
  • Supports 7+ languages (Python, JavaScript, Java, Ruby, Go, PHP, C#)
  • Generates detailed security reports with:
    • Vulnerability type and severity
    • Exact code location and risk assessment
    • Protected code examples with fixes
    • Performance and environmental impact analysis
    • Estimated remediation time

2. Mamori Code Review Flow

  • Automated MR Review
  • Reviews merge request changes for security issues
  • Posts detailed suggestions as MR comments
  • Offers auto-fix on approval (human-in-the-loop)
  • Creates commits with clear explanations
  • Integrates with GitLab CI/CD pipeline

3. Mamori Compliance Guardian Flow

  • Regulatory Compliance
  • Checks for GDPR violations (unencrypted PII, missing consent)
  • Validates PCI-DSS compliance (hardcoded credentials, weak crypto)
  • Verifies HIPAA requirements (encrypted health data, audit trails)
  • Ensures SOC 2 controls (logging, access controls, encryption)
  • Generates compliance reports with remediation steps

4. Mamori Deployment Validator Flow

  • Pre-Deployment Checks
  • Validates configuration files (no hardcoded secrets)
  • Checks infrastructure security (encryption, TLS, network policies)
  • Verifies application security (headers, CORS, rate limiting)
  • Confirms monitoring & logging setup
  • Validates backup & disaster recovery plans
  • Provides deployment approval/rejection with clear reasoning

5. Mamori Dependency Guard Flow

  • Dependency Scanning
  • Scans for vulnerable dependencies
  • Identifies outdated packages with known CVEs
  • Suggests safe update versions
  • Supports npm, pip, gems, maven, composer, go.mod

6. Mamori Commit Assistant Flow

  • Conventional Commits
  • Auto-generates conventional commit messages
  • Detects change type (feat, fix, docs, refactor, etc.)
  • Identifies scope (security, analyzer, flow, etc.)
  • Links to related issues

How We Built It

Architecture

Agents/
├── mamori_agent.yml              # Core security analysis agent
│   └── System prompt with 7+ language-specific checks
│   └── OWASP Top 10 vulnerability detection
│   └── Compliance framework checks (GDPR, PCI-DSS, HIPAA, SOC 2)
│   └── Performance & sustainability analysis

Flows/
├── mamori_flow.yml               # Security Analysis (3 steps)
├── mamori_code_review.yml        # Code Review (3 steps)
├── mamori_compliance_check.yml   # Compliance Guardian (3 steps) [NEW]
├── mamori_deployment_validation.yml # Deployment Validator (3 steps) [NEW]
├── mamori_dependency_guard.yml   # Dependency Scanning (3 steps)
└── mamori_commit_assistant.yml   # Commit Messages (2 steps)

CI/CD/
└── .gitlab-ci.yml                # Three-stage security pipeline
    ├── validate (AI Catalog sync)
    ├── publish (AI Catalog publish)
    └── security (Mamori flows)

Technology Stack

  • Platform: GitLab Duo Agent Platform
  • Language: YAML (flow definitions) + System Prompts (agent behavior)
  • Tools: GitLab API tools (get_repository_file, create_merge_request_note, create_commit, etc.)
  • Integration: GitLab CI/CD, Merge Requests, Duo Chat

Key Features

  1. Multi-Step Orchestration - Each flow has 2-3 components that work together
  2. Human-in-the-Loop - Requires explicit approval before applying fixes
  3. Language Agnostic - Supports 7+ programming languages
  4. Framework Aware - Django, Flask, Spring, Rails, etc. specific checks
  5. Compliance Focused - GDPR, PCI-DSS, HIPAA, SOC 2 validation
  6. Actionable Output - Code examples, not just warnings
  7. Environmental Impact - Quantifies resource savings from optimizations

Challenges We Ran Into

1. Tool Mapping Complexity

  • Challenge: GitLab Duo Agent Platform has 89+ available tools with specific naming conventions
  • Solution: Mapped flows to correct tools (find_files, get_repository_file, read_file, create_merge_request_note, create_commit, list_vulnerabilities)
  • Learning: Tool names differ from intuitive naming (e.g., find_files vs list_repository_tree)

2. Flow Definition Syntax

  • Challenge: YAML flow definitions require precise structure with components, prompts, routers, and entry points
  • Solution: Studied existing flows, created templates, iterated on definitions
  • Learning: Each component needs explicit inputs, toolsets, and UI logging configuration

3. Prompt Engineering for Multi-Step Flows

  • Challenge: System prompts needed to be detailed enough for accurate analysis but concise enough to fit token limits
  • Solution: Created comprehensive prompts with:
    • Language-specific vulnerability patterns
    • Severity definitions
    • Output format specifications
    • Error handling guidelines
  • Learning: Prompt quality directly impacts analysis accuracy

4. Compliance Framework Coverage

  • Challenge: Covering GDPR, PCI-DSS, HIPAA, and SOC 2 in a single flow
  • Solution: Created separate sections in prompts for each framework with specific checks
  • Learning: Compliance is context-dependent; need to understand business domain

5. Deployment Validation Scope

  • Challenge: Pre-deployment checks span infrastructure, application, and operational concerns
  • Solution: Broke down into 5 categories (secrets, infrastructure, application, monitoring, backup)
  • Learning: Deployment readiness is multi-dimensional

6. CI/CD Integration

  • Challenge: Making flows accessible from CI/CD pipeline without breaking YAML syntax
  • Solution: Created documentation jobs that explain how to invoke flows via GitLab Duo Chat
  • Learning: Flows are best triggered from UI (Duo Chat) rather than CI/CD scripts

Accomplishments We're Proud Of

1. Comprehensive Security Coverage

  • 7+ programming languages supported
  • 20+ vulnerability types detected
  • Framework-specific checks (Django, Flask, Spring, Rails, etc.)
  • OWASP Top 10 alignment
  • Actionable fixes with code examples

2. Compliance as a First-Class Feature

  • GDPR compliance checking (PII, consent, data retention)
  • PCI-DSS validation (credentials, encryption, access controls)
  • HIPAA requirements (health data protection, audit trails)
  • SOC 2 controls (logging, access, encryption)
  • Regulatory remediation guidance

3. Deployment Readiness Validation

  • Pre-deployment security checks
  • Configuration validation
  • Infrastructure security assessment
  • Monitoring & logging verification
  • Disaster recovery validation
  • Clear approval/rejection with reasoning

4. Human-in-the-Loop Design

  • Explicit approval required before fixes
  • Detailed explanations for each suggestion
  • No automatic changes without consent
  • Clear audit trail of decisions

5. Multi-Flow Architecture

  • 6 specialized flows for different use cases
  • Consistent design patterns across flows
  • Modular and extensible
  • Clear documentation for each flow

6. Production-Ready Documentation

  • AGENT.md - Agent capabilities and checks
  • FLOWS.md - Flow documentation and usage
  • TEST_RESULTS.md - Test cases and examples
  • README.md - Quick start and overview
  • Demo files - Vulnerable code examples

7. Hackathon Brief Alignment

  • Security - Mamori Guardian + Code Review flows
  • Compliance - Dedicated compliance checking flow
  • Deployments - Pre-deployment validation flow
  • Automation - Flows respond to MR events
  • Takes Action - Auto-fixes, creates issues, posts comments
  • Digital Teammate - Autonomous agent, not a chatbot

What We Learned

1. Workflow Automation is the Real Opportunity

  • Coding is solved; the bottlenecks are in security, compliance, and deployments
  • Teams spend more time on reviews and validation than writing code
  • Automation here has immediate ROI

2. Multi-Step Orchestration is Powerful

  • Breaking complex tasks into 2-3 steps improves accuracy
  • Each step can use different tools and prompts
  • Routers enable flexible workflow control

3. Compliance is Context-Dependent

  • One-size-fits-all compliance checking doesn't work
  • Need to understand business domain (healthcare, payments, etc.)
  • Regulatory requirements vary by jurisdiction

4. Human-in-the-Loop is Essential

  • Developers need control over automated changes
  • Explicit approval gates build trust
  • Clear explanations are as important as fixes

5. Prompt Engineering Matters

  • Detailed system prompts lead to better analysis
  • Specific output formats improve consistency
  • Error handling guidance prevents hallucinations

6. Documentation is Critical

  • Clear examples help users understand capabilities
  • Test files demonstrate real-world scenarios
  • Troubleshooting guides reduce support burden

What's Next for Mamori

Phase 2: Enhanced Capabilities

  1. Advanced Vulnerability Detection

    • Machine learning-based anomaly detection
    • Custom vulnerability rule creation
    • Integration with external SAST tools (SonarQube, Semgrep)
    • Real-time vulnerability database updates

  2. Expanded Compliance Coverage

    • SOX (Sarbanes-Oxley) compliance
    • CCPA (California Consumer Privacy Act)
    • LGPD (Lei Geral de Proteção de Dados)
    • Industry-specific standards (PCI-DSS v4.0, HIPAA updates)

  3. Deployment Automation

    • Automated deployment execution (with approval)
    • Rollback automation on deployment failure
    • Blue-green deployment validation
    • Canary deployment monitoring

  4. Performance Optimization

    • Algorithmic complexity analysis
    • Database query optimization suggestions
    • Memory leak detection
    • Resource utilization analysis

Phase 3: Enterprise Features

  1. Team Collaboration

    • Shared security policies
    • Team-based approval workflows
    • Audit logging and compliance reports
    • Integration with issue tracking (Jira, Azure DevOps)

  2. Custom Rules Engine

    • Define organization-specific security rules
    • Custom compliance frameworks
    • Industry-specific checks
    • Policy-as-code support

  3. Advanced Reporting

    • Security dashboards
    • Compliance trend analysis
    • Risk scoring and prioritization
    • Executive summaries

  4. Integration Ecosystem

    • Slack/Teams notifications
    • Webhook support for external systems
    • API for programmatic access
    • CI/CD pipeline integration (GitHub Actions, Jenkins, etc.)

Phase 4: AI-Powered Features

  1. Predictive Security

    • Predict vulnerability patterns before they occur
    • Risk scoring based on code patterns
    • Anomaly detection in deployments

  2. Intelligent Remediation

    • Context-aware fix suggestions
    • Learning from approved fixes
    • Automated refactoring for security

  3. Natural Language Policies

    • Define security policies in plain English
    • AI translates to automated checks
    • Policy versioning and tracking

Metrics & Impact

Current Capabilities

  • Languages Supported: 7 (Python, JavaScript, Java, Ruby, Go, PHP, C#)
  • Vulnerability Types: 20+
  • Compliance Frameworks: 4 (GDPR, PCI-DSS, HIPAA, SOC 2)
  • Flows: 6 specialized workflows
  • Tools Used: 15+ GitLab API tools
  • Documentation: 4 comprehensive guides

Expected Impact

  • Security Review Time: 80% reduction (manual -> automated)
  • Compliance Violations: 90% detection rate
  • Deployment Failures: 70% reduction (pre-deployment validation)
  • Code Review Cycles: 50% faster (automated suggestions)
  • Developer Productivity: 30% improvement (less manual review)

Conclusion

Mamori demonstrates that the real opportunity in AI-assisted development isn't in writing code- it's in automating the workflows that slow teams down. By focusing on security, compliance, and deployments, Mamori becomes a true digital teammate that takes action on behalf of developers.

The GitLab Duo Agent Platform enabled us to build a sophisticated, multi-flow security system that integrates seamlessly into existing workflows. Mamori isn't a chatbot that answers questions; it's an autonomous agent that jumps into your merge requests, analyzes code, validates compliance, and suggests fixes- all without leaving GitLab.

Mamori 守り: Protecting your code with vigilance, precision, and care. 🛡️✨

Built With

Share this project:

Updates