Merge Request Risk Radar Agent

Autonomous DevSecOps agent that evaluates merge request risk and posts a structured risk assessment with enforcement recommendations.

Comment

Merge Request Risk Radar

Inspiration

Modern software teams move fast, but speed often introduces risk. Merge requests frequently contain hundreds of lines of changes, modifications to critical infrastructure, or hidden security issues. Reviewers must manually inspect large diffs, check pipelines, analyze vulnerabilities, and determine whether a change is safe to merge.

In practice, this process is inconsistent and highly dependent on the reviewer’s experience and available time.

The inspiration behind Merge Request Risk Radar was to create an autonomous AI agent that continuously monitors merge requests and performs structured DevSecOps risk evaluation. Instead of acting like a conversational assistant, the agent acts as a digital risk analyst embedded directly into the GitLab workflow, providing deterministic and actionable insights for every merge request.

The goal is simple: help developers ship faster while reducing operational and security risk.

What the Project Does

Merge Request Risk Radar is an autonomous DevSecOps agent that evaluates merge requests and generates a structured risk report.

When a merge request is opened or updated, the agent automatically:

  1. Builds the complete merge request context
  2. Analyzes code diffs and total lines changed
  3. Detects modifications to critical system directories
  4. Checks if test files were updated
  5. Evaluates pipeline failures
  6. Inspects security scan results for vulnerabilities
  7. Detects changes to sensitive configuration files

Using these signals, the agent computes a deterministic risk score between 0 and 100 and classifies the merge request as:

  • LOW risk
  • MEDIUM risk
  • HIGH risk

The agent then posts a structured Merge Request Risk Report directly inside the merge request, highlighting detected risk factors and recommending enforcement actions such as senior review or merge blocking.

This turns merge requests into observable risk objects rather than simple code changes.

How We Built It

The system was built using the GitLab Duo Agent Platform, which allows developers to create autonomous agents that react to events inside the software development lifecycle.

The agent workflow includes several stages:

Context Construction

The agent first builds a full merge request context using GitLab tools, including:

  • merge request metadata
  • commit history
  • code diffs
  • pipeline results
  • vulnerability scan reports

Risk Evaluation Engine

A deterministic scoring model evaluates several structural signals:

  • diff size
  • critical directories modified
  • missing test updates
  • pipeline failures
  • security vulnerabilities
  • sensitive configuration changes

Each signal contributes a predefined score. The total score is capped at 100 to ensure predictable classification.

Risk Classification

The final score is categorized into:

  • LOW (0–29)
  • MEDIUM (30–69)
  • HIGH (70–100)

Automated Reporting

Finally, the agent posts a structured risk report into the merge request using the GitLab API, ensuring developers receive actionable insights directly where they work.

Challenges We Ran Into

One of the main challenges was designing a deterministic risk model that is both simple and meaningful. Many AI-based tools rely on probabilistic models, which can produce inconsistent results. For developer workflows, consistency is critical.

Another challenge was ensuring the agent could operate autonomously without requiring conversational interaction. The agent needed to evaluate context, apply scoring logic, and generate reports without asking follow-up questions.

Balancing useful signal detection while avoiding false positives was also an important design consideration.

What We Learned

This project highlighted the potential of AI agents as workflow participants rather than passive assistants. Instead of responding to prompts, agents can actively monitor events, analyze data, and enforce policies.

We also learned that DevSecOps automation benefits greatly from transparent and deterministic systems. Developers are more likely to trust automated decisions when the scoring model and reasoning are clear.

Finally, building with the GitLab Duo Agent Platform demonstrated how AI agents can be embedded deeply into the software development lifecycle.

Future Improvements

Future versions of Merge Request Risk Radar could introduce:

  • historical risk analysis across repositories
  • automated reviewer assignment based on risk level
  • integration with deployment gates
  • machine learning models that refine risk scoring using past incidents

These improvements would further transform merge requests into intelligent, risk-aware checkpoints in the development pipeline.

Impact

Merge Request Risk Radar improves software delivery by making risk visible early in the development process.

It helps teams:

  • identify risky changes faster
  • prioritize code review effort
  • prevent unstable deployments
  • strengthen DevSecOps practices

By embedding autonomous risk evaluation directly into the merge request workflow, developers gain a real-time safety layer for modern software delivery.

Built With

  • build-review-merge-request-context
  • create-merge-request-note
  • get-pipeline-failing-jobs
  • gitlab
  • list-merge-request-diffs
  • list-vulnerabilities
  • update-merge-request
Share this project:

Updates