Inspiration
Every day, developers merge code without truly knowing what could break. A one-line change in an auth file can cascade through dozens of modules. I built MergeGuard to make that invisible risk visible — before it reaches production.
What it does
MergeGuard is a GitLab Duo Agent that analyzes merge requests for security risk and blast radius using the GitLab Orbit knowledge graph. When triggered in any MR, it:
- Maps every file and module impacted by the change (blast radius)
- Flags security-sensitive patterns (auth, API endpoints, secrets, permissions)
- Identifies test coverage gaps in the impacted zone
- Suggests the best reviewers based on Orbit's contributor graph
- Scores overall risk as 🟢 LOW / 🟡 MEDIUM / 🔴 HIGH
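The analysis steps above, worked through on a constructed dependency graph as an added example (this is not MergeGuard's own code and does not call the Orbit API; the file names, sensitive-path patterns and scoring thresholds are assumptions):

```javascript
// Added example: blast radius, sensitive-pattern flags, coverage gaps and a
// LOW/MEDIUM/HIGH score over a constructed graph. Not the project's code.

// Constructed reverse-dependency graph: file -> files that import it
// (stands in for what a knowledge-graph query would return).
const DEPENDENTS = {
  "lib/auth/session.js": ["api/login.js", "api/users.js"],
  "api/login.js": ["web/routes.js"],
  "api/users.js": ["web/routes.js", "jobs/cleanup.js"],
  "web/routes.js": [],
  "jobs/cleanup.js": [],
};

// Constructed test map: source file -> test files that cover it.
const TESTS = {
  "lib/auth/session.js": ["test/session.test.js"],
  "api/login.js": ["test/login.test.js"],
  "jobs/cleanup.js": ["test/cleanup.test.js"],
};

// Assumed security-sensitive path patterns (auth, API endpoints, secrets, permissions).
const SENSITIVE = [/auth/i, /\bapi\//i, /secret|credential/i, /perm|acl|role/i];

// Breadth-first traversal from the changed files through everything that depends on them.
function blastRadius(changed, graph = DEPENDENTS) {
  const seen = new Set(changed);
  const queue = [...changed];
  while (queue.length) {
    const file = queue.shift();
    for (const dep of graph[file] || []) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return [...seen].sort();
}

function analyzeMergeRequest(changed, graph = DEPENDENTS, tests = TESTS) {
  const impacted = blastRadius(changed, graph);
  const flags = impacted.filter((f) => SENSITIVE.some((re) => re.test(f)));
  const coverageGaps = impacted.filter((f) => !(tests[f] || []).length);
  // Assumed scoring rule: HIGH if a sensitive file in the radius has no tests
  // or the radius reaches 5+ files; MEDIUM if any flag or gap; otherwise LOW.
  const sensitiveUntested = flags.some((f) => coverageGaps.includes(f));
  let risk = "LOW";
  if (sensitiveUntested || impacted.length >= 5) risk = "HIGH";
  else if (flags.length || coverageGaps.length) risk = "MEDIUM";
  return { impacted, flags, coverageGaps, risk };
}
```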
How I built it
- GitLab Duo Agent Platform — created a custom agent with a detailed system prompt
- SKILL.md — defined MergeGuard's behavior, output format, and risk scoring rules in a skill file stored in the repository under skills/mergesguard/SKILL.md
- JavaScript (mergesguard.js) — implemented the core Orbit API integration logic showing how blast radius, test coverage, and contributor data would be fetched in production
- GitLab Orbit — the knowledge graph that powers the call graph traversal and contributor analysis
Challenges I ran into
Getting the risk scoring logic right was the hardest part — balancing sensitivity (not too many false HIGH alerts) with coverage (not missing real risks). I also had to learn the GitLab Duo Agent Platform from scratch during the hackathon.
Accomplishments
- Built and deployed a working GitLab Duo Agent in under 24 hours
- MergeGuard successfully analyzed a real merge request and produced a structured risk report
- The agent is live and enabled in the project, ready for any developer to use
What I learned
I learned how GitLab Orbit models codebases as knowledge graphs, how to author skills and agents on the Duo Agent Platform, and how to think about security risk in terms of dependency graphs rather than just file contents.
What's next for MergeGuard
- Connect directly to Orbit's live API for real call graph traversal
- Add CI/CD pipeline integration to auto-trigger on every MR
- Publish to the GitLab AI Catalog for the wider community
Built With
- gitlab-ci/cd
- gitlab-duo-agent-platform
- gitlab-orbit-api
- gitlab-rest-api
- python