MR Security Fix Agent

A GitLab Duo flow that reviews merge requests, detects security risks, and posts actionable remediation guidance with a suggested patch directly into GitLab.

Comment

Inspiration

Security tools can detect problems, but developers still lose time figuring out what matters most and what the safest next step should be. We wanted to build something that reduces that friction directly inside the merge request workflow. Instead of another chat interface, we focused on a trigger-driven GitLab Duo flow that can review a merge request, identify the top security concern, and provide remediation guidance where developers are already working.

What it does

MR Security Fix Agent is a GitLab Duo custom flow that reviews merge requests and posts actionable security remediation guidance directly back into GitLab. In our working demo, it detects a hardcoded API token introduced in a merge request, explains why the issue is risky, recommends the safest fix, provides a suggested patch using environment variables, and includes validation steps so the developer can remediate the issue quickly before merge.

How we built it

We built the project around GitLab Duo custom flows and GitLab-native merge request interactions. The flow is triggered inside a merge request, reads the merge request, inspects the diff, identifies the highest-priority security concern, and writes a structured remediation comment directly into the merge request discussion. Alongside the live GitLab flow, we also created a local Python prototype to model triage, ranking, and output formatting so the project is easier to test and evolve.

Challenges we ran into

One of the biggest challenges was trigger and context reliability. In our testing, not every trigger type resolved merge request context equally well. We found that a mention-based trigger with the full merge request URL was the most reliable path for a consistent end-to-end workflow. Another challenge was moving beyond simple detection and making the output more useful, so we improved the flow to include a suggested patch for straightforward remediation cases.

Accomplishments that we're proud of

We built a working GitLab Duo flow that does more than explain a problem. It reads a merge request, identifies a meaningful security issue, and posts a useful remediation comment with validation guidance and a suggested patch directly inside GitLab. We are especially proud that the project is trigger-driven, action-oriented, and demonstrated successfully in the official hackathon repository.

What we learned

We learned that trigger design and context handling matter just as much as the prompt itself. A smaller workflow that is reliable and easy to demonstrate is more valuable than a broader one that is harder to trust. We also learned that security-focused AI becomes much more useful when it gives developers a concrete remediation path instead of simply repeating scanner output.

What's next for MR Security Fix Agent

Next, we want to improve support for more trigger patterns, expand coverage beyond hardcoded secrets to dependency and application security issues, and add stronger remediation automation such as follow-up issue creation or safer patch generation for more vulnerability types. We also want to make the suggested fixes more context-aware across different repositories and programming stacks.

Built With

  • claude
  • gitlab-custom-flows
  • gitlab-duo-agent-platform
  • gitlab-merge-requests
  • python
  • yaml
Share this project:

Updates