Inspiration: The AI Paradox
Despite massive advancements in AI code generation, the Software Development Lifecycle (SDLC) is still bottlenecked by human code review. Developers wait days for feedback, leading to constant context switching and delayed releases. Even worse, overworked reviewers often skim Merge Requests (MRs), allowing critical security vulnerabilities (such as hardcoded secrets or SQL injection) to slip into production.
We realized there is an "AI Paradox" in modern DevOps: We use AI to write code at lightning speed, but we still rely on slow, manual processes to review and merge it. We set out to build an autonomous system that could eliminate this bottleneck forever.
What it does
Duo MR Reviewer is a fully autonomous, multi-agent AI flow built on the GitLab Duo Agent Platform. When a developer opens a Merge Request (or tags @ai-duo-mr-reviewer-gitlab-ai-hackathon), it triggers an orchestrated three-agent pipeline that runs in CI/CD:
- Code Review Agent: Analyzes the diff for logic bugs, performance issues, and best practices. Crucially, it leaves precise, line-by-line inline comments natively on the GitLab diff, just like a human reviewer.
- Security Scanner Agent: Runs immediately after the Code Review Agent and scans the MR for common web vulnerabilities of the kind catalogued by OWASP (e.g., exposed API keys, XSS), reporting each finding against the affected line of the diff.
- Auto-Fixer & Smart Verdict Agent: Automatically fixes issues it judges trivially safe (typos, missing imports, bad formatting), validates the fixes with run_tests, and commits them back to the branch. Finally, it calculates an "MR Health Score" and applies the ~AI-Ready or ~Needs-Attention label to guide human reviewers.
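The verdict step above is where a reviewer most wants to see the decision rules spelled out: which findings may be auto-fixed, how the score is derived, and when a label is applied. The following is an added illustrative example, not code from the Duo MR Reviewer project. The finding schema, severity weights, auto-fix allowlist, score formula and threshold are all assumptions made here (the page does not publish its formula); the one design rule it encodes is that security findings are never auto-fixed and always force ~Needs-Attention, and that fixes only count once the test run after applying them has passed.

```python
"""Illustrative MR verdict logic (added example; not the project's own code).

Assumptions, not taken from the page: the Finding schema, SEVERITY_WEIGHTS,
AUTO_FIX_ALLOWLIST, the 100-minus-penalty score and the 80-point threshold.
"""
from dataclasses import dataclass
from typing import List

# Constructed weights: how many points each finding costs the MR.
SEVERITY_WEIGHTS = {"critical": 40, "high": 20, "medium": 8, "low": 2, "info": 0}

# Only mechanical, behaviour-preserving categories may be auto-fixed.
# Nothing security-related belongs here: those findings go to a human.
AUTO_FIX_ALLOWLIST = {"typo", "missing_import", "formatting"}


@dataclass(frozen=True)
class Finding:
    agent: str      # "code_review" or "security"
    category: str   # e.g. "sql_injection", "typo"
    severity: str   # a key of SEVERITY_WEIGHTS
    path: str
    line: int


@dataclass
class Verdict:
    score: int
    label: str
    auto_fixable: List[Finding]
    needs_human: List[Finding]


def is_auto_fixable(f: Finding) -> bool:
    """A finding is auto-fixable only if it is non-security, in the allowlist,
    and low impact. The agent check means a 'formatting' finding raised by the
    security scanner is still left for a human."""
    return (f.agent != "security"
            and f.category in AUTO_FIX_ALLOWLIST
            and f.severity in {"low", "info"})


def health_score(findings: List[Finding]) -> int:
    """100 minus the summed severity weights, floored at 0 (constructed formula)."""
    penalty = sum(SEVERITY_WEIGHTS.get(f.severity, 0) for f in findings)
    return max(0, 100 - penalty)


def verdict(findings: List[Finding], tests_passed: bool,
            ai_ready_threshold: int = 80) -> Verdict:
    """tests_passed is the result of run_tests on the branch after the fixes
    were applied. If it is False the fixes are not committed, every finding
    still counts against the score, and the MR is never marked AI-Ready."""
    fixable = [f for f in findings if is_auto_fixable(f)]
    remaining = [f for f in findings if not is_auto_fixable(f)]
    scored = remaining if tests_passed else findings
    score = health_score(scored)
    has_security = any(f.agent == "security" for f in remaining)
    ready = tests_passed and not has_security and score >= ai_ready_threshold
    return Verdict(score, "~AI-Ready" if ready else "~Needs-Attention",
                   fixable, remaining)


# Constructed sample findings, as the two upstream agents might emit them.
SAMPLE_FINDINGS = [
    Finding("code_review", "typo", "low", "README.md", 3),
    Finding("code_review", "missing_import", "low", "app/db.py", 1),
    Finding("security", "sql_injection", "high", "app/db.py", 42),
    Finding("security", "hardcoded_secret", "critical", "config.py", 7),
]

if __name__ == "__main__":
    v = verdict(SAMPLE_FINDINGS, tests_passed=True)
    print(v.score, v.label, [f.category for f in v.needs_human])
```

With the sample findings and a green test run the two mechanical issues are fixed and dropped from the score, but the two security findings leave a score of 40 and the ~Needs-Attention label; with only the two code-review findings the MR scores 100 and is marked ~AI-Ready, unless run_tests failed, in which case nothing is committed and the label stays ~Needs-Attention.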
How we built it
We built this entirely on the GitLab Duo Agent Platform powered by Anthropic Claude.
We made heavy use of GitLab's Custom Flows to orchestrate three independent YAML-defined agents, routing the outputs and context of the Code Reviewer and Security Scanner directly into the context window of the Auto-Fixer.
We also made heavy use of GitLab's native Agent Tools, including:
- build_review_merge_request_context and list_merge_request_diffs for context gathering.
- post_duo_code_review for leaving native inline threaded comments.
- edit_file, run_tests, and create_commit to allow the Auto-Fixer to safely modify code, ensure tests pass, and cleanly push the fix back to the branch.
Challenges we ran into
Our biggest challenge was UX (User Experience) and information overload. Initially, our agents were dumping massive, unreadable walls of text into the main MR thread. We realized this is a common anti-pattern in AI tooling that developers hate.
To solve this, we engineered a "Progressive Feedback" UX. We explicitly instructed the agents to use the post_duo_code_review tool to place comments inline on the exact lines of code, rather than in the main thread. Because the agents execute sequentially, the developer receives threaded feedback as each agent finishes. This keeps MR threads cleanly organized and makes the AI feel like an integrated part of the GitLab UI.
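Placing a comment on "the exact line of code" means supplying GitLab with a diff position, and GitLab only accepts positions on lines that actually appear in the MR diff. The following added example (not the project's code, and not the post_duo_code_review tool, which it does not model) shows the underlying mechanism against the documented GitLab REST API: it parses a unified diff to find the new-side line numbers that are commentable, builds the `position` object for POST /projects/:id/merge_requests/:iid/discussions, and falls back to a plain MR note when a finding points outside the diff. The diff text, SHAs, file path and finding are constructed for illustration.

```python
"""Map a finding to an inline MR discussion position (added example, not the
project's own code). The `position` fields match GitLab's documented
POST /projects/:id/merge_requests/:iid/discussions API; SAMPLE_DIFF and
SAMPLE_DIFF_REFS are constructed inputs."""
import re
from typing import Dict, Optional, Set

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def commentable_new_lines(diff: str) -> Set[int]:
    """New-side line numbers present in the diff (added or context lines).
    Removed lines have no new-side number; file headers and the
    '\\ No newline at end of file' marker are skipped."""
    lines: Set[int] = set()
    new_no: Optional[int] = None
    for raw in diff.splitlines():
        if raw.startswith("diff "):
            new_no = None            # new file section: wait for its hunk
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_no = int(m.group(3))
            continue
        if new_no is None or raw.startswith("\\"):
            continue                 # headers before the first hunk, or marker
        if raw.startswith("+"):
            lines.add(new_no)
            new_no += 1
        elif raw.startswith("-"):
            continue                 # removed: old side only
        else:                        # context line (" ..." or stripped "")
            lines.add(new_no)
            new_no += 1
    return lines


def inline_position(diff_refs: Dict[str, str], new_path: str, new_line: int,
                    diff: str, old_path: Optional[str] = None) -> Optional[dict]:
    """Build the `position` object, or None if the line is not in the diff
    (GitLab rejects such positions with HTTP 400)."""
    if new_line not in commentable_new_lines(diff):
        return None
    return {
        "position_type": "text",
        "base_sha": diff_refs["base_sha"],
        "start_sha": diff_refs["start_sha"],
        "head_sha": diff_refs["head_sha"],
        "new_path": new_path,
        "old_path": old_path or new_path,
        "new_line": new_line,
    }


def discussion_payload(body: str, path: str, line: int,
                       diff_refs: Dict[str, str], diff: str) -> dict:
    """JSON body for the discussions endpoint: inline when the line is in the
    diff, otherwise a general MR note that still names the location."""
    pos = inline_position(diff_refs, path, line, diff)
    if pos is None:
        return {"body": f"`{path}:{line}` (outside the diff): {body}"}
    return {"body": body, "position": pos}


# Constructed single-file diff, as list_merge_request_diffs might return it.
SAMPLE_DIFF = """\
@@ -10,3 +10,4 @@ def get_user(conn, username):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (username,))
+    query = "SELECT * FROM users WHERE name = '" + username + "'"
+    cur.execute(query)
     return cur.fetchone()
"""

# Constructed stand-ins for the MR's diff_refs (real values are 40-hex SHAs).
SAMPLE_DIFF_REFS = {"base_sha": "a" * 40, "start_sha": "a" * 40, "head_sha": "b" * 40}

if __name__ == "__main__":
    payload = discussion_payload(
        "String-concatenated SQL: use a parameterised query.",
        "app/db.py", 11, SAMPLE_DIFF_REFS, SAMPLE_DIFF)
    print(payload)
```

The caller sends the returned dict as JSON with a `PRIVATE-TOKEN` header; the fallback branch matters because a scanner that reasons over whole files will regularly flag lines the MR never touched, and an inline post for those fails rather than degrading gracefully.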
Accomplishments that we're proud of
We are incredibly proud of achieving true multi-agent orchestration. We showed that AI agents are not just for chat interfaces: they can act as background CI/CD workers that execute complex, asynchronous pipelines. By chaining three distinct AI personas (Reviewer, Security, Fixer) and allowing them to modify the code and commit fixes natively, we created a system that feels like magic.
What we learned
We learned the power of Anthropic Claude when paired with native GitLab tools. Claude proved exceptional not only at maintaining context across large file diffs, but also at reliably determining what was "safe" to auto-fix and what required human intervention. We also learned how robust the GitLab Duo Agent Platform's flow YAML syntax is for building production-grade orchestration.
What's next for Duo MR Reviewer
In the future, we plan to train the Auto-Fixer to handle far more complex refactoring tasks (like breaking up monolithic functions or migrating legacy components) by dynamically reading the repository's internal architecture documentation before generating and applying its fixes. We also aim to expand the Reviewer's capability to automatically generate and commit missing unit tests for the functions it evaluates.
Built With
- anthropic
- claude
- gitlab
- gitlab-api
- gitlab-duo
- gitlab-duo-agent-platform
- gitlab-flows
- gitlab-agents
- python
- yaml