AI Threat Modeling Agent

STRIDEGUARD DEMO

What it does StrideGuard is an AI agent built on the GitLab Duo Agent Platform that automatically performs STRIDE threat modeling on merge requests and epics — before vulnerabilities reach production.

Every time a developer opens or updates a merge request, StrideGuard triggers automatically. It reads the full diff and relevant source files, reasons through all six STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), and creates a structured GitLab issue for every threat it identifies. Each issue includes:

The affected file and line number Severity rating (critical / high / medium / low) CWE reference where applicable Plain-English description of the exploit path Specific remediation steps A resolution checklist for the developer A summary comment is posted on the MR showing a severity-sorted table of all threats with direct links to their issues. When the developer pushes a fix, StrideGuard re-runs, closes resolved issues automatically, and updates the comment — the threat model stays in sync with the code throughout review.

A second trigger mode lets teams apply the needs-threat-model label to any GitLab epic or issue to trigger a pre-implementation threat model. The agent analyzes the feature description and generates design risks before any code is written, shifting security left all the way to the planning phase.

The problem it solves Threat modeling is universally recognized as valuable and universally avoided because it requires a calendar invite, a security engineer's time, and a feature that is already half-built — at which point fixing architectural problems is expensive. This is a textbook "AI Paradox" bottleneck: the process has clear value but the manual toil makes it unsustainable at scale.

Existing tools do not solve this. SAST tools (Semgrep, CodeQL, Snyk) match known vulnerability syntax patterns. They do not reason about architectural threat categories or apply structured security methodology. GitLab's own SAST, DAST, and dependency scanning all operate at the code level. None generates pre-implementation threat models from feature descriptions.

StrideGuard is the only agent that applies STRIDE methodology at the MR and planning layer, in real time, with zero human scheduling effort.

How it uses the GitLab Duo Agent Platform StrideGuard uses all three pillars of the platform:

Triggers — Two trigger types:

merge_request events (opened / updated) — fires on every MR change label event on needs-threat-model — fires when applied to any issue or epic Context — The agent reads:

merge_request_diff — the actual code change being reviewed repository_files — source files (Python, Go, JS/TS, Ruby, Java, C#, Dockerfiles, RBAC configs, auth configs) for full context beyond the diff issue_description and epic_description — for label-triggered pre-implementation analysis Tools — Five GitLab tools used in a deliberate sequence:

gitlab:list_issues — checks for existing open StrideGuard issues to prevent duplicates gitlab:create_issue — creates one issue per new threat with full structured content gitlab:close_issue — closes issues for threats resolved in an updated MR gitlab:create_note — posts the summary comment on first analysis gitlab:update_note — updates the existing comment on re-runs (single living comment) STRIDE categories and what StrideGuard detects Category What StrideGuard looks for Spoofing Missing or bypassable auth, weak token validation, session fixation, insecure SSO Tampering Unsanitized input reaching databases or files, SQL injection, missing integrity checks, deserialization Repudiation Actions without audit log entries, log entries missing user ID or timestamp, writable audit logs Information Disclosure Hardcoded secrets, PII in logs, stack traces in responses, overly permissive CORS Denial of Service No rate limiting, unbounded queries, file upload without size validation, no circuit breakers Elevation of Privilege BOLA/IDOR, missing permission checks before privileged operations, admin routes accessible to users Features and functionality Zero-configuration for developers — no developer action required; analysis runs automatically Structured, actionable issues — every issue has ID, severity, CWE, description, remediation, checklist Label taxonomy — strideguard, security, stride::, severity:: on every issue Deduplication — checks open issues before creating to prevent duplicates on re-runs Auto-resolution — closes issues automatically when threats disappear from updated diffs Living MR comment — single comment updated in place, not spammed on every re-run Pre-implementation mode — label-triggered analysis from feature descriptions Automatic cleanup — removes needs-threat-model label and adds threat-model-complete after analysis

Built With

claude
gitlab
shell
typescript

Submitted to

GitLab AI Hackathon

Created by

. My contribution was the intitial repo and code to build it and inside of it.

Arjun Sriram
I contributed to testing, editing the code, creating a web app that was used to test the Custom Duo Agent, making code that would purposefully trigger a response and create items such as issues/tasks, and making the video demo.

r
I made the agent and did all the gitlab side of the project

KryophoraX
I contributed to testing, editing the code, creating a web app that was used to test the Custom Duo Agent, making code that would purposefully trigger a response and create items such as issues/tasks, and making the video demo.

Sai

Updates

Arjun Sriram started this project — Mar 25, 2026 10:15 AM EDT

Leave feedback in the comments!

Log in or sign up for Devpost to join the conversation.