SecureShip – AI Security & Compliance Review for GitLab

Inspiration

AI and modern tooling make it easy to generate and ship code quickly, but security and compliance reviews are still manual, slow, and hard to scale. In regulated environments like finance and healthcare, teams lose countless hours on repetitive security checks and writing compliance documentation instead of building features.

We wanted to change that by treating security and compliance as first-class citizens in the merge request itself.


What It Does

SecureShip is an intelligent security and compliance review system for GitLab that automatically analyzes every merge request.

It:

  • Performs security scanning on code diffs to identify vulnerabilities:
    • SQL/NoSQL Injection
    • XSS
    • SSRF
    • Broken Access Control
    • Hardcoded Secrets
    • Weak Cryptography
  • Classifies findings by severity and suggests concrete code fixes
  • Generates compliance reports aligned with:
    • OWASP Top 10
    • SOC 2
    • GDPR
    • PCI-DSS
    • ISO 27001
  • Posts results automatically on MR creation or when invoked via mentions
    (e.g., @ai-secureship-<group>)
  • Turns every merge request into a security- and compliance-aware review by default

How We Built It

The core architecture uses two YAML configurations:

1. secureship-flow.yml – Two-Agent Flow

agents:
  - name: security_scanner
    description: Analyzes merge request diff for vulnerabilities
    skills:
      - skills/security-scan
    output: security_findings.json

  - name: compliance_reporter
    description: Generates compliance report based on findings
    skills:
      - skills/compliance-report
    input: security_findings.json
    output: compliance_report.json

flow:
  - security_scanner
  - compliance_reporter

2. secureship-agent.yml – External AI Agent

agent:
  name: secureship-agent
  provider: anthropic
  model: claude-3
  description: Runs security scan and compliance reporting in one pass

inputs:
  - merge_request_diff
  - project_context

outputs:
  - security_findings
  - compliance_report
  - remediation_suggestions

GitLab Duo Configuration

.gitlab/duo/chat-rules.md

# SecureShip Rules

- Always analyze MR diff only
- Classify vulnerabilities by severity: Low, Medium, High, Critical
- Map findings to OWASP Top 10
- Generate compliance notes for SOC2, GDPR, PCI-DSS, ISO27001
- Suggest fixes for each vulnerability
- Keep output structured and deterministic

mr-review-instructions.yaml

review:
  focus:
    - security vulnerabilities
    - compliance issues
    - data handling risks
    - authentication and authorization
    - secrets management

  severity_levels:
    - low
    - medium
    - high
    - critical

Skills – Security Scan

skills/security-scan/skill.yaml

name: security-scan
description: Detects security vulnerabilities in code diffs

detect:
  - sql_injection
  - nosql_injection
  - xss
  - ssrf
  - broken_access_control
  - hardcoded_secrets
  - weak_crypto

classify_severity:
  critical:
    - hardcoded_secrets
    - broken_access_control
  high:
    - sql_injection
    - ssrf
  medium:
    - xss
  low:
    - weak_crypto

Skills – Compliance Report

skills/compliance-report/skill.yaml

name: compliance-report
description: Maps security findings to compliance frameworks

frameworks:
  - OWASP_TOP_10
  - SOC2
  - GDPR
  - PCI_DSS
  - ISO_27001

mapping:
  sql_injection: OWASP_A03
  xss: OWASP_A03
  broken_access_control: OWASP_A01
  hardcoded_secrets: SOC2_CC6
  weak_crypto: PCI_DSS_3
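
The two skill files above have to agree with each other: every type the scanner detects needs a severity and a compliance mapping, or a finding reaches the report unrated or unmapped. The cross-check below is an added example, not part of SecureShip. The tables are transcribed from this page, and the rule that ties a mapping value to a framework by its first `_`-separated token is an assumption.

```python
# Tables transcribed from skills/security-scan and skills/compliance-report above.
DETECT = ["sql_injection", "nosql_injection", "xss", "ssrf",
          "broken_access_control", "hardcoded_secrets", "weak_crypto"]
CLASSIFY_SEVERITY = {
    "critical": ["hardcoded_secrets", "broken_access_control"],
    "high": ["sql_injection", "ssrf"],
    "medium": ["xss"],
    "low": ["weak_crypto"],
}
FRAMEWORKS = ["OWASP_TOP_10", "SOC2", "GDPR", "PCI_DSS", "ISO_27001"]
MAPPING = {
    "sql_injection": "OWASP_A03",
    "xss": "OWASP_A03",
    "broken_access_control": "OWASP_A01",
    "hardcoded_secrets": "SOC2_CC6",
    "weak_crypto": "PCI_DSS_3",
}


def coverage_gaps(detect, classify, mapping, frameworks):
    """Return the places where the detect list, severity table and mapping disagree."""
    rated = {t for types in classify.values() for t in types}
    # Assumption: a mapping value belongs to the framework whose first
    # "_"-separated token it starts with (OWASP_A03 -> OWASP_TOP_10).
    used = {f for f in frameworks
            if any(v.startswith(f.split("_")[0]) for v in mapping.values())}
    return {
        # Detected, but no severity: the finding cannot be gated on.
        "unrated": [t for t in detect if t not in rated],
        # Detected, but no control reference: missing from the compliance report.
        "unmapped": [t for t in detect if t not in mapping],
        # Rated or mapped, but never detected: dead configuration or a typo.
        "undeclared": sorted((rated | set(mapping)) - set(detect)),
        # Framework listed, but nothing maps into it.
        "frameworks_without_mapping": [f for f in frameworks if f not in used],
    }


if __name__ == "__main__":
    gaps = coverage_gaps(DETECT, CLASSIFY_SEVERITY, MAPPING, FRAMEWORKS)
    for kind, items in gaps.items():
        print(f"{kind}: {', '.join(items) or 'none'}")
```
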

Challenges We Ran Into

  • Balancing detail and noise: Too many findings overwhelm reviewers; too few miss vulnerabilities.
  • Making compliance actionable instead of checkbox-based.
  • Natural GitLab integration with MR triggers and mentions.
  • Designing deterministic prompts for CI-like workflows.

Accomplishments

  • Designed multi-agent workflows that chain together seamlessly
  • Created structured agent skills that focus on specific tasks
  • Built practical vulnerability classification tied to OWASP Top 10
  • Translated compliance frameworks into actionable, audit-friendly checklists
  • Achieved seamless GitLab integration so SecureShip feels built-in
  • Demonstrated how to write constrained LLM instructions for CI workflows

What We Learned

  • How to design GitLab Duo Flows with multiple interdependent agents
  • How to structure domain logic into focused skills (security vs compliance)
  • How to leverage MR-diff context for targeted, efficient analysis
  • Deep knowledge of vulnerability categories and OWASP mappings
  • How to translate compliance frameworks into machine-readable logic
  • How to write deterministic prompts for external LLMs in production workflows

What's Next for SecureShip

  • Customization: Tune severity thresholds and compliance frameworks per project
  • Remediation suggestions: AI-generated fix proposals
  • Metrics & dashboards: Track security and compliance trends
  • Integration with CI/CD: Block merges based on severity policies
  • Multi-language support
  • Audit trail: Generate audit-ready compliance reports

Example MR Comment Output

{
  "vulnerabilities": [
    {
      "type": "SQL Injection",
      "severity": "High",
      "file": "user/login.js",
      "line": 42,
      "fix": "Use parameterized queries"
    }
  ],
  "compliance": {
    "OWASP": "A03: Injection",
    "SOC2": "CC6",
    "GDPR": "Article 32 - Security of Processing"
  }
}
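
A comment in this shape is model output produced from the contents of the diff, so a merge gate should validate it before acting on it. The sketch below is an added example, not SecureShip's code: it rejects findings that do not match the merge request, takes severity from the page's `classify_severity` table instead of the model's label, and fails closed. The function name, the `changed_files` argument and the `block_at` threshold are assumptions.

```python
import json

# Severity per finding type, transcribed from classify_severity on this page.
SEVERITY = {"hardcoded_secrets": "critical", "broken_access_control": "critical",
            "sql_injection": "high", "ssrf": "high", "xss": "medium",
            "weak_crypto": "low"}
ORDER = ["low", "medium", "high", "critical"]


def check_comment(raw, changed_files, block_at="high"):
    """Validate agent JSON against the MR; anything malformed blocks the merge."""
    result = {"findings": [], "rejected": [], "corrected": [], "block": True}
    try:
        doc = json.loads(raw)
    except (ValueError, TypeError):
        doc = None
    items = doc.get("vulnerabilities") if isinstance(doc, dict) else None
    if not isinstance(items, list):
        result["rejected"].append("expected an object with a 'vulnerabilities' list")
        return result
    for i, v in enumerate(items):
        v = v if isinstance(v, dict) else {}
        kind = str(v.get("type", "")).strip().lower().replace(" ", "_")
        path, line = v.get("file"), v.get("line")
        if kind not in SEVERITY:
            result["rejected"].append(f"[{i}] unknown type")
        elif not isinstance(path, str) or path not in changed_files:
            result["rejected"].append(f"[{i}] file is not in the MR diff")
        elif type(line) is not int or line < 1:
            result["rejected"].append(f"[{i}] line is not a positive integer")
        else:
            sev = SEVERITY[kind]  # the table decides, not the model's label
            if str(v.get("severity", "")).lower() != sev:
                result["corrected"].append(f"[{i}] severity set to {sev}")
            result["findings"].append(
                {"type": kind, "severity": sev, "file": path, "line": line})
    worst = max((ORDER.index(f["severity"]) for f in result["findings"]), default=-1)
    result["block"] = bool(result["rejected"]) or worst >= ORDER.index(block_at)
    return result


# The finding from the page's example comment.
PAGE_EXAMPLE = json.dumps({"vulnerabilities": [
    {"type": "SQL Injection", "severity": "High", "file": "user/login.js",
     "line": 42, "fix": "Use parameterized queries"}]})
# Constructed variant: downgraded label, plus a finding outside the diff.
CONSTRUCTED = json.dumps({"vulnerabilities": [
    {"type": "SQL Injection", "severity": "Low", "file": "user/login.js", "line": 42},
    {"type": "XSS", "severity": "Medium", "file": "config/deploy.yml", "line": 3}]})
```
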

License

MIT License


Links

GitLab
OWASP Top 10
SOC 2
GDPR
PCI-DSS
ISO 27001


Built With

  • ai
  • yaml