ORBIT-GUARDIAN — Forensic MR Auditor for GitLab Orbit
Inspiration
Every security conversation about CI/CD focuses on the code: SAST, DAST, SonarQube, dependency scanners. None ask the question that keeps security teams up at night: "Is the person behind this merge request who they say they are, and are they acting in good faith?"
Supply chain attacks don't start with a 0-day. They start with a trusted contributor whose account got compromised, or social engineering embedded in a PR description: "quick hotfix, CTO approved, please merge before EOD." Those signals are invisible to existing CI/CD tools because they're not in the diff — they're in the human layer around it.
ORBIT-GUARDIAN exists to read that layer.
What it does
ORBIT-GUARDIAN is a forensic merge request auditor that plugs into GitLab Orbit's code graph. For every MR, it analyzes:
- Authorship anomalies — writing style changes, timing patterns that don't match the contributor's history
- Obfuscated payloads — base64 injection, high-entropy code clusters, encryption indicators hidden in diffs
- Social engineering — urgency manipulation, authority spoofing, Gricean maxim violations, and Cialdini's six persuasion principles scored against every word in the description and comments
Three independent forensic cores run in parallel — EntropyCore, SemioticCore, and ManipulationCore — and a corroboration gate requires at least two to agree before escalating beyond WARN. The result posts as an MR comment: a structured verdict (PASS / WARN / REQUIRE_REVIEW / BLOCK), a tamper-evident SHA-256-sealed audit chain, and a devil's advocate counter-hypothesis for every HIGH-severity finding so reviewers see both sides before acting.
No LLM in the verdict loop. Scoring uses Python fractions.Fraction — deterministic rational arithmetic, identical results every run.
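To make the corroboration gate and the Fraction-only scoring concrete, here is an added Python example; it is my illustration, not ORBIT-GUARDIAN's own code. The core names and verdict labels come from the description above. The 1/2 firing threshold, the rule that BLOCK needs all three cores firing with a mean of at least 4/5, the pressure-phrase list behind the toy ManipulationCore, and the sample MR descriptions are all assumptions constructed for the demo.

```python
from fractions import Fraction

# Assumed parameters (not the project's): a core "fires" at score >= 1/2;
# BLOCK additionally requires all three cores firing with a mean score >= 4/5.
FIRE_THRESHOLD = Fraction(1, 2)
BLOCK_THRESHOLD = Fraction(4, 5)

# Constructed urgency / authority phrases for a toy ManipulationCore.
PHRASES = ("quick hotfix", "cto approved", "please merge", "before eod")


def manipulation_score(description: str) -> Fraction:
    """Fraction of known pressure phrases present in the MR description.
    Rational arithmetic only, so the same text always yields the same score."""
    text = " ".join(description.lower().split())
    hits = sum(1 for p in PHRASES if p in text)
    return Fraction(hits, len(PHRASES))


def corroborate(core_scores: dict) -> tuple:
    """Apply the two-of-three corroboration gate.

    core_scores maps core name -> score in [0, 1]; values may be Fractions,
    ints or strings such as "3/10" (anything fractions.Fraction accepts).
    Returns (verdict, fired_cores): a single firing core caps the verdict at
    WARN, two or more are needed for REQUIRE_REVIEW, and BLOCK needs all of
    them plus a high mean.
    """
    scores = {name: Fraction(v) for name, v in core_scores.items()}
    for name, s in scores.items():
        if not 0 <= s <= 1:
            raise ValueError(f"{name}: score {s} outside [0, 1]")
    fired = sorted(name for name, s in scores.items() if s >= FIRE_THRESHOLD)
    if not fired:
        return "PASS", fired
    if len(fired) == 1:
        return "WARN", fired
    mean = sum(scores.values(), Fraction(0)) / len(scores)
    if len(fired) == len(scores) and mean >= BLOCK_THRESHOLD:
        return "BLOCK", fired
    return "REQUIRE_REVIEW", fired


def audit_description(description: str, entropy, semiotic) -> tuple:
    """Combine the text-derived ManipulationCore score with externally
    supplied EntropyCore / SemioticCore scores and run the gate."""
    return corroborate({
        "EntropyCore": entropy,
        "SemioticCore": semiotic,
        "ManipulationCore": manipulation_score(description),
    })


if __name__ == "__main__":
    # Constructed MR descriptions: one pressure-laden, one ordinary.
    pushy = "Quick hotfix, CTO approved, please merge before EOD"
    calm = "Refactor the retry helper; adds tests for the backoff schedule"
    print(audit_description(pushy, "1/10", "2/10"))  # one core fires -> WARN
    print(audit_description(pushy, "9/10", "2/10"))  # two fire -> REQUIRE_REVIEW
    print(audit_description(pushy, "9/10", "4/5"))   # all fire, mean 9/10 -> BLOCK
    print(audit_description(calm, "1/10", "1/10"))   # nothing fires -> PASS
```

The gate is where the noise argument from the Challenges section lives: the pushy description alone scores 1 on the manipulation axis, but with the other two cores quiet it can never climb past WARN. Because every score is a Fraction and the mean is computed as a Fraction, the verdict for a given input is bit-for-bit identical on every run and on every machine.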
How I built it
Backend: Python + FastAPI. All forensic scoring uses fractions.Fraction — no floats touch the verdict pipeline. Shannon entropy for payload detection. Gunning Fog Index for readability anomalies. Grice's cooperative maxims and Carnegie's influence taxonomy as rule engines.
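The Shannon-entropy payload check is where the no-floats rule bites hardest, because log2 of a probability is irrational. The added Python example below is my illustration, not the project's code: it shows one way to decide "entropy of this token is at least t bits" exactly, using only Python integers, by clearing the logarithms from the inequality, and then runs that test over the added lines of a constructed diff. The base64-alphabet token pattern, the 4-bit threshold, the 256-character cap and the sample diff are all assumptions.

```python
import re
from collections import Counter
from fractions import Fraction

# Assumed: candidate payloads are runs of base64-alphabet characters, 24+ long.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")
MAX_TOKEN = 256             # assumed cap so the integer powers stay manageable
DEFAULT_BITS = Fraction(4)  # assumed threshold: >= 4 bits of entropy per character


def entropy_at_least(token: str, bits) -> bool:
    """Exact test of H(token) >= bits using integers only.

    With n = len(token) and c_i the count of each distinct character,
        H = log2(n) - (1/n) * sum(c_i * log2(c_i)).
    For bits = p/q, multiplying through by n*q and exponentiating gives
        n^(n*q) >= 2^(p*n) * prod(c_i^(c_i*q)),
    which Python's arbitrary-precision integers evaluate without rounding.
    """
    bits = Fraction(bits)
    n = len(token)
    if n == 0:
        return False
    p, q = bits.numerator, bits.denominator
    lhs = n ** (n * q)
    rhs = 2 ** (p * n)
    for c in Counter(token).values():
        rhs *= c ** (c * q)
    return lhs >= rhs


def high_entropy_tokens(diff_text: str, bits=DEFAULT_BITS) -> list:
    """Scan only the added lines of a unified diff and return the tokens
    that pass the entropy threshold."""
    hits = []
    for line in diff_text.splitlines():
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in TOKEN_RE.finditer(line[1:]):
            token = m.group(0)[:MAX_TOKEN]
            if entropy_at_least(token, bits):
                hits.append(token)
    return hits


# Constructed diff: a random-looking 32-character blob with all-distinct
# characters (5 bits/char), a long but repetitive constant (0 bits/char),
# and a removed line that must be ignored because it is not an addition.
SAMPLE_DIFF = """\
--- a/app/config.py
+++ b/app/config.py
@@ -1,3 +1,4 @@
 import base64
-OLD_KEY = "aZ9bY8cX7dW6eV5fU4gT3hS2iR1jQ0kP"
+PADDING = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+_blob = "aZ9bY8cX7dW6eV5fU4gT3hS2iR1jQ0kP"
"""

if __name__ == "__main__":
    print(high_entropy_tokens(SAMPLE_DIFF))
```

The boundary case matters: `entropy_at_least("aaaabbbb", 1)` is exactly 1 bit and is accepted, while a float implementation could land on 0.9999999 and reject it depending on summation order. The cost is integer size, which is why the cap on token length exists; for realistic secrets and encoded blobs the comparison is still instantaneous.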
GitLab Orbit integration: The blast radius module queries Orbit Local's code graph via orbit CLI to measure the structural impact of changed files before scoring — a change touching 40 downstream dependencies gets weighted differently than an isolated utility function.
Audit chain: Every session gets a cryptographic nonce derived from the first evidence hash. Each subsequent finding is chained via SHA-256. Any tampering breaks all downstream hashes — the chain is tamper-evident by construction.
Frontend: A single-file browser SPA, no build step. Designed as a laboratory instrument: dark substrate, one living color for verdicts, monospace for everything the forensic engine says.
Challenges
The hardest problem was the corroboration gate. A single suspicious signal is almost always noise. An urgency phrase in a commit message could be a stressed engineer having a bad week — not a social engineering attack. Calibrating three independent scoring systems against each other, not just individually, was the key.
The second challenge was making the audit chain genuinely tamper-evident without external dependencies. Deriving the session nonce from the first evidence hash and chaining every subsequent finding means the chain is self-sealing: you can't retroactively insert or modify a finding without breaking everything that came after it.
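The "Audit chain" paragraph under How I built it and the second challenge above describe the same construction: a session nonce derived from the first evidence hash, then every finding sealed against the previous seal with SHA-256. The added Python example below is my illustration of that construction, not ORBIT-GUARDIAN's code. The canonical-JSON evidence hashing, the exact nonce derivation (a domain-separated SHA-256 of the first evidence hash) and the sample findings are assumptions. It builds a chain, replays it, and then shows what an edited finding and an inserted finding each do to verification.

```python
import copy
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evidence_hash(finding: dict) -> str:
    """Hash a finding as canonical JSON so key order cannot change the hash."""
    canonical = json.dumps(finding, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def session_nonce(first_evidence: str) -> str:
    # Assumed derivation: domain-separated SHA-256 of the first evidence hash.
    return sha256_hex(b"orbit-guardian/nonce:" + first_evidence.encode("ascii"))


def seal_for(prev: str, evidence: str) -> str:
    return sha256_hex((prev + evidence).encode("ascii"))


class AuditChain:
    """Append-only list of findings where each seal commits to the one before."""

    def __init__(self):
        self.entries = []  # each: {"finding", "evidence", "prev", "seal"}

    def append(self, finding: dict) -> str:
        evidence = evidence_hash(finding)
        prev = session_nonce(evidence) if not self.entries else self.entries[-1]["seal"]
        seal = seal_for(prev, evidence)
        self.entries.append({"finding": copy.deepcopy(finding), "evidence": evidence,
                             "prev": prev, "seal": seal})
        return seal


def first_broken_link(entries: list):
    """Replay the chain from scratch; return the index of the first entry
    that fails to verify, or None if every link holds."""
    if not entries:
        return None
    expected_prev = session_nonce(evidence_hash(entries[0]["finding"]))
    for i, e in enumerate(entries):
        evidence = evidence_hash(e["finding"])
        if evidence != e["evidence"] or e["prev"] != expected_prev:
            return i
        if seal_for(expected_prev, evidence) != e["seal"]:
            return i
        expected_prev = e["seal"]
    return None


# Constructed findings for the demo.
FINDINGS = [
    {"core": "ManipulationCore", "signal": "urgency phrase", "severity": "MEDIUM", "score": "3/4"},
    {"core": "EntropyCore", "signal": "high-entropy token", "severity": "HIGH", "score": "9/10"},
    {"core": "SemioticCore", "signal": "readability shift", "severity": "LOW", "score": "1/5"},
]


def build_chain(findings=FINDINGS) -> AuditChain:
    chain = AuditChain()
    for f in findings:
        chain.append(f)
    return chain


def tamper_demo() -> dict:
    """Return the first broken index for an intact chain, for a chain whose
    entry 1 was edited in place, and for a chain with a correctly sealed
    forged entry inserted at position 1."""
    intact = build_chain().entries

    modified = copy.deepcopy(intact)
    modified[1]["finding"]["severity"] = "LOW"  # downgrade a HIGH finding after the fact

    inserted = copy.deepcopy(intact)
    forged = {"core": "SemioticCore", "signal": "none", "severity": "LOW", "score": "0"}
    ev = evidence_hash(forged)
    prev = inserted[0]["seal"]
    inserted.insert(1, {"finding": forged, "evidence": ev, "prev": prev, "seal": seal_for(prev, ev)})

    return {
        "intact": first_broken_link(intact),      # None
        "modified": first_broken_link(modified),  # 1: stored evidence no longer matches
        "inserted": first_broken_link(inserted),  # 2: the old entry does not follow the forged seal
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Two properties are worth checking in review. First, determinism: the same findings in the same order always produce the same final seal, so the seal posted in the MR comment can be recomputed by anyone holding the findings. Second, the limit of "tamper-evident": whoever holds the entire list can re-seal every entry from the modified one onward, so the chain only detects tampering relative to a seal recorded somewhere the editor cannot reach, such as the MR comment itself or a signed record outside the pipeline.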
Accomplishments
Shipping a security tool where every verdict claim is mathematically reproducible. "The speedup is not a claim on a slide, it is a chain of hashes anyone can replay" — same philosophy here. ORBIT-GUARDIAN doesn't tell you a merge request is suspicious. It shows you the exact sequence of signals, the arithmetic that produced the score, and the strongest argument against its own conclusion.
What I learned
I came into this hackathon not knowing how GitLab's merge request system worked — I'd never submitted an MR to a production open source project before. Learning the contribution workflow while building a tool about merge request integrity was unexpectedly fitting. Reading the Orbit codebase to understand integration taught me more about real-world graph-based code analysis than any tutorial would have.
What's next
- GitHub Action version — same forensic engine, triggered on every PR
- Streaming mode — analyze MR comments in real time as a review conversation unfolds
- Baseline learning — build per-contributor writing style models from MR history so anomaly detection is personalized, not generic
- GitLab Duo integration — surface findings directly in the Duo chat interface so reviewers can interrogate evidence without leaving the MR
Contribute Track — Merge Requests to GitLab Orbit
A personal note: this hackathon was my first time contributing to production open source. I didn't know how the MR system worked, wasn't sure my contributions would be good enough, and almost didn't submit them. I'm glad I did.
| MR | Title | What it fixed |
|---|---|---|
| !1840 | Python __init__.py Root Scope Fix | __init__.py at repository root incorrectly emitted "__init__" as module scope, producing broken graph edges for relative imports. Added 10 unit tests. |
| !1841 | Missing Limit Bounds Check | The limit query parameter had no Rust-level guard — values up to ~4 billion could reach ClickHouse. Added runtime cap (1–1000) and 4 boundary tests. |
| !1842 | FK Star + Elevated Security Filter | FK star optimization removed the node table scan that SecurityPass needed for role-gated filters. Security Managers with valid roles saw 0 results. Disabled star optimization when peripheral nodes need elevated filters. |
| !1843 | Lua Language Support | Added Lua as fully indexed language: global/local function declarations, require() imports (all quote variants), tree-sitter wiring, 10 unit tests, 2 YAML integration fixtures. |
Links
- Repository: https://gitlab.com/anna.tchijova/orbit-guardian
- Demo Video: [YouTube URL]
- Live Demo: https://orbit-guardian-orcin.vercel.app/
Built With
- cli
- fastapi
- fractions.fraction
- gitlab
- html/css
- orbit
- python
- sha-256