Inspiration
Every security engineer knows the feeling. A critical CVE drops at 2am. The Slack message reads: "requests library has a remote code execution vulnerability. Are we affected?"
And then the real work begins: manually opening each repository, searching dependency files one by one, trying to remember who owns which service, and checking whether pipelines are even running security scans. For organisations with 20, 50, or 100 repositories, this process takes hours. Hours of exposure. Hours where attackers can move faster than defenders.
I built the ORBIT Security Blast Radius Agent because I believe that the question "which of our services are affected?" should take 30 seconds, not 4 hours. And with GitLab Orbit's knowledge graph, it finally can.
What It Does
The ORBIT Security Blast Radius Agent is a GitLab Duo agent that performs organisation-wide security impact analysis using Orbit's cross-repository knowledge graph.
When a developer or security engineer asks about a CVE or vulnerable dependency, the agent:
- Queries Orbit's knowledge graph across all repositories simultaneously
- Finds every file importing the vulnerable library across all repos, all languages
- Identifies the owners of each affected service by name
- Checks which repositories are missing security scan pipelines entirely
- Ranks affected repositories by actual risk: authentication and payment services first, archived repos last
- Delivers a complete Blast Radius Report with a prioritised remediation plan
- Generates a ready-to-use CI/CD snippet for repositories missing security scans
- Offers to create GitLab issues in each affected repository with the owner assigned
A question that once took hours now takes 30 seconds.
How I Built It
The project is built entirely on the GitLab Duo Agent Platform using the Agent Skills specification.
The Agent was created in the GitLab UI with three tools enabled:
- Orbit: Get Graph Schema, which discovers what node types and relationships Orbit has indexed for the organisation
- Orbit: Query Graph, which executes cross-repository graph queries to trace vulnerability impact across all repos
- Create Issue, which automatically creates remediation issues with owners assigned
The Skill lives in skills/blast-radius/SKILL.md. This is the core of the project. It teaches the agent an 8-step structured workflow: get schema → find affected files cross-repo → find owners → check pipeline coverage → rank by risk → generate report → provide CI snippet → offer follow-up actions.
The System Prompt defines the agent's identity, its structured output format (the Blast Radius Report), and its rules: always use Orbit, never guess, always name specific files and owners, always rank by risk.
The key technical insight is what makes Orbit uniquely suited to this problem: standard GitLab APIs are project-scoped. To check 50 repositories, you need 50 API calls, manual aggregation, and you still get no cross-file function reference data. Orbit indexes the entire organisation as a single property graph; one query covers every repository, every file, every function reference, every pipeline, and every contributor simultaneously.
Challenges I Faced
Understanding Orbit's query model was the first challenge. Orbit is not a traditional search; it is a property graph. I had to understand how node types (File, Repository, Contributor, Pipeline, SecurityFinding) relate to each other before I could design queries that produce meaningful security impact analysis.
Designing the risk ranking logic without a trained ML model was a real challenge. I wanted the agent to rank repositories by actual risk, not alphabetically. The solution was to use observable signals from Orbit data: repository names containing "auth", "payment", "session", or "credentials" are CRITICAL. Repos with recent MR activity are HIGH. Archived repos are LOW. This is transparent, explainable, and does not require a model.
Making the output actionable rather than just informational took several iterations of the system prompt. Early versions produced reports that listed affected files but did not tell the engineer what to do next. The final version always includes: safe upgrade version, CI snippet for missing scans, and an offer to create remediation issues with owners assigned.
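To make the ranking and the actionable report concrete, here is an added example (my own illustration, not code from the ORBIT agent or from GitLab) that applies the three observable signals above to constructed repository records of the shape a cross-repo import query might return, attaches a one-line reason to every label so the result stays explainable, and emits a dependency-scanning CI snippet for repos that have no security scan. The 30-day window for "recent MR activity", the precedence order (archived first, then name keywords, then activity), the MEDIUM default for repos with no signal, and the record fields are all assumptions; `Security/Dependency-Scanning.gitlab-ci.yml` is a real GitLab-managed template.

```python
"""Rule-based blast-radius ranking over constructed Orbit-style repository records."""
from dataclasses import dataclass
from typing import List, Optional

# Observable signals from the write-up. The 30-day window, the precedence
# order and the MEDIUM default are assumptions made for this example.
CRITICAL_KEYWORDS = ("auth", "payment", "session", "credentials")
RECENT_MR_DAYS = 30
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Assumed snippet handed to repositories with no security scan job.
# The template name is a real GitLab-managed CI template.
CI_SNIPPET = """include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
"""


@dataclass
class Repo:
    """Assumed shape of one affected-repository record from the graph query."""
    name: str
    affected_files: List[str]
    owners: List[str]
    archived: bool = False
    days_since_last_mr: Optional[int] = None
    has_security_scan: bool = False


def rank_repo(repo: Repo):
    """Return (severity, reason); every label is tied to one observable signal."""
    if repo.archived:
        return "LOW", "repository is archived"
    lowered = repo.name.lower()
    hits = [k for k in CRITICAL_KEYWORDS if k in lowered]
    if hits:
        return "CRITICAL", "name contains " + ", ".join(repr(h) for h in hits)
    if repo.days_since_last_mr is not None and repo.days_since_last_mr <= RECENT_MR_DAYS:
        return "HIGH", f"merge request activity {repo.days_since_last_mr} days ago"
    return "MEDIUM", "no elevating or lowering signal"


def blast_radius(repos: List[Repo]):
    """Rank affected repos by severity, then name, keeping the reason for each."""
    rows = []
    for r in repos:
        severity, reason = rank_repo(r)
        rows.append({
            "name": r.name, "severity": severity, "reason": reason,
            "files": r.affected_files, "owners": r.owners,
            "needs_ci_snippet": not r.has_security_scan,
        })
    rows.sort(key=lambda row: (SEVERITY_ORDER[row["severity"]], row["name"]))
    return rows


def render_report(rows, library: str) -> str:
    """Plain-text Blast Radius Report: ranked repos, files, owners, next step."""
    lines = [f"Blast Radius Report: {library}", ""]
    for row in rows:
        lines.append(f"[{row['severity']}] {row['name']} ({row['reason']})")
        for path in row["files"]:
            lines.append(f"  file: {path}")
        lines.append("  owners: " + (", ".join(row["owners"]) or "unknown"))
        if row["needs_ci_snippet"]:
            lines.append("  missing security scan; add to .gitlab-ci.yml:")
            lines.extend("    " + snippet_line for snippet_line in CI_SNIPPET.splitlines())
    return "\n".join(lines)


# Constructed sample: what a cross-repo query for importers of `requests` might return.
SAMPLE_REPOS = [
    Repo("web-frontend", ["app/client.py"], ["dana"], days_since_last_mr=3),
    Repo("legacy-reports", ["report/fetch.py"], ["sam"], archived=True),
    Repo("payment-gateway", ["gateway/http.py", "gateway/retry.py"], ["lee"],
         days_since_last_mr=120, has_security_scan=True),
    Repo("data-export", ["export/upload.py"], [], days_since_last_mr=400),
]

if __name__ == "__main__":
    print(render_report(blast_radius(SAMPLE_REPOS), "requests"))
```

The design choice worth noting is that `rank_repo` never returns a bare label: the reason string is part of the return value, so a report line like `[CRITICAL] payment-gateway (name contains 'payment')` can be checked by the engineer against the repository itself rather than trusted as an opaque score.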
What I Learned
GitLab Orbit's cross-repo graph queries are genuinely powerful; the ability to trace function references and import statements across an entire organisation in a single query is something no standard API provides.
Explainability matters more than accuracy for AI security tools. Engineers will not act on a mysterious risk score. Every ranking in the Blast Radius Report must be explained by observable Orbit data.
The Agent Skills specification is a clean, powerful way to encode complex workflows; the 8-step query workflow in SKILL.md gives the agent consistent, structured behaviour across all security queries.
Security impact analysis is fundamentally a graph problem. Vulnerability blast radius is about tracing relationships: which file calls which function, which service depends on which library. Graph databases like Orbit are the right tool for this problem.
What's Next
- Multi-CVE batch analysis: "Scan all repos against this week's NVD CVE feed and rank everything by risk"
- Scheduled blast radius reports: weekly email/Slack summary of the organisation's security posture
- MR-triggered analysis: automatically run a blast radius check when a dependency file is changed in any merge request
- Historical trending: track how security posture improves over time as teams patch vulnerabilities
Impact
The average time to assess CVE blast radius across a multi-repo organisation is 4+ hours with manual methods. This agent reduces that to under 30 seconds using GitLab Orbit's unique cross-repository knowledge graph.
For a security team managing 50 repositories, this agent can save hundreds of hours per year and, more importantly, close the window between CVE publication and remediation before attackers can exploit it.
Built With
- gitlab-agent-skills-specification
- gitlab-ci/cd
- gitlab-duo-agent-platform
- gitlab-duo-chat
- gitlab-orbit-get-graph-schema-api
- gitlab-orbit-knowledge-graph
- gitlab-orbit-query-graph-api
- markdown
- yaml