Inspiration

Personal: I'm an engineer who watched teams waste days on manual vulnerability analysis. This frustrated me.

Problem: Security teams spend 4+ hours per vulnerability analyzing impact, identifying owners, and writing fixes.

Solution: I built Orbit Tracer Security Agent to automate this entire workflow.

What it does

For security teams:

  • Reduces analysis time: 4+ hours → 45 seconds (99.8% faster)
  • Saves per team: 40+ hours/month
  • Saves organization: 40+ hours × number of security teams

For engineering teams:

  • Faster vulnerability remediation
  • Secure code generation
  • Clear ownership and accountability

Orbit Tracer is an intelligent security agent that:

  • Analyzes security findings from GitLab SAST scans
  • Traces blast radius using Orbit's knowledge graph (3-hop dependency analysis)
  • Scores risk intelligently (1-10) based on organizational impact
  • Identifies affected services and code owners
  • Generates secure code automatically in 7+ languages
  • Creates merge requests with HITL approval gates

Works with ANY project structure and ANY team size; supports Python, JavaScript, Go, Java, C#, C++, Rust, etc.

How we built it

  • Agent Framework: GitLab Duo with a 1000+ line system prompt
  • Knowledge Graph: Orbit API for multi-hop dependency tracing
  • Risk Engine: Multi-factor scoring (Severity × Impact × Exploitability)
  • Code Generation: Claude AI with language detection
  • Integration: GitLab REST API for MR creation and assignment

Challenges

  1. Universal Design - Built for ANY project, not just ours. Solution: Leverage Orbit instead of hardcoding patterns.
  2. Accurate Risk Scoring - CVSS alone doesn't capture business impact. Solution: Multi-factor algorithm + compliance awareness.
  3. Language-Agnostic - Different languages, same remediation. Solution: Pattern-based approach with language bindings.
  4. Safety + Speed - Too much automation = risky, too slow = pointless. Solution: Risk-based approval gating (auto-approve LOW/MEDIUM, require review CRITICAL/HIGH).
  5. Integration Complexity - Getting systems to work together. Solution: Clear abstraction layers and comprehensive documentation.
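As an added illustration (not Orbit Tracer's own code), here is the workflow the Risk Engine bullet and Challenge 4 describe: a 3-hop blast-radius trace over a dependency graph, a Severity × Impact × Exploitability score on a 1-10 scale with compliance awareness, and risk-based approval gating. The dependency graph, compliance tags, weights and band thresholds are constructed assumptions.

```python
from collections import deque

# Constructed service dependency graph: service -> services that depend on it.
DEPENDENTS = {
    "auth-lib": ["api-gateway", "billing"],
    "api-gateway": ["web-frontend"],
    "billing": ["invoicing"],
    "invoicing": ["reporting"],
    "reporting": ["exec-dashboard"],
}
# Constructed compliance tags: regulated data handled by each service.
COMPLIANCE = {"billing": {"PCI-DSS"}, "invoicing": {"PCI-DSS"}, "web-frontend": {"GDPR"}}
# Assumed severity weights (SAST severity label -> factor in [0, 1]).
SEVERITY_WEIGHT = {"Low": 0.25, "Medium": 0.5, "High": 0.75, "Critical": 1.0}


def blast_radius(service, max_hops=3):
    """Breadth-first trace of downstream dependents up to max_hops away."""
    seen, reached, frontier = {service}, [], deque([(service, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == max_hops:          # stop expanding beyond the hop limit
            continue
        for dep in DEPENDENTS.get(node, []):
            if dep not in seen:
                seen.add(dep)
                reached.append(dep)
                frontier.append((dep, depth + 1))
    return reached


def score_finding(severity, service, exploitability):
    """Return (score 1-10, affected services, regulations touched)."""
    affected = blast_radius(service)
    # Assumed impact model: grows with blast radius, bumped when regulated
    # data sits anywhere in the affected set (compliance awareness).
    impact = min(1.0, 0.3 + 0.1 * len(affected))
    regs = set().union(*(COMPLIANCE.get(s, set()) for s in [service] + affected))
    if regs:
        impact = min(1.0, impact + 0.2)
    raw = SEVERITY_WEIGHT[severity] * impact * exploitability   # in [0, 1]
    return max(1, round(raw * 10)), affected, regs


def approval_gate(score):
    """Risk-based gating: auto-approve LOW/MEDIUM, human review HIGH/CRITICAL."""
    band = "LOW" if score <= 3 else "MEDIUM" if score <= 5 else "HIGH" if score <= 7 else "CRITICAL"
    return band, "auto-approve" if band in ("LOW", "MEDIUM") else "require-review"
```

With the constructed graph, a Critical finding in `auth-lib` reaches five services within three hops (the fourth-hop `exec-dashboard` is excluded), picks up PCI-DSS and GDPR exposure, scores 9 and is gated for review, while a Medium finding in `reporting` scores 1 and is auto-approved.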

Accomplishments

  • Enterprise-grade agent - Production-ready code with full documentation
  • Intelligent blast radius - 3-hop Orbit tracing shows true organizational impact
  • Universal applicability - One agent, any project structure, any team
  • Measurable impact - 99.8% time savings (4+ hours → 45 seconds per vulnerability)
  • Compliance-aware - Understands GDPR, PCI-DSS, HIPAA implications
  • Professional submission - README, security policy, test cases, OpenAPI spec

What we learned

  1. Knowledge graphs enable universal solutions (better than hardcoding)
  2. Risk assessment requires organizational context, not just vulnerability scores
  3. Separating concepts from implementations enables language-agnostic design
  4. HITL (Human-in-the-Loop) is a feature, not a compromise
  5. Professional documentation and polish matter to judges

What's next

Market opportunity:

The global AppSec market faces a critical bottleneck. Organizations can't analyze vulnerabilities fast enough. Orbit Tracer solves this for any team, any codebase, any language.

Market size: Every organization using GitLab (thousands globally)

Vision:

  • Phase 2: Real-time vulnerability tracking dashboard
  • Phase 3: Automated scheduled remediation
  • Phase 4: Multi-organization enterprise features
  • Phase 5: Open source ecosystem + SaaS platform
  • Goal: Become the standard for automated security remediation
