PathForge Duo

GitLab-triggered AI agent that detects risky CI/CD paths in merge requests and automatically posts review comments and remediation issues before unsafe changes reach production.

Comment

Inspiration

CI/CD changes can silently create unsafe paths to production. A small merge request that modifies pipeline logic, deploy scripts, environment configuration, token usage, or validation behavior can have much larger consequences than a reviewer immediately sees.

We built PathForge Duo to solve that problem. Instead of treating a merge request as just a file diff, PathForge Duo models it as a deployment-risk path through the CI/CD system and turns that into actionable GitLab decisions.

Problem

CI/CD merge requests often look small at the file-diff level, but they can quietly create dangerous deployment paths to production. Changes to pipeline logic, deploy scripts, environment configuration, token usage, or validation behavior may introduce privilege escalation, unsafe runner trust, or weakened release controls that are difficult for reviewers to detect quickly.

Traditional review workflows do not always capture how a single merge request can affect the broader deployment chain. As a result, risky paths to production may go unnoticed until they become operational incidents.

Solution

PathForge Duo is a GitLab-triggered AI risk agent for CI/CD.

When a merge request event happens, PathForge Duo:

  • receives the real GitLab webhook
  • analyzes the CI/CD risk scenario behind the merge request
  • models the path from Merge Request → Pipeline → Job → Token → Runner → Environment → Deploy Target
  • scores the risk
  • estimates blast radius
  • recommends the best intervention
  • automatically posts a merge request comment
  • automatically creates a remediation issue

The system is designed to detect high-value CI/CD risk patterns such as:

  • unsafe production deployment reachability
  • privileged token exposure
  • weak or non-isolated runner trust
  • staging vs production risk differences
  • validation / rollback bypass in release flows

How it works

Graph-based CI/CD attack path reasoning

PathForge Duo models CI/CD risk as an attack-path problem rather than a flat checklist.

For each merge request, it builds a structured path through the delivery system:

Merge Request → Pipeline → Job → Token → Runner → Environment → Deploy Target

This graph allows the system to reason about:

  • whether production is reachable
  • where privilege is concentrated
  • whether runners are isolated or shared
  • how tokens and environments affect blast radius
  • whether deployment safety controls are being weakened

Instead of asking only “what files changed?”, the system asks “what risky path does this change create or strengthen inside the CI/CD system?” That makes the review output much more operationally useful.

Memory-guided reasoning

A key innovation in PathForge Duo is its memory-guided risk layer. Instead of treating each CI/CD event as an isolated one-time signal, the system maintains memory over risk-bearing nodes such as privileged jobs, tokens, runners, environments, and deployment targets.

Repeated risky paths reinforce those nodes over time, while unused risk patterns gradually decay. This allows PathForge Duo to become more sensitive to recurring production and privilege-related exposure instead of reacting only to a single merge request in isolation.

In practice, this means the agent can prioritize intervention based on both:

  • the current merge request risk path
  • the historical structure of repeated CI/CD exposure

This gives the system a stronger notion of operational context. A merge request is not only judged by what changed now, but also by whether it continues or strengthens an already risky deployment pathway. As a result, PathForge Duo can make more informed review decisions, improve prioritization, and better identify persistent CI/CD risk patterns before they become incidents.

Sustainable Design Justification

PathForge Duo supports sustainable software delivery by detecting unsafe CI/CD paths before they cause failed releases, repeated pipeline reruns, rollback churn, and avoidable operational overhead. Its memory-guided reasoning reinforces recurring risky nodes over time, making the system more sensitive to repeated deployment-risk patterns and enabling earlier intervention. This helps reduce wasted execution, repeated remediation, and unnecessary friction across the delivery pipeline.

Scenarios

We built and tested multiple CI/CD risk scenarios.

Scenario 1 — Production deployment risk

A merge request changes:

  • .gitlab-ci.yml
  • scripts/deploy.sh
  • deploy/config/prod.env

This represents a high-risk production deployment path with:

  • privileged deploy job
  • high-privilege token
  • non-isolated runner
  • production environment reachable

Expected outcome:

  • high risk
  • production reachable = true
  • strong remediation and approval guidance

Scenario 2 — Staging medium-risk deployment

A merge request changes:

  • .gitlab-ci.yml
  • scripts/deploy_staging.sh

This represents a staging deployment flow with weaker blast radius than production.

Expected outcome:

  • medium risk
  • production reachable = false
  • lighter intervention guidance

Scenario 3 — Validation / rollback bypass risk

A merge request changes:

  • .gitlab-ci.yml
  • scripts/deploy.sh
  • scripts/health_check.sh
  • scripts/rollback.sh

This scenario simulates release-safety weakening by making health verification and rollback behavior non-blocking while a production-like deployment path remains reachable.

Expected outcome:

  • high risk
  • production reachable = true
  • remediation focused on restoring validation and rollback assurance

Live GitLab workflow

The live workflow now works like this:

  1. A real merge request is opened or updated in GitLab
  2. GitLab sends a webhook to PathForge Duo
  3. PathForge Duo runs scenario-based CI/CD risk analysis
  4. The system classifies the risk and selects interventions
  5. It automatically writes back into GitLab by:
    • posting a merge request comment
    • creating a remediation issue

Results / Demo proof

PathForge Duo is not just a static demo or chatbot. It is a real GitLab-triggered prototype that:

  • reacts to real merge request events
  • runs backend risk analysis
  • posts real comments into GitLab
  • creates real remediation issues

The demo proves an end-to-end GitLab agent loop:

  • merge request event received
  • CI/CD attack path constructed
  • risk scored with operational context
  • intervention selected
  • GitLab updated automatically with reviewer-facing outputs

This shows that PathForge Duo can turn CI/CD risk reasoning into real platform action, helping teams catch unsafe deployment changes before they reach protected environments.

Built With

Share this project:

Updates