Inspiration

Security scans are only useful if someone acts on them. In most teams, SAST findings sit in dashboards for weeks — developers are busy, context-switching is expensive, and triaging vulnerabilities manually is tedious. Saqr was built to close that gap: the moment a scan finds a vulnerability, Saqr fixes it.

The name comes from the Saqr falcon — vigilant, precise, and fast.

What it does

Saqr is an autonomous security remediation agent built on the GitLab Duo Agent Platform.

When GitLab security scans (SAST, Dependency Scanning, Secret Detection) complete in a CI/CD pipeline, Saqr automatically:

  1. Analyzes each vulnerability with full code context — fetching the affected file and surrounding lines from the GitLab repository
  2. Generates a precise, minimal fix using Claude — targeting only the vulnerable lines without refactoring unrelated code
  3. Creates a merge request with the fix applied, a human-readable explanation, CWE/OWASP references, and links back to the original finding
  4. Falls back gracefully — if a vulnerability requires human judgment (architectural flaw, missing business context), Saqr creates a GitLab Issue with detailed remediation guidance instead of a broken MR
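
Added example (not Saqr's own code) of the step-4 triage decision: it reads a GitLab SAST report artifact in the gl-sast-report.json schema and routes each finding to either an automated-fix MR or a human-owned Issue. The CWE allowlist, the line-span limit and the three sample findings are constructed assumptions, not the project's real rules or scan output.

```python
import json

# Constructed sample of a GitLab SAST report artifact (gl-sast-report.json).
# Findings are illustrative, not from a real scan.
SAMPLE_REPORT = json.dumps({
    "version": "15.0.4",
    "vulnerabilities": [
        {"id": "v1", "name": "SQL injection", "severity": "High",
         "location": {"file": "app/db.py", "start_line": 12, "end_line": 12},
         "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"}]},
        {"id": "v2", "name": "Insecure deserialization", "severity": "Critical",
         "location": {"file": "app/session.py", "start_line": 40, "end_line": 75},
         "identifiers": [{"type": "cwe", "name": "CWE-502", "value": "502"}]},
        {"id": "v3", "name": "Hardcoded password", "severity": "Medium",
         "location": {"file": "config.py", "start_line": 3, "end_line": 3},
         "identifiers": [{"type": "cwe", "name": "CWE-798", "value": "798"}]},
    ],
})

# Hypothetical policy: CWE classes whose fix is normally local to the flagged
# lines (injection, traversal). Secrets (CWE-798) and deserialization design
# flaws (CWE-502) need rotation or architectural context, so they go to an Issue.
LOCAL_FIX_CWES = {"79", "89", "78", "22"}
MAX_FIX_SPAN = 5  # findings wider than this are not a "surgical" change


def cwe_of(vuln):
    """Return the CWE number of a finding as a string, or None if absent."""
    for ident in vuln.get("identifiers", []):
        if ident.get("type") == "cwe":
            return str(ident.get("value"))
    return None


def triage(vuln):
    """Return (route, reason): 'mr' for an automated fix, 'issue' for review."""
    loc = vuln["location"]
    span = loc.get("end_line", loc["start_line"]) - loc["start_line"] + 1
    cwe = cwe_of(vuln)
    if cwe is None:
        return "issue", "no CWE identifier to anchor a fix pattern on"
    if cwe not in LOCAL_FIX_CWES:
        return "issue", f"CWE-{cwe} usually needs design or business context"
    if span > MAX_FIX_SPAN:
        return "issue", f"finding spans {span} lines, too wide for a minimal fix"
    return "mr", f"CWE-{cwe} on {span} line(s) is a local, reviewable change"


def plan_remediation(report_json):
    """Map each finding id in a SAST report to its (route, reason)."""
    report = json.loads(report_json)
    return {v["id"]: triage(v) for v in report["vulnerabilities"]}


if __name__ == "__main__":
    for vid, (route, reason) in plan_remediation(SAMPLE_REPORT).items():
        print(f"{vid}: {route} ({reason})")
```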

How we built it

  • GitLab Duo Agent Platform — AGENTS.md defines Saqr's identity, capabilities, and behavior constraints; security_remediation_flow.yml orchestrates the multi-step pipeline
  • Claude (claude-opus-4-6) — powers both vulnerability analysis and fix generation via the Anthropic SDK
  • GitLab REST API — used for fetching repository files, creating branches, committing fixes, opening MRs, and posting issues
  • Python 3.12 + httpx — lightweight runtime with no heavy frameworks
  • GitLab CI/CD — Saqr runs as a remediate stage job, triggered automatically after semgrep-sast and bandit-sast complete

Challenges we ran into

  • Minimal fix scope: Getting Claude to fix only the vulnerable line without touching surrounding code required careful prompt engineering
  • CI artifact handoff: GitLab security scan reports are passed between jobs as artifacts, and wiring the needs: dependencies and artifact passing correctly was non-trivial
  • Graceful degradation: Not every vulnerability can be auto-fixed. Building the triage logic that decides between opening an MR and filing an Issue took iteration

Accomplishments that we're proud of

  • End-to-end pipeline from scan detection to MR creation with zero human intervention
  • Saqr correctly identifies unfixable vulnerabilities and creates actionable Issues instead of broken MRs
  • The fix prompt produces minimal, surgical changes that pass code review

What we learned

  • GitLab Duo Agent Platform's AGENTS.md is a powerful primitive for defining agent behavior in a human-readable, reviewable format
  • Claude is remarkably good at understanding security context when given the full file alongside the vulnerable snippet

What's next for Saqr

  • Container Scanning and DAST report support
  • MCP integration for richer tool use (query GitLab Security Dashboard directly)
  • Auto-assign reviewers based on CODEOWNERS
  • Slack/email notifications when MRs are created

Built With

  • agent
  • anthropic
  • ci/cd
  • claude
  • dependency
  • gitlabduo
  • httpx
  • platform
  • python
  • sast
  • scanning