The Moment That Inspired This
It's 11:47 PM. A developer merges a PR. Inside that PR, buried on line 247 of a 600-line diff:
query = "SELECT * FROM users WHERE id = " + request.args.get("id")
Nobody caught it. The security reviewer was swamped. The author didn't notice. The tests passed. Three weeks later, the database is dumped. Customer data is gone.
This happens every single day at software companies of every size.
Not because developers are careless. Because the review process is broken — slow, inconsistent, and completely dependent on humans who are already stretched thin.
SDLC Guardian exists to fix that.
What It Does (In Plain English)
SDLC Guardian is a GitLab Duo agent suite that jumps into your workflow and handles the four most painful bottlenecks in software development — automatically, every time, without being asked.
You open a merge request. It reads every changed file. Five minutes later, there's a comment on your MR:
[BLOCKING] — 1 Critical, 2 High severity findings
- SQL injection on
db/queries.py:247- Hardcoded API key on
config/settings.py:12- Missing auth check on
/api/admin/usersendpointFull report with remediation: [Issue #87]
That's not a chatbot. That's an agent that read your code, found real vulnerabilities, created a GitLab issue with remediation steps, filed formal vulnerability records, and blocked the merge — all while you were getting coffee.
The Four Things It Does
Security & Compliance Guardian
Every MR gets a full OWASP Top 10 scan. Not pattern matching — actual reasoning by Claude Opus 4.6 with adaptive thinking enabled. It checks SQL injection, command injection, hardcoded secrets, broken access control, weak cryptography, SSRF, path traversal, and 15 other vulnerability classes. Then it audits your new dependencies for GPL license contamination and GDPR compliance gaps.
Result: A formatted MR comment with a pass/review/block verdict, a security issue with line-by-line remediation, and formal vulnerability records linked to the MR.
MR Auto-Describe & Review Assistant
Most MR descriptions look like this: "fixed stuff"
That helps nobody. SDLC Guardian reads the actual diff and writes the description your team deserves — what changed, why, how to test it, what could go wrong, database migration notes, API contract changes, deployment flags. Then it posts a reviewer guide that tells your teammates exactly which 3 files need the most attention and why.
Result: Faster reviews. Less back-and-forth. PRs that actually communicate.
Incident Response & Postmortem Agent
Your pipeline just turned red at 2 AM. Most teams spend the first hour just figuring out what happened.
SDLC Guardian reads the job logs, traces back through recent commits, finds the change that broke the build, runs a 5 Whys analysis, and drafts a complete blameless postmortem — all before your on-call engineer has finished their first cup of coffee.
Result: A postmortem issue, P1/P2/P3 action items already filed as GitLab issues, and a permanent record saved to your repository.
Release Notes Generator
Nobody enjoys writing release notes. They're always rushed, always incomplete, always missing the things that actually matter to users.
Give SDLC Guardian a milestone. It reads every merged MR and closed issue, categorizes them (features, fixes, security, breaking changes, deprecations), writes professional user-facing release notes with contributor credits and a migration guide, and publishes to GitLab Releases.
Result: Release notes that read like a human wrote them. Because one did — just not one of your engineers.
How It's Built
The Brain — GitLab Duo Agent Platform
The core is a 5-step multi-agent flow (flows/sdlc_guardian_flow.yml) running on the GitLab Duo Agent Platform. Each step is a specialized Claude agent with its own toolset and instructions:
smart_triage → security_compliance_analyzer → incident_release_analyzer
→ mr_description_reviewer → unified_publisher
Step 1 reads the input, detects what type of work item it is, and emits activation signals (RUN_SECURITY_SCAN: true, RUN_INCIDENT_RESPONSE: false, etc.). Every downstream step checks these signals before executing — so you never get a security scan triggered by a milestone query, or release notes generated for a pipeline failure.
The Deep Analysis Layer — Anthropic Claude API
The GitLab Duo flow handles orchestration. But for the deepest security analysis, I go direct.
anthropic_analyzer/analyzer.py calls Claude Opus 4.6 directly via the Anthropic API with adaptive thinking enabled — Claude's extended reasoning mode where it thinks through the problem before responding. The entire analysis streams to your terminal in real time.
with client.messages.stream(
model="claude-opus-4-6",
max_tokens=16000,
thinking={"type": "adaptive"},
system=SECURITY_EXPERT_SYSTEM_PROMPT,
messages=[{"role": "user", "content": full_mr_context}],
) as stream:
# Claude thinks. Then it talks.
The output is structured JSON — finding IDs, severities, OWASP categories, file paths, code evidence, and specific remediation with corrected code examples. No vague "this might be a problem." Concrete, actionable, specific.
This runs automatically as a CI/CD job on every merge request.
40+ Tools. One Entry Point.
Feed SDLC Guardian anything:
"Review MR !42"→ security scan + description + reviewer notes"Pipeline #1234 failed"→ incident investigation + postmortem"Release notes for milestone v2.3.0"→ categorized, published release notes"Incident issue #99"→ root cause analysis + action items
One agent. It figures out the rest.
The Part I'm Proud Of
Most security tools are either too noisy (flag everything, ignore nothing) or too quiet (miss the real issues). Getting Claude to be a useful security reviewer — one that checks context before flagging, that understands whether an SQL query is actually parameterized even if it looks weird, that knows the difference between a test file and production code — that took real prompt engineering.
The ACTIVATION SIGNALS pattern is something I am particularly happy with. Instead of building 4 separate flows (one per capability), the triage agent outputs boolean flags that every downstream agent reads before deciding whether to run. It makes the unified flow genuinely intelligent about what to do — not just a linear pipeline that does everything regardless of input.
Stack
| Layer | Technology |
|---|---|
| Agent orchestration | GitLab Duo Agent Platform |
| AI reasoning | Anthropic Claude Opus 4.6 (adaptive thinking) |
| Security analysis | Direct Anthropic API + streaming |
| CI/CD integration | GitLab CI (.gitlab-ci.yml) |
| Language | Python 3.11 |
Try It Yourself
git clone https://gitlab.com/gitlab-ai-hackathon/participants/34570711
cd 34570711
# Set your keys
export ANTHROPIC_API_KEY=sk-ant-...
export GITLAB_TOKEN=glpat-...
# Run a security scan on any MR
pip install -r anthropic_analyzer/requirements.txt
python anthropic_analyzer/analyzer.py \
--project your-namespace/your-project \
--mr 1 \
--post-comment
Or just open any MR in a project where the GitLab Duo flow is deployed. The agent will find you.
What's Next
The pipeline that matters most isn't the one I built. It's the one that runs at your company, with your code, catching vulnerabilities before they ship.
SDLC Guardian is built to be forked, extended, and made your own. Every prompt, every flow, every tool call is in the open. Take it, break it, improve it.
The goal was never to build a product. It was to prove that AI agents can do real security work — not summarize it, not chat about it, but actually do it.
I think I proved it.
Built With
- anthropic
- gitlab
Log in or sign up for Devpost to join the conversation.