SDLC Intelligence Agent

GitLab Duo Agentic AI streamlines SDLC: automated MR security scans, AI-driven failure diagnosis, policy enforcement, and weekly reports triggered by events - delivering zero-touch, secure DevOps.

Comment

SDLC Intelligence Agent is a GitLab-native multi-agent system that embeds AI directly into the software delivery lifecycle. Instead of a chat interface, it reacts to real GitLab events, a merge request opened, a reviewer assigned, a pipeline failed, or a weekly schedule and takes automated action: posting findings as MR comments, alerting Slack, uploading HTML reports to GCS, and synthesizing sprint digests.

Four specialized agents handle distinct concerns:

  • Security Agent — RAG-backed policy scan of MR diffs against OWASP Top 10 and internal coding standards. Fetches the diff, retrieves relevant policy chunks via semantic similarity, calls Claude Sonnet, and posts a APPROVE / REQUEST_CHANGES / BLOCK verdict as an MR comment with color-coded severity findings.

  • Compliance Agent — Evaluates a 10-point delivery checklist (branch naming, linked issue, labels, description quality, test evidence, WIP status, target branch, docs, file count, assignee) triggered the moment a reviewer is assigned. Posts a pass/warn/fail table directly on the MR.

  • Insight Agent — Fetches failed CI/CD job logs, identifies root cause, classifies the failure type (flaky test, dependency, config, code bug, etc.), estimates recurrence risk, and generates a styled HTML report uploaded to Google Cloud Storage. Detects repeat failure patterns across the past 7 days.

  • Digest Agent — Runs on a weekly schedule, pulling merged MRs, closed issues, commits, and pipeline pass/fail stats from GitLab, then synthesizing a narrative sprint summary with highlights, risks, and next steps — posted to Slack.

The system runs as a Docker container on Google Cloud Run, receives GitLab system hooks via FastAPI, and uses a shared tools layer for Anthropic API calls, GitLab REST, Slack Block Kit messaging, GCS uploads, and per-model token cost tracking. The Security Agent's RAG store is backed by sentence-transformers embeddings stored locally as NumPy vectors, with a hash-based fallback for restricted environments.

Built With

  • anthropic-api
  • anthropic-claude-api-(claude-sonnet-4-6
  • apscheduler
  • claude-haiku-4-5-20251001)
  • cloud-build
  • css
  • docker
  • fastapi
  • gitlab-ai-gateway
  • gitlab-ai-gateway-(optional)
  • gitlab-ci/cd
  • gitlab-rest-api
  • google-cloud
  • google-cloud-build
  • google-cloud-build-(cloudbuild.yaml)
  • google-cloud-run
  • html
  • html/css
  • json
  • json-token-log
  • numpy
  • optional-qdrant-cloud
  • pydantic
  • pypdf
  • pytest
  • python
  • python-dotenv
  • qdrant-client
  • sentence-transformers
  • slack-incoming-webhooks
  • uvicorn
  • yaml
Share this project:

Updates