Inspiration

Hardcoded secrets, exposed credentials, and weak PKI/TLS configurations remain some of the most common and damaging security vulnerabilities in modern software delivery. Too often, these vulnerabilities are caught late in the cycle or overlooked entirely because existing static linting tools generate noisy alerts that lack context and require tedious manual triage. I wanted to build something better: an autonomous security analyst that bridges the gap between passive scanning and active developer workflows. I envisioned a tool that doesn't just flag issues, but actually reasons about them and takes action directly where developers work: in their repositories and Merge Requests.

What it does

SecretsSentinel Rapid is a Gemini-powered, autonomous security agent designed specifically for GitLab. By leveraging a native Model Context Protocol (MCP) connection, it dynamically analyzes your codebase for hardcoded secrets, expiring certificates, and weak cryptographic configurations.

Unlike traditional pipeline scripts, SecretsSentinel Rapid is a true agent. You give it a GitLab repository or Merge Request URL, and it uses Gemini 2.5 Flash's function calling to independently investigate the code. When it finds a vulnerability, it takes immediate action:

  • Merge Request Defense: It analyzes MR diffs and posts inline review comments directly on the specific lines where credentials were leaked, blocking them before they merge.
  • Actionable Issue Creation: It files detailed GitLab Issues containing severity labels, rationale, and step-by-step remediation checklists.
  • Security Reporting: It autonomously maintains a "Security Health Report" page in the repository's Wiki, giving security engineers a high-level audit trail.
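An added example (not SecretsSentinel Rapid's own code) of the line mapping an inline Merge Request comment depends on: walk a unified diff, track new-file line numbers, and report only added lines that match a secret pattern. The three rules, the sample diff and the function name are assumptions made for illustration.

```python
import re

# Illustrative detection rules (assumptions, not the project's rule set).
RULES = {
    "slack-token": re.compile(r"xox[abprs]-[0-9A-Za-z-]{10,}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample diff; the token is a placeholder, not a real credential.
SAMPLE_DIFF = "\n".join([
    "diff --git a/config/notify.py b/config/notify.py",
    "--- a/config/notify.py",
    "+++ b/config/notify.py",
    "@@ -40,3 +40,4 @@ def build_client():",
    "     client = Client()",
    "     client.timeout = 10",
    '+    client.token = "xoxb-000000000000-EXAMPLEEXAMPLE"',
    "     return client",
])


def findings_in_diff(diff_text):
    """Return (path, new_line, rule) for each added line that matches a rule."""
    findings, path = [], None
    new_line = old_left = new_left = 0
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:  # between hunks: headers only
            if line.startswith("+++ "):
                path = line[4:].removeprefix("b/")
            elif (m := HUNK.match(line)):
                old_left = int(m.group(1) or 1)  # omitted count means 1
                new_line = int(m.group(2))
                new_left = int(m.group(3) or 1)
            continue
        if line.startswith("+"):  # added line: exists only in the new file
            for rule, pattern in RULES.items():
                if pattern.search(line[1:]):
                    findings.append((path, new_line, rule))
            new_line, new_left = new_line + 1, new_left - 1
        elif line.startswith("-"):  # removed line: no new-file position
            old_left -= 1
        elif not line.startswith("\\"):  # context; skip "\ No newline ..."
            new_line, new_left, old_left = new_line + 1, new_left - 1, old_left - 1
    return findings
```

Counting hunk lengths from the `@@` header, rather than guessing from prefixes alone, keeps an added line whose content begins with `++ ` from being mistaken for a file header.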

All of this is orchestrated via a real-time Gradio Web UI that streams the agent's internal thoughts, logic, and tool executions.

How I built it

I built the agent using Python and Google's Gemini 2.5 Flash via Vertex AI. The core innovation is how I connected Gemini to the codebase: I integrated the official @modelcontextprotocol/server-gitlab using the Python mcp SDK.

Instead of writing rigid, procedural logic, I gave Gemini a suite of MCP tools (like list_project_files, get_file_contents, create_issue, and create_merge_request_discussion) and let its reasoning engine drive the execution loop. The agent decides which files to inspect, chunks the content to manage context windows, and determines the appropriate GitLab action based on what it discovers. I wrapped this agentic loop in a responsive Gradio UI that yields the agent's thought process and API calls via an asynchronous generator, providing a transparent, real-time view of the agent at work. The entire application is containerized with Docker and deployed to Google Cloud Run.

Challenges I ran into

One of the biggest hurdles was managing the LLM context window against potentially massive repositories. I couldn't just dump an entire codebase into the prompt. I had to design a resilient strategy where the agent uses MCP to first discover the file tree or MR diffs, and then surgically requests specific file contents. I also implemented strict 4,000-character limits per file read to prevent context bloat while ensuring the agent still saw the most critical lines.
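One way to keep a file read under a 4,000-character budget without losing the lines that matter, shown as an added example rather than the project's own code: a cheap regex pre-filter picks suspicious lines, and only those lines plus a little context are emitted with their real line numbers. The pattern list, the function name, the 200-character line clip and the sample file are assumptions.

```python
import re

# Cheap pre-filter for lines worth showing the model (illustrative assumption).
SUSPICIOUS = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|PRIVATE KEY|verify\s*=\s*False"
    r"|TLSv1(\.[01])?(?![.\d])|SSLv3|\bmd5\b",
    re.IGNORECASE,
)

# Constructed sample: 300 filler lines with one credential-like line at 250.
SAMPLE_LINES = ["setting_%03d = 'value'" % i for i in range(1, 301)]
SAMPLE_LINES[249] = 'db_password = "EXAMPLE-not-a-real-secret"'
SAMPLE_FILE = "\n".join(SAMPLE_LINES)


def excerpt_for_model(text, budget=4000, context=2):
    """Return at most `budget` characters of `text`, suspicious lines first."""
    if len(text) <= budget:
        return text
    lines = text.splitlines()
    hits = [i for i, ln in enumerate(lines) if SUSPICIOUS.search(ln)]
    # Merge the +/- context windows around each hit into disjoint ranges.
    ranges = []
    for i in hits:
        lo, hi = max(0, i - context), min(len(lines), i + context + 1)
        if ranges and lo <= ranges[-1][1]:
            ranges[-1][1] = max(ranges[-1][1], hi)
        else:
            ranges.append([lo, hi])
    if not ranges:
        ranges = [[0, len(lines)]]  # nothing flagged: fall back to the file head
    out, used = [], 0
    for lo, hi in ranges:
        block = ["[lines %d-%d of %d]" % (lo + 1, hi, len(lines))]
        # Clip very long (for example minified) lines so one line cannot eat the budget.
        block += ["%d: %s" % (n + 1, lines[n][:200]) for n in range(lo, hi)]
        for row in block:
            if used + len(row) + 1 > budget:  # +1 for the joining newline
                return "\n".join(out)
            out.append(row)
            used += len(row) + 1
    return "\n".join(out)
```

Prefixing each row with its original line number lets a finding be reported against the true position in the file even though most of the file was never sent.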

Another challenge was ensuring the agentic loop didn't spiral out of control. I had to carefully tune the system prompts and function definitions to guarantee that the agent handled API rate limits, large binary files, and missing wiki pages gracefully, without breaking the overall scan execution.

Accomplishments I'm proud of

I am incredibly proud of achieving a genuine agentic workflow. Seeing the agent autonomously decide to fetch an MR diff, realize a Slack token was exposed on line 42, and then dynamically call the GitLab API to post an inline comment exactly on that line, without any hardcoded pipeline instructing it to do so, feels like a massive leap forward.

I'm also proud of the real-time UI streaming. Making the LLM's internal "thoughts" and tool calls visible as they happen transforms the experience from waiting for a black box to watching a digital teammate work.

What I learned

I learned a tremendous amount about the power and practical limitations of the Model Context Protocol (MCP). MCP is a game-changer for standardizing how LLMs interact with external systems like GitLab, drastically reducing the boilerplate integration code I had to write. I also learned that Gemini 2.5 Flash is exceptionally fast and capable at zero-shot reasoning over code snippets, making it the perfect engine for real-time security analysis where both latency and accuracy are paramount.

What's next for SecretsSentinel Rapid

For the hackathon, I focused on a standalone UI workflow to prove the agentic concept. The immediate next step is to package SecretsSentinel Rapid as a native GitLab CI/CD component that automatically triggers on every Merge Request.

Beyond that, I plan to expand its reasoning capabilities to include automated secret rotation - where the agent not only finds a leaked API key but uses an integration to proactively revoke it and issue a new one. I also want to implement multi-repository scanning to allow organizations to unleash the agent across their entire GitLab group footprint.
