Inspiration

Modern development is no longer slowed by writing code, but by everything around it—testing, security, compliance, and deployment. We were inspired by the idea of transforming GitLab workflows into an autonomous system where AI agents don’t just assist but actively take action. This led us to build SecureFlow AI, a multi-agent DevSecOps pipeline that listens to events like issue creation or security alerts, generates code, writes tests, fixes vulnerabilities, and deploys applications automatically. While building this, we learned how to orchestrate agent-based systems using GitLab Duo, integrate AI reasoning through Anthropic, and deploy scalable services on Google Cloud. One of our biggest challenges was ensuring reliability while using AI, which we solved by combining intelligent reasoning with structured rules and validations. Ultimately, our goal was to move beyond chat-based AI and create a true digital teammate that accelerates secure software development.

What it does

SecureFlow AI transforms GitLab into an autonomous DevSecOps pipeline powered by intelligent agents. When a developer creates an issue, the system automatically breaks it into tasks, generates production-ready code, writes comprehensive test cases, and scans for security vulnerabilities. If any issues are detected, it applies fixes instantly and updates the merge request. The pipeline then validates the code and deploys the application without manual intervention. By reacting to real GitLab events and taking action at every stage, SecureFlow AI reduces development friction, improves security, and accelerates delivery—acting as a true AI-powered teammate for developers.

How we built it

We built SecureFlow AI as a multi-agent system integrated directly into GitLab workflows. Using GitLab Duo Agents and Flows, we designed an event-driven pipeline where actions are triggered by events such as issue creation, merge requests, and security alerts. Each stage of the pipeline is handled by a dedicated AI agent—Planner, Developer, Test, Security, and Deploy—responsible for specific tasks. We leveraged Anthropic (Claude) for intelligent reasoning, including code generation, test creation, and vulnerability fixing. The agents were implemented as lightweight services using Python (Flask) and deployed on Google Cloud Run for scalability. GitLab CI/CD pipelines were used to run tests, perform security scans (SAST), and manage deployments, while GitLab APIs enabled automated commits, merge requests, and workflow orchestration. This combination allowed us to create a seamless, automated system from idea to deployment.

Challenges we ran into

One of the main challenges was orchestrating multiple AI agents to work reliably in a sequential pipeline, ensuring each step completed correctly before triggering the next. Integrating with real GitLab events such as issues, merge requests, and CI/CD pipelines also required careful handling of webhooks and API interactions. Another significant challenge was ensuring that AI-generated code and security fixes were accurate and did not introduce new issues, which we addressed by adding validation through tests and strict prompting rules. Balancing flexibility and control was difficult, as purely AI-driven outputs can be unpredictable, so we combined intelligent reasoning with structured workflows. Additionally, deploying and connecting agents on Google Cloud while maintaining smooth communication with GitLab added complexity, but helped us build a scalable and realistic system.
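One way to structure the two controls this section describes, authenticating each GitLab webhook delivery and refusing to start a stage until the previous one has passed validation, as an added example that is not SecureFlow AI's own code. The function names, the stage stand-ins and the sample payload are assumptions; `X-Gitlab-Token` and `object_kind` are the header and field GitLab sends with webhooks.

```python
import hmac
import json

HANDLED_EVENTS = {"issue", "merge_request"}  # GitLab object_kind values
# Constructed sample delivery body, not a captured payload.
SAMPLE_BODY = '{"object_kind": "issue", "object_attributes": {"title": "Add login"}}'


def verify_token(headers, secret):
    """Constant-time check of the shared secret GitLab sends in X-Gitlab-Token."""
    sent = headers.get("X-Gitlab-Token", "")  # assumes a plain dict of headers
    return hmac.compare_digest(sent.encode(), secret.encode())


def run_pipeline(event, stages):
    """Run stages in order and stop at the first one that fails validation."""
    completed = []
    for name, stage in stages:
        ok, detail = stage(event)
        if not ok:
            return {"status": "halted", "failed": name,
                    "detail": detail, "completed": completed}
        completed.append(name)
    return {"status": "ok", "completed": completed}


def handle_webhook(headers, body, secret, stages):
    """Return (http_status, result) for one webhook delivery."""
    if not verify_token(headers, secret):
        return 401, {"error": "bad token"}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid JSON"}
    if not isinstance(event, dict) or event.get("object_kind") not in HANDLED_EVENTS:
        return 202, {"status": "ignored"}
    return 200, run_pipeline(event, stages)


def make_stages(findings):
    """Hypothetical stand-ins for the five agents; only security can fail here."""
    def passed(event):
        return True, ""

    def security(event):
        return not findings, f"{len(findings)} open SAST findings"

    return [("planner", passed), ("developer", passed), ("test", passed),
            ("security", security), ("deploy", passed)]
```

With unresolved findings the run halts at the security stage, so the deploy stage is never invoked.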

Accomplishments that we're proud of

We are proud to have built a fully autonomous DevSecOps pipeline where multiple AI agents collaborate to take real actions inside GitLab workflows. Instead of creating a simple chatbot, we developed a system that can go from a feature request to code generation, testing, security fixing, and deployment without manual intervention. Successfully integrating GitLab Duo Agents with Anthropic for intelligent decision-making and deploying scalable agent services on Google Cloud Run was a major achievement. We also ensured that the system handles real-world challenges like security vulnerabilities and test coverage, making it practical and impactful. Most importantly, we transformed the idea of AI assistance into a true AI-powered teammate that actively accelerates secure software development.

What we learned

Through building SecureFlow AI, we learned how to design and orchestrate multi-agent systems that operate reliably within real-world DevOps workflows. We gained hands-on experience with event-driven architectures using GitLab Duo Agents and CI/CD pipelines, and understood how to integrate AI reasoning (Anthropic/Claude) into actionable automation rather than just generating responses. We also learned the importance of balancing AI flexibility with structured validation to ensure safe and consistent outputs, especially for code generation and security fixes. Additionally, working with Google Cloud Run helped us understand scalable deployment of agent services. Overall, we realized that the true power of AI lies not just in generating code, but in enabling systems that can act, adapt, and automate end-to-end development processes.

What's next for SecureFlow AI

The next step for SecureFlow AI is to evolve from a rule-based multi-agent system into a more intelligent, self-improving platform. We plan to introduce learning capabilities where agents adapt based on past fixes, code reviews, and deployment outcomes. Expanding support for multiple programming languages and frameworks will make the system more versatile for real-world teams. We also aim to enhance collaboration by allowing developers to interact seamlessly with agents during workflows, rather than only triggering them. On the infrastructure side, we plan to scale the system with deeper Google Cloud integrations and improve observability with advanced logging and metrics. Additionally, we aim to incorporate Green AI features to optimize code for performance and energy efficiency. Ultimately, our vision is to transform SecureFlow AI into a fully autonomous, production-ready DevSecOps assistant used by teams at scale.

Built With

  • anthropic-(claude-api)
  • docker
  • gitlab-ci/cd
  • gitlab-duo-agents-&-flows
  • gitlab-rest-api
  • google-cloud
  • google-cloud-run
  • python-(flask)
  • sast-(gitlab-security-scanning)