Inspiration

In modern software development, security is often seen as a bottleneck. While SAST (Static Analysis Security Testing) and DAST (Dynamic Analysis Security Testing) tools are excellent at finding vulnerabilities, they are notorious for creating massive backlogs that security teams struggle to clear.

We were inspired by a simple but painful truth: Finding a vulnerability is easy; fixing it is the hard part. We wanted to build a bridge across this "Remediation Gap": a tool that doesn't just point out problems, but actually engineers the solution, validates it, and prepares it for production, all autonomously.

What it does

SecureFlow is an autonomous AI-driven orchestration pipeline that automates the entire security remediation lifecycle. When a vulnerability is detected in a CI/CD pipeline, SecureFlow triggers a series of specialized AI agents:

Triage Agent: Analyzes the raw security reports, filters out false positives, and prioritizes "True Positives" that pose real risks.
Remediation Agent: Utilizing Claude 3.5 Sonnet, it deep-dives into the codebase to engineer a context-aware security patch that adheres to best practices.
Validation Agent: Deploys the fix into an isolated environment and runs the project's test suite to ensure the patch doesn't break existing functionality.
MR Agent: Generates a comprehensive summary and opens a Merge Request in GitLab, complete with an explanation of the fix and proof of validation.

Users can monitor the entire process in real-time via the Nova Dashboard, a futuristic interface that provides high-resolution telemetry on every action taken by the agents.

How we built it

SecureFlow was built with a high-performance, Modern-Stack approach:

Frontend: Built with React 18 and Vite, featuring a glassmorphism design system ("Nova UI") with real-time streaming updates from the backend via NDJSON.
Backend: A high-concurrency FastAPI server managing the asynchronous execution of Python-based AI agents.
AI Core: Claude 3.5 Sonnet serves as the primary reasoning engine for complex code analysis and patch generation.
Infrastructure: Designed to integrate directly with GitLab’s API for seamless pipeline monitoring and Merge Request management.
Orchestration: A custom-built sequential agent runner that manages state and hand-offs between specialized security agents.

Challenges we ran into

One of the biggest hurdles was ensuring that AI-generated code was not just "syntactically correct" but also "production-safe." We had to iterate heavily on the Validation Agent to ensure that if a fix failed the test suite, the Remediation Agent received the error logs to self-correct and try again.

Another challenge was managing the real-time feedback loop. We wanted the user to see the AI "thinking" and "working" in real-time, which required us to implement a sophisticated streaming architecture between our Python agents and the React frontend.
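The two challenges above, a validation failure fed back to remediation and progress streamed as NDJSON, can be sketched together. This is an added example, not SecureFlow's own code: the function names, event fields and the stubbed remediate/validate steps are hypothetical, and the retry bound is an assumption.

```python
import json
from dataclasses import dataclass
from typing import Callable, Iterator, Optional

@dataclass
class ValidationResult:
    passed: bool
    log: str  # test-suite output, handed back to remediation on failure

def event(stage: str, **fields) -> str:
    """One NDJSON record: a single JSON object followed by a newline."""
    return json.dumps({"stage": stage, **fields}) + "\n"

def run_remediation(finding: dict,
                    remediate: Callable[[dict, Optional[str]], str],
                    validate: Callable[[str], ValidationResult],
                    max_attempts: int = 3) -> Iterator[str]:
    """Yield NDJSON events while retrying a patch until it validates."""
    error_log = None
    for attempt in range(1, max_attempts + 1):
        patch = remediate(finding, error_log)
        yield event("remediation", attempt=attempt, finding=finding["id"])
        result = validate(patch)
        yield event("validation", attempt=attempt, passed=result.passed)
        if result.passed:
            yield event("merge_request", attempt=attempt, status="ready")
            return
        error_log = result.log  # the next attempt sees why this one failed
    # Bounded retries, fail closed: no validated patch, no merge request.
    yield event("merge_request", status="skipped", reason="validation_failed")

# Constructed stand-ins for the LLM call and the sandboxed test run.
def stub_remediate(finding: dict, error_log: Optional[str]) -> str:
    return "patch-v2" if error_log else "patch-v1"

def stub_validate(patch: str) -> ValidationResult:
    if patch == "patch-v2":
        return ValidationResult(True, "")
    return ValidationResult(False, "test_login: AssertionError")

def collect(remediate, validate, max_attempts: int = 3) -> list:
    finding = {"id": "FINDING-1", "type": "sql_injection"}  # constructed sample
    stream = run_remediation(finding, remediate, validate, max_attempts)
    return [json.loads(line) for line in stream]

if __name__ == "__main__":
    for e in collect(stub_remediate, stub_validate):
        print(e)
```

Because `run_remediation` is a generator of newline-terminated JSON strings, a streaming HTTP response can forward each record to the dashboard as it is produced.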

Accomplishments that we're proud of

We are incredibly proud of achieving a fully autonomous loop. Seeing the system take a raw SQL Injection warning, understand the vulnerable code, rewrite it using prepared statements, verify the fix with tests, and open a Merge Request without any human intervention felt like witnessing the future of DevOps.

We’re also proud of the Nova Dashboard. We didn't want a "boring" security tool; we wanted an interface that felt as modern and advanced as the AI powering it.

What we learned

Building SecureFlow taught us that the real power of LLMs in security isn't just in their knowledge, but in their ability to reason through context. We learned how to structure "Multi-Agent" systems where agents "triple-check" each other’s work, significantly reducing the risk of bad patches. We also gained deep experience in building real-time, event-driven web applications that handle complex background processes.

What's next for SecureFlow

SecureFlow is only at the beginning. Our roadmap includes:

Multi-Platform Support: Expanding beyond GitLab to GitHub and Bitbucket.
Wider Language Support: Adding specialized remediation agents for Go, Rust, and C++.
Human-In-The-Loop (HITL) Mode: Allowing security engineers to "approve" or "edit" AI patches through the dashboard before they are pushed.
Infrastructure-as-Code (IaC) Remediation: Automatically fixing misconfigured Kubernetes manifests and Terraform scripts.
