🎯 Inspiration
Every day, developers merge vulnerable code into production — not because they don't care, but because manual code review is slow, inconsistent, and expensive. Teams wait hours for reviewers who are already overloaded. Security engineers can't be everywhere. Critical vulnerabilities like SQL injection and hardcoded secrets slip through.
I wanted to build something that acts like a senior security engineer available 24/7 — one that doesn't just flag problems but actually fixes them.
🛡️ What It Does
Security Sentinel is a 3-agent AI pipeline built on the GitLab Duo Agent Platform that automatically reviews every Merge Request for security vulnerabilities and code quality issues.
When triggered on an MR, three specialized AI agents work in sequence:
- 🔍 Security Scanner — Scans for all OWASP Top 10 vulnerabilities with line-level precision and severity ratings
- 📏 Quality Analyst — Analyzes code complexity, missing error handling,
resource leaks, and maintainability issues
- 🔧 Fix Suggester — Writes the actual fixed code — not just flags the problem
Result: A complete security audit posted as an MR comment in under 90 seconds.
🏗️ How I Built It
The architecture uses GitLab Duo Agent Platform's multi-agent flow system with full context chaining between agents:
MR Trigger
↓
Agent 1: Security Scanner (OWASP Top 10)
↓ passes findings
Agent 2: Quality Analyst (complexity + maintainability)
↓ passes all findings
Agent 3: Fix Suggester (writes actual fixed code)
↓
Posts complete review comment on MR
Each agent is specialized with a focused system prompt, preventing overlap and ensuring depth. Agent 3 receives the full output of both previous agents as context before generating fixes.
Built using:
- GitLab Duo Agent Platform — agent + flow YAML configuration
- Anthropic Claude AI — powering all 3 agents via GitLab Duo
- OWASP Top 10 — security scanning framework
- GitLab AI Catalog — published and available for any team to install
🚧 Challenges
Schema validation was the biggest hurdle — the GitLab AI Catalog validator has strict requirements for toolset format, and I went through multiple iterations before getting the exact format right. The CI pipeline became my best friend for rapid iteration.
Context chaining between agents required careful prompt engineering to ensure Agent 2 doesn't repeat Agent 1's findings, and Agent 3 has enough context to write meaningful fixes.
Trigger mechanism — understanding exactly how the flow bot gets triggered on MR mentions required deep diving into the platform documentation.
📚 What I Learned
- GitLab Duo Agent Platform's flow architecture is incredibly powerful for multi-step AI workflows
- Specialized single-purpose agents outperform general-purpose agents for complex tasks
- Context chaining between agents unlocks capabilities impossible with a single agent
- The GitLab AI Catalog makes AI agents genuinely distributable to teams
🏆 Impact
Security Sentinel targets the critical "AI Paradox" bottleneck in the SDLC:
- Reduces MR review time from hours to 90 seconds
- Catches OWASP Top 10 vulnerabilities automatically on every MR
- Eliminates the need for dedicated security review for routine changes
- Scales security expertise across unlimited teams via the catalog
Any GitLab team can install Security Sentinel from the AI Catalog and get instant security reviews on every merge request — no setup, no cost, no waiting.
---
## Built With:
Add these one by one:
GitLab Duo Agent Platform Anthropic Claude AI Python OWASP Top 10 GitLab CI/CD YAML
---
## Try It Out Links:
Link 1 — Label: GitLab Repository
https://gitlab.com/gitlab-ai-hackathon/participants/jmadhan1
Link 2 — Label: AI Catalog - Security Sentinel Flow
https://gitlab.com/gitlab-ai-hackathon/participants/jmadhan1/-/blob/main/flows/flow.yml
Link 3 — Label: AI Catalog - Security Sentinel Agent
https://gitlab.com/gitlab-ai-hackathon/participants/jmadhan1/-/blob/main/agents/agent.yml
Built With
- 10
- agent
- ai
- anthropic
- ci/cd
- claude
- duo
- gitlab
- owasp
- platform
- python
- top
Log in or sign up for Devpost to join the conversation.