SecuritySentinel

Inspiration

Your CI pipeline finishes with 8 security findings. Most teams will ignore these for days or weeks. Developers are busy. Security reviews are manual. Vulnerabilities stay open. So I created the SecuritySentinel to fix that.

What it does

SecuritySentinel eliminates the gap between vulnerability detection and remediation. When a developer @mentions the SecuritySentinel service account on any merge request, four specialized AI agents chain together automatically:

Agent 1 — Triage: Reads pipeline security scan results, searches the codebase for vulnerable patterns, filters false positives, and classifies findings by severity (Critical/High/Medium/Low) with CWE references Agent 2 — Issue Creator: Creates structured GitLab issues for each confirmed vulnerability, automatically labeled with severity, CWE links, vulnerable code snippets, and remediation guidance Agent 3 — Fix Generator: Reads the actual vulnerable source files, writes production-safe security fixes in the correct language, and commits them to a fix branch Agent 4 — Reporter: Creates a remediation MR from the fix branch and posts a full security dashboard comment on the triggering MR

A companion SecuritySentinel Advisor agent provides on-demand interactive security reviews via GitLab Duo Chat — developers can ask it to review any file, explain a vulnerability, or confirm a fix is correct.

How we built it

Built entirely on the GitLab Duo Agent Platform using custom flows (YAML-defined multi-agent orchestration) and a custom agent. All agents are powered by Anthropic Claude Sonnet 4 via GitLab Duo. The flow is triggered via GitLab's mention and assign trigger system, runs on GitLab CI/CD compute, and uses GitLab's built-in tools to read code, create issues, commit fixes, and post merge request notes. The project includes a purpose-built vulnerable Node.js demo application (BookStore API) containing SQL injection, XSS, hardcoded secrets, path traversal, and known CVE dependencies — used as the test target to demonstrate the full remediation pipeline.

Challenges we ran into

The GitLab Duo Agent Platform is brand new (beta as of early 2026) and documentation on inter-agent data passing was limited. The correct format for passing outputs between agents (from: "context:agent_name.final_answer") was not documented and required debugging session logs and help from the GitLab Discord community. Tool name schemas also required validation against the platform's allowed tool list.

Accomplishments that we're proud of

Building a genuinely useful 4-agent orchestration that solves a real, painful problem every development team faces. The flow works across any language — Node.js, Python, Ruby, Java, Go, PHP — by detecting the project's language first and adapting all search patterns and fix templates accordingly. The SecuritySentinel Advisor agent is fully language-agnostic and useful to any GitLab project.

What we learned

How to design multi-agent flows where each agent produces structured JSON output that downstream agents consume. How to write system prompts that guide agents to use specific tools in a specific order and produce machine-readable output. How to debug agent sessions using GitLab's session logs and WebSocket trace output.

What's next for SecuritySentinel

Support for triggering automatically on pipeline completion (when GitLab enables pipeline event triggers in stable) Compliance mode — checking MRs against SOC2, GDPR, and HIPAA requirements Green Agent extension — tracking CI/CD energy consumption and suggesting efficiency improvements Publishing to the GitLab AI Catalog for any team to enable in one click

Built With

• ci/cd
• claude
• gitlab
• node.js
• sast