Inspiration -
Security scanners (SAST/DAST) are fantastic at finding vulnerabilities, but they create massive technical debt. Human engineers still have to context-switch, research the patch, rewrite the code, test it, and push an MR. I wanted to bridge the gap between "Alerting" and "Remediating" by building a truly autonomous agent that lives right inside the developer's terminal.
What it does -
Sentinel Flow is a globally installable Node.js CLI tool. When a developer runs sentinel heal, the agent reads the vulnerable local file and uses an LLM to rewrite it securely. Crucially, it doesn't blindly trust the AI. It features a "Self-Healing Verification Loop" that runs a local syntax check (node -c, which parses the file without executing it) on the newly generated code. If the AI introduced a syntax error, the agent catches the error, feeds the log back to the LLM, and forces it to fix its own mistake. Once the code passes that check, it uses the GitLab API to autonomously branch, commit, and open a ready-to-review Merge Request. The syntax check proves the patch parses, not that it is correct or secure, so the human review of the MR remains the final gate.
How I built it -
The CLI is built using Node.js and Commander.js. The AI brain leverages gemini-2.5-flash for high-speed code refactoring. For the GitOps workflow, I used simple-git to manage local branch staging, and the official @gitbeaker/rest SDK to call GitLab's REST API, which lets the agent open fully formatted Merge Requests. The self-healing loop uses Node's native child_process to execute the local verification commands.
Challenges I ran into -
The biggest challenge was "LLM Confidence." Initially, the AI would occasionally forget a closing bracket or comma when rewriting large files, which would break the build if pushed to GitLab. To solve this, I engineered the self-healing verification loop. This transformed the tool from a basic "API wrapper" into a true reasoning agent that catches and remediates its own hallucinations before interacting with the remote repository.
Accomplishments that I am proud of -
I am incredibly proud of achieving "Zero-Context-Switching." A developer can trigger a complex remediation, let the agent verify its own syntax, and have a secure GitLab MR waiting for them, all without leaving their IDE or opening a browser.
What I learned -
What's next for Sentinel Flow -
The next evolution is full CI/CD integration. I plan to integrate Sentinel Flow directly into GitLab CI Runners. If a GitLab SAST job fails during a pipeline run, Sentinel Flow will automatically trigger in the cloud, patch the vulnerability, and reply to the failed pipeline with an MR containing the fix, completely automating enterprise vulnerability management.
Built With
- commander.js
- git
- gitlab-api
- google-gemini
- javascript
- node.js