SentinelStream AI

Autonomous DevOps Governance Agent for GitLab Duo — Real-time dependency auditing, compliance verification, and AI-pushed remediation.

Comment

🛡️ SentinelStream AI: Autonomous DevOps Governance Agent

🌟 Inspiration

In the high-speed world of modern CI/CD, "Shift Left" security is often a bottleneck. Developers are overwhelmed by security scanners that generate noise but offer no solutions. We were inspired to build SentinelStream AI to bridge the gap between "knowing there's a bug" and "fixing it automatically." We wanted to create a governance layer for GitLab Duo that doesn't just scan—it remediates, verifies, and merges.

🧠 What it does

SentinelStream AI is an autonomous DevOps governance agent that sits at the center of your Merge Request (MR) flow. It acts as a tireless security engineer that:

  1. 🕵️ Scout (Multi-Ecosystem Scanning): Instantly identifies every dependency change across 8+ ecosystems including npm, PyPI, Go, Maven, Cargo, RubyGems, composer, and NuGet.
  2. ⚖️ Lawyer (Compliance & CVE Audit): Queries the Google Cloud OSV API and cross-references multi-registry metadata against your custom POLICY.md. It detects recursive vulnerabilities and license conflicts.
  3. 🔧 Fixer (Automated Remediation): Self-generates code fixes, identifies the "Next-Safe-Version," and posts GitLab-native inline suggestions directly on the MR.
  4. 🦾 Agent-Coder (API Refactoring): When a critical security fix requires a major version upgrade, Agent-Coder scans your codebase to identify and propose the necessary refactoring (e.g., migrating from Express 3.x to 4.x).
  5. 🟢 Pipeline-Aware Auto-Merge: Monitors CI/CD pipeline signals. If a Sentinel-generated security patch passes all tests, the agent automatically merges the fix, achieving Zero-Click Governance.

🏗️ How we built it

  • Backend: FastAPI with an asynchronous Plan-and-Execute (P&E) DAG orchestrator.
  • Intelligence Layer (Logic Gating): Optimized routing between Gemini 1.5 Flash (for high-speed patches) and Claude-3 Sonnet (for deep architectural refactoring).
  • Frontend: A high-end Next.js Analytics Command Center featuring Tailwind CSS, Framer Motion glassmorphism, and Recharts for real-time vulnerability telemetry.
  • Knowledge Base: A RAG-ready structure within .gitlab/agents/ allowing for dynamic ingestion of corporate security standards.

🚧 Challenges we faced

  • Transitive Dependency Graphs: Designing a parser that could accurately resolve deep recursive vulnerabilities in lockfiles like go.sum and package-lock.json.
  • Logic Gating Latency: Balancing the model routing logic to ensure developers receive audit feedback in under 5 seconds while still leveraging heavy-hitting LLMs for major breaking changes.
  • Universal Parser Logic: Creating a unified dependency model that works seamlessly across XML, JSON, TOML, and YAML-based build systems.

📈 What we learned

  • The critical importance of "Self-Verification"—ensuring the AI's proposed fixes are compliant before they reach the human reviewer.
  • How to leverage Google Cloud's OSV API for precise, multi-platform vulnerability intelligence.
  • That autonomous agents are most effective when they provide rich, reasoned context (Reasoning Logs) alongside their actions.

🚀 What's next for SentinelStream AI

  • 3D Threat Galaxy: A WebGL-powered 3D visualization of an entire company's code security health.
  • Global Policy Mesh: Support for complex policy inheritance across thousands of GitLab subgroups.
  • Predictive Patching: Using historical remediation data to predict and resolve vulnerabilities before they are even reported.

Built With

  • claude-3-sonnet
  • fastapi
  • framer-motion
  • gemini-1.5-flash
  • gitlab-api
  • google-cloud-osv-api
  • next.js
  • pydantic
  • python
  • recharts
  • tailwind-css
Share this project:

Updates