Supply Chain Security Agent

An agent to detect deeply nested supply‑chain risks and compliance violations, suggests safe automated fixes, and creates MRs for those fixes while logging detailed issues for complex violations.

Comment

Inspiration

A single library install can pull in hundreds of nested packages developers never inspect, and attackers often hide malicious or non-compliant code deep inside. Fixes typically involved long chains of prompts, manual doc review, and tedious dependency sleuthing to identify what broke, then creating tickets — a slow, error-prone flow that turns quick deploys into hours of firefighting. That experience inspired me to create an agent that automatically remediates safe, non‑breaking issues and creates clear, actionable issues (with steps, context, and references) so team can keep shipping without losing velocity.

What it does

With simple prompt, it automates dependency security and compliance: it finds outdated and vulnerable packages, risks in nested packages, prioritizes those that matter based on business context, fixes safe issues automatically, and generates actionable issues for the complex violations that can lead to breaking changes.

  • Project Context Identification: It starts by identifying project context.
  • Scans Dependencies: It then analyzes project's entire dependency tree for security vulnerabilities.
  • Assesses Risk: It performs reachability analysis to prioritize exploitable vulnerabilities and suppress noise.
  • Maps to Standards: Correlates findings with relevant standards, and compliance frameworks.
  • Auto-Remediation: It applies safe fixes for low-risk vulnerabilities automatically via MR creation.
  • Creates Issues: It documents complex violations with remediation guidance for your team

How I built it

I built the project with GitLab web IDE. For prompt modifications i took inspiration from Chatgpt-4o mini model and for Readme suggestions from GitLab Duo agent. I divided the development of project in two phases:

Detection Phase: In this phase the focus was entirely on getting correct project and code context and correctly identifying the vulnerabilities without generic details. To test this I created a separate branch with only dependency files, but that did not provide entire project context to agent, so I switched to testing agent on publicly available GitLab repositories.

Remediation Phase: In this phase the focus was on auto fixing vulnerabilities with non breaking changes by auto creating commits and then creating MRs or generating detailed issues with proper context. I initially tested on my dependency only branch where it created separate branches and commits, then i tested it on my older project and fork of a public repository where it created detailed issues.

Challenges I ran into

The most significant technical hurdle was controlling the agent's output format. Initially, the agent would produce verbose, unrelated information that was not relevant and generic. I had to iteratively refine the system prompt to constrain the output to strictly relevant, actionable data.

Another challenge was agent syncing with AI catalog and agent testing. However, the GitLab team was incredibly helpful, and we were able to resolve the syncing issues to ensure smooth operation.

Accomplishments that I am proud of

The magic moment was watching the agent work end-to-end: it reads project context, creates branches, makes commits with code changes, and opens Merge Requests and Issues on its own with a simple prompt. I avoided auto-merging for safety, but automating the entire pipeline up to MR and issue creation—saving hours of manual security work—was a major win.

What I learned

  • About GitLab Duo Ecosystem.
  • Clear, unambiguous system prompts improve relevance and reduce hallucinations; small wording changes can change response quality and safety checks.
  • The agent can reliably run analysis, perform Git steps (branching, commits, MRs), and generate documentation, and can fall back to alternative remediation options or detailed issue creation when automatic fixes aren’t safe, reducing context-switching for reviewers.

What's next for Supply Chain Security Agent

I have some features planned for the next iteration: - Deep Container Scanning: Extending capabilities to analyze container images deeply. - Deep Dependency Analysis: Testing the agent’s ability to auto generate Software Bill of Materials (SBOM) and perform dependency graph analysis for more accurate responses. - Flows: Implementing GitLab flows that trigger only on dependency updates. - Intelligent Triage: Using pattern analysis to identify similar issues and auto-assign them to the right developers based on past history.

Built With

  • claudehaiku4.5
  • duoagent
  • gitlabide
Share this project:

Updates