The Compliance Sentinel Inspiration

AI writing code is no longer revolutionary.

The real bottlenecks in modern software teams are elsewhere: security reviews, compliance validation, infrastructure governance, audit preparation.

Engineering teams move fast. Compliance teams move carefully. Security checks often happen too late — after deployment, after incidents, after audits.

This creates friction.

The Compliance Sentinel was built to remove that friction.

What if compliance wasn’t a manual review? What if every Merge Request automatically became a compliance checkpoint?

Not as a suggestion. As enforcement.

What It Does

The Compliance Sentinel is an event-driven compliance enforcement agent built on the GitLab Duo Agent Platform.

It reacts to GitLab events and takes real action.

When a Merge Request is created or updated, the agent:

• Analyzes the code diff for security risks and sensitive data exposure
• Detects infrastructure changes (Terraform, cloud configs)
• Validates encryption and cloud policies
• Calculates a compliance risk score
• Generates structured, audit-ready findings
• Posts actionable feedback on the Merge Request
• Adds compliance labels
• Blocks the merge if critical violations are detected

Every Merge Request becomes a self-enforcing security and compliance gate.

This is not a chatbot. It is a digital compliance teammate embedded inside the workflow.

How We Built It

The architecture is fully event-driven.

GitLab Webhooks trigger the workflow on Merge Request events.

A custom public GitLab Duo Agent orchestrates the flow.

Claude 3.5 Sonnet analyzes code diffs and returns structured JSON.

Deterministic components validate findings and compute a compliance score.

Infrastructure policies are validated using Google Cloud APIs.

The agent writes back to GitLab via REST APIs:

• Comments
• Labels
• Merge blocking decisions
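The pipeline above (and the per-MR behaviour listed under "What It Does") can be shown as one runnable skeleton. This is an added example, not the Compliance Sentinel's own code: the finding schema, the severity weights, the regex rules, the `compliance::*` label names and the "any critical finding blocks" rule are this example's assumptions. The webhook fields `object_kind` and `object_attributes.action` and the `X-Gitlab-Token` header are GitLab's documented merge request webhook fields. The model call itself, the GitLab REST write-back and the mechanism used to block the merge are not shown; the block takes a constructed diff and a constructed model reply and produces the decision the agent would act on.

```python
"""Deterministic core of an MR compliance gate (added illustration; schema,
weights, rules and labels are assumptions, not the project's own)."""
import hmac
import json
import re

SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}
TRIGGER_ACTIONS = {"open", "update", "reopen"}

# (rule id, severity, file suffix it applies to, pattern on added diff lines).
# Illustrative patterns only, not an exhaustive secret or IaC scanner.
DIFF_RULES = [
    ("hardcoded_password", "high", "",
     re.compile(r"^\+.*password\s*=\s*['\"][^'\"]+['\"]", re.IGNORECASE)),
    ("tf_encryption_disabled", "critical", ".tf",
     re.compile(r"^\+.*encrypted\s*=\s*false")),
]


def is_relevant_event(payload: dict, header_token: str, expected_token: str) -> bool:
    """Act only on authenticated MR open/update/reopen events. GitLab sends the
    configured secret in X-Gitlab-Token; compare it in constant time first."""
    if not hmac.compare_digest(header_token, expected_token):
        return False
    if payload.get("object_kind") != "merge_request":
        return False
    return payload.get("object_attributes", {}).get("action") in TRIGGER_ACTIONS


def prescreen_diff(diff: str) -> list[dict]:
    """Model-independent regex checks on the added lines of a unified diff."""
    findings, current_file = [], ""
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            current_file = line[len("+++ b/"):]
            continue
        for rule, severity, suffix, pattern in DIFF_RULES:
            if current_file.endswith(suffix) and pattern.search(line):
                findings.append({"rule": rule, "severity": severity,
                                 "file": current_file, "evidence": line[1:].strip()})
    return findings


def validate_model_output(raw: str) -> list[dict]:
    """Parse the model's JSON as untrusted input: malformed JSON, unknown
    severities and missing fields are dropped, never forwarded to enforcement."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return []
    items = data.get("findings") if isinstance(data, dict) else None
    valid = []
    for f in items if isinstance(items, list) else []:
        severity = str(f.get("severity", "")).lower() if isinstance(f, dict) else ""
        if severity in SEVERITY_WEIGHT and f.get("rule") and f.get("file"):
            valid.append({"rule": str(f["rule"]), "severity": severity,
                          "file": str(f["file"]), "evidence": str(f.get("evidence", ""))})
    return valid


def compliance_score(findings: list[dict]) -> int:
    """100 is clean; each finding subtracts its severity weight, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHT[f["severity"]] for f in findings))


def decide(findings: list[dict]) -> dict:
    """Map findings to MR actions: label, merge decision and comment text."""
    score = compliance_score(findings)
    if any(f["severity"] == "critical" for f in findings):
        label, block = "compliance::blocked", True   # any critical finding blocks
    elif findings:
        label, block = "compliance::review", False
    else:
        label, block = "compliance::passed", False
    comment = [f"Compliance score: {score}/100 ({len(findings)} finding(s))"]
    comment += [f"- [{f['severity'].upper()}] {f['rule']} in {f['file']}: {f['evidence']}"
                for f in findings]
    return {"score": score, "labels": [label], "block_merge": block,
            "comment": "\n".join(comment)}


def run_gate(diff: str, model_raw: str) -> dict:
    """Merge pre-screen and validated model findings, deduplicated by rule+file."""
    merged = {}
    for f in prescreen_diff(diff) + validate_model_output(model_raw):
        merged.setdefault((f["rule"], f["file"]), f)
    return decide(list(merged.values()))


# Constructed sample input: a Terraform change disabling EBS encryption, a
# hard-coded password, and a made-up model reply holding one duplicate, one
# malformed (unknown severity) and one new finding.
SAMPLE_DIFF = """\
+++ b/infra/storage.tf
@@ -2,1 +2,1 @@
-  encrypted = true
+  encrypted = false
+++ b/app/config.py
@@ -1,0 +1,1 @@
+DB_PASSWORD = "hunter2"
"""
SAMPLE_MODEL_OUTPUT = json.dumps({"findings": [
    {"rule": "tf_encryption_disabled", "severity": "critical",
     "file": "infra/storage.tf", "evidence": "encrypted = false"},
    {"rule": "debug_flag", "severity": "banana", "file": "app/config.py"},
    {"rule": "missing_compliance_tag", "severity": "low",
     "file": "infra/storage.tf", "evidence": "no compliance tag on resource"},
]})
```

On the sample input, `run_gate(SAMPLE_DIFF, SAMPLE_MODEL_OUTPUT)` yields three findings (critical, high, low), a score of 35 and a blocked merge. The two design points worth keeping from this shape: the webhook token check means a forged event cannot trigger the agent, and the model's output is schema-validated and scored by deterministic code, so the model alone can neither pass nor block a merge.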

The system is built around:

• Tool-calling
• Structured AI outputs
• Policy enforcement logic
• Workflow orchestration

Not conversational AI.

Why It Matters

Compliance today is reactive and manual.

The Compliance Sentinel shifts compliance left by embedding enforcement directly into the SDLC.

Before:

• Security reviews were manual
• Compliance was documentation-heavy
• Violations were found late

After:

• Violations are caught at Merge Request time
• Compliance status is visible instantly
• Risk is measurable
• Enforcement is automatic

It transforms compliance from a bottleneck into an automated workflow primitive.

Challenges We Solved

• Designing a true event-driven agent (not chat-based)
• Forcing structured, machine-actionable JSON outputs
• Connecting AI reasoning to deterministic enforcement logic
• Translating regulatory requirements into programmable rules
• Maintaining performance in a hackathon environment

What We’re Proud Of

• Building a multi-agent orchestration architecture
• Combining AI reasoning with cloud policy validation
• Implementing automated merge blocking based on compliance scoring
• Creating audit-ready structured outputs
• Aligning deeply with GitLab Duo Agent Platform capabilities

Most importantly:

We built an agent that acts.

What We Learned

• How to design trigger-based agents inside GitLab
• How to structure prompts for reliable tool orchestration
• How compliance frameworks can be translated into automated checks
• How AI can augment — not replace — deterministic policy enforcement

We learned that the future of AI in DevOps is not just code generation.

It is workflow enforcement.

What’s Next

• Compliance scoring per Merge Request
• Cross-cloud policy validation
• Integration with SAST/DAST correlation
• Compliance trend dashboard
• Production-grade SaaS deployment

The long-term vision:

Make compliance invisible. Built directly into development workflows. Always enforced. Never forgotten.

Built With

  • ai-catalog
  • anthropic-claude
  • gitlab-ambient-environment
  • gitlab-api
  • gitlab-duo
  • google-vertex-ai
  • rest-api
  • yaml