Inspiration

Every dev has approved a "small" diff that broke something three files away. The diff looked fine. The code wasn't. GitLab Orbit actually understands how code connects, not just what changed — so we built something that uses that, right at the moment a human is about to hit approve.

What it does

Assign Tripwire as a reviewer on any MR. It traces the real dependency chain through Orbit's knowledge graph — not just your diff — and posts back a risk report: what actually breaks downstream, past instability in those files, open security findings, and who should really be reviewing this. It caught a real bug while we were testing it. A function's return type went from bool to dict. Looks harmless. But in Python, any non-empty dict is truthy — so every place that checked if validate_card(...) would now always pass, even for invalid cards. Silent payment bypass. We didn't plant that bug to make a good demo — Tripwire just found it.
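As an added illustration of the failure class described above (this is not Tripwire's code or the project's test codebase; the card-validation names and the sample caller are constructed for the example), the block below shows the bool-to-dict contract change, the naive caller that silently passes invalid cards under the new return type, a caller that checks the explicit field instead, and a small AST scan a reviewer or CI job could run to find every place that tests a validator's return value bare.

```python
import ast

# Hypothetical validator, two revisions. Luhn check is the only real logic.
def luhn_ok(number: str) -> bool:
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def validate_card_v1(number: str) -> bool:
    """Original contract: True only for a valid card."""
    return luhn_ok(number)

def validate_card_v2(number: str) -> dict:
    """After the refactor: a structured report. A non-empty dict is always
    truthy, so any caller still writing `if validate_card(...)` passes."""
    return {"valid": luhn_ok(number), "number": number}

def charge_naive(validate, number: str) -> str:
    # The pre-refactor idiom. Under validate_card_v2 this charges invalid cards.
    if validate(number):
        return "charged"
    return "rejected"

def charge_checked(number: str) -> str:
    # Caller updated to the new contract: test the explicit field, and use an
    # identity check so a missing or non-bool field fails closed.
    report = validate_card_v2(number)
    if report.get("valid") is True:
        return "charged"
    return "rejected"

def find_bare_truthiness_checks(source: str, func_name: str) -> list[int]:
    """Line numbers where `if/while/assert func_name(...)` (optionally under
    `not`) tests the call result directly. That is the pattern that breaks
    silently when the return type changes from bool to a container."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.If, ast.While, ast.Assert)):
            continue
        test = node.test
        if isinstance(test, ast.UnaryOp) and isinstance(test.op, ast.Not):
            test = test.operand
        if not isinstance(test, ast.Call):
            continue
        callee = test.func
        name = callee.id if isinstance(callee, ast.Name) else getattr(callee, "attr", None)
        if name == func_name:
            hits.append(node.lineno)
    return hits

# Constructed sample caller, as a reviewer would see it in a diff's neighbours.
SAMPLE_CALLER = '''\
def charge(number):
    if validate_card(number):
        return "charged"
    assert not validate_card(number)
    return "rejected"
'''

if __name__ == "__main__":
    bad = "4111111111111112"   # fails Luhn
    print("v1 naive:", charge_naive(validate_card_v1, bad))   # rejected
    print("v2 naive:", charge_naive(validate_card_v2, bad))   # charged (the bypass)
    print("v2 checked:", charge_checked(bad))                  # rejected
    print("bare checks at lines:", find_bare_truthiness_checks(SAMPLE_CALLER, "validate_card"))
```

Running the scan over every file that imports the changed function is the cheap, local approximation of what the write-up describes Tripwire doing through the dependency graph: the diff itself never shows the callers, so the check has to start from them.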

How we built it

Custom GitLab Duo agent + a custom flow, both using GitLab's actual pre-built Orbit tools (Query Graph, Get Graph Schema) instead of hand-rolling API calls. Triggered by assigning Tripwire as reviewer. We built a small real codebase with a genuine dependency chain just to test it honestly, then broke something on purpose and watched if it caught it.

Challenges we ran into

Half the assumptions we started with were wrong. There's no "MR opened" trigger — that doesn't exist yet. Custom agents aren't defined in a repo file, they're built in the UI. The Orbit API isn't a set of clean REST routes, it's one generic graph query endpoint. We kept hitting docs that didn't match the actual product and had to rebuild around what's really there instead of what we assumed.

Accomplishments that we're proud of

It found a real bug. Not a staged one for the demo — we wrote the broken code, ran Tripwire, and it caught the exact silent failure we were testing for, plus a second issue (AmEx cards getting rejected) we hadn't even been thinking about.

What we learned

Building on a beta platform means the docs lag the product. You verify against the live UI or you ship something broken. We also learned how much Orbit actually knows once you ask it the right question.

What's next for Tripwire

Flagging missing test coverage on changed code, catching CODEOWNERS gaps automatically, and eventually tracing risk across multiple repos, not just one.

Built With

  • gitlab-ai-catalog
  • gitlab-custom-flows
  • gitlab-duo-agent-platform
  • gitlab-orbit
  • python
  • yaml