Inspiration
AI writes 80% of code now. Claude, Cursor, Copilot, v0 — millions of developers ship faster than ever. But faster isn't better. Vibe-coded projects go to production with hardcoded secrets, SQL injection vectors, bloated dependencies, and zero input validation. GitLab calls this the AI Paradox: AI accelerates authoring but security and quality reviews become the bottleneck. We built VibeShield to close that gap — an AI senior engineer that doesn't just find problems but fixes them.
What it does
Assign VibeShield as reviewer on any MR. Four specialized agents run in sequence:
- Security Scanner reads GitLab's vulnerability reports (real CVEs) AND performs semantic analysis to catch injection, secrets, and auth bypasses scanners miss
- Optimization Advisor maps the full codebase via Knowledge Graph, traces actual library usage across all files, recommends lighter alternatives with measured sustainability impact
- Best Practices Auditor detects the project's stack, then recommends improvements consistent with existing patterns
- Auto-Fixer generates corrected code, commits to a new branch, and opens a fix MR — one click to merge
Every review produces a Production Readiness Score (0-100), a certification label on the MR, and updates a Project Health Dashboard tracking quality over time. Drift Detection — the feature no other tool has. VibeShield reads your entire merged MR history and catches patterns invisible in any single review: dependency sprawl, security decay, test erosion, performance creep.
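To make the Drift Detection idea concrete, here is an added Python illustration. It is not VibeShield's code and does not use the GitLab Duo Agent Platform API: each merged MR is reduced to a small snapshot, a least-squares trend is fitted over the whole history, and each of the four drift patterns named above is reported when its trend crosses a threshold. The snapshot fields, the thresholds and the 30-MR sample history are all constructed for the example; a real implementation would derive them from GitLab's API and vulnerability reports. The sample is built so that test erosion shows up over the full history but not over the last ten MRs, which is the point made under "Challenges" below.

```python
"""Drift detection over a merged-MR history.

Added illustration only, not VibeShield's own code: the snapshot fields,
thresholds and sample history below are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class MRSnapshot:
    """State of the project right after one MR was merged (assumed fields)."""
    iid: int
    dependencies: int       # declared third-party dependencies
    source_files: int
    test_files: int
    open_vulns: int         # findings still open in the scanner report
    pipeline_seconds: int   # duration of the post-merge pipeline


# Per-MR slope beyond which a trend is reported. Test erosion is a downward
# trend in the test/source ratio, so its threshold is negative.
DEFAULT_THRESHOLDS: Dict[str, float] = {
    "dependency_sprawl": 0.25,
    "security_decay": 0.1,
    "test_erosion": -0.002,
    "performance_creep": 1.0,
}


def slope(values: Sequence[float]) -> float:
    """Least-squares slope of a series indexed 0..n-1 (units per MR)."""
    n = len(values)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den


def detect_drift(history: List[MRSnapshot],
                 thresholds: Dict[str, float] = DEFAULT_THRESHOLDS) -> Dict[str, float]:
    """Return the drift patterns whose trend crosses its threshold, with the slope."""
    ordered = sorted(history, key=lambda m: m.iid)
    series = {
        "dependency_sprawl": [m.dependencies for m in ordered],
        "security_decay": [m.open_vulns for m in ordered],
        "test_erosion": [m.test_files / max(m.source_files, 1) for m in ordered],
        "performance_creep": [m.pipeline_seconds for m in ordered],
    }
    flagged: Dict[str, float] = {}
    for name, values in series.items():
        s = slope(values)
        limit = thresholds[name]
        crossed = s < limit if limit < 0 else s > limit
        if crossed:
            flagged[name] = round(s, 4)
    return flagged


# Constructed 30-MR history: dependencies creep up one every two MRs, the
# source tree doubles during the first 20 MRs while the test count stays
# flat (erosion that then plateaus), the pipeline slows by 3 s per MR, and
# the open-vulnerability count is stable.
HISTORY = [
    MRSnapshot(
        iid=i,
        dependencies=20 + (i - 1) // 2,
        source_files=min(20 + (i - 1), 40),
        test_files=10,
        open_vulns=2,
        pipeline_seconds=300 + 3 * (i - 1),
    )
    for i in range(1, 31)
]

if __name__ == "__main__":
    print("full history:", detect_drift(HISTORY))
    # Only the last ten MRs: the test/source ratio is flat there, so the
    # erosion that happened earlier is invisible.
    print("last 10 MRs: ", detect_drift(HISTORY[-10:]))
```

Running it reports dependency sprawl, test erosion and performance creep over the full history and no security decay; the same check over only the last ten MRs no longer reports test erosion, because the ratio stopped falling before that window starts.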
How we built it
Entirely on the GitLab Duo Agent Platform. A custom YAML flow orchestrates four agents sequentially with 12+ GitLab tools (Read File, Grep, List Repository Tree, Create Commit, Create Merge Request, List Vulnerabilities, Update Merge Request). Five SKILL.md knowledge bases teach agents analysis methodology — not hardcoded pattern lists. A standalone VibeShield Ask agent enables interactive code quality conversations. All reasoning powered by Anthropic Claude.
Challenges we ran into
Multi-agent context passing was the hardest — each agent builds on the previous agent's output, so we designed a structured finding format the Auto-Fixer can reliably parse from three different agents. Drift Detection initially sampled only 10 MRs — I realized drift only appears across the full project history and expanded to analyze all merged MRs. My first SKILL.md files were hardcoded lookup tables that go stale — I rewrote all five to teach methodology instead.
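The structured finding format mentioned above, and the Production Readiness Score described under "What it does", are easiest to see with code. The following is an added Python illustration, not VibeShield's own schema: the field names, the JSON-lines transport, the severity weights, the score bands and the sample agent output are all assumptions made for the example. The parser reports malformed lines instead of dropping them, which is what makes a format drift in one of the three upstream agents visible to the Auto-Fixer.

```python
"""Structured finding format shared by the three analysis agents, plus the
readiness score computed from it.

Added illustration only, not VibeShield's own schema: the field names,
severity weights, score formula and sample output are assumptions.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Score penalty per finding, by severity (assumed weights).
SEVERITY_WEIGHTS = {"critical": 25, "high": 10, "medium": 4, "low": 1}
VALID_AGENTS = {"security", "optimization", "best_practices"}
REQUIRED_FIELDS = ("agent", "severity", "category", "file", "line", "description", "fix")


@dataclass(frozen=True)
class Finding:
    agent: str
    severity: str
    category: str
    file: str
    line: int
    description: str
    fix: str  # replacement code the Auto-Fixer can apply verbatim


def parse_findings(raw: str) -> Tuple[List[Finding], List[str]]:
    """Parse JSON-lines emitted by upstream agents.

    Malformed lines are collected as errors instead of being dropped, so an
    agent that drifts from the agreed format shows up in the review rather
    than silently losing findings.
    """
    findings: List[Finding] = []
    errors: List[str] = []
    for n, line in enumerate(raw.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {n}: not JSON ({exc.msg})")
            continue
        missing = [k for k in REQUIRED_FIELDS if k not in obj]
        if missing:
            errors.append(f"line {n}: missing {', '.join(missing)}")
            continue
        if obj["agent"] not in VALID_AGENTS or obj["severity"] not in SEVERITY_WEIGHTS:
            errors.append(f"line {n}: unknown agent or severity")
            continue
        if not isinstance(obj["line"], int) or obj["line"] < 1:
            errors.append(f"line {n}: 'line' must be a positive integer")
            continue
        findings.append(Finding(**{k: obj[k] for k in REQUIRED_FIELDS}))
    return findings, errors


def readiness_score(findings: List[Finding]) -> int:
    """0-100 score: 100 minus the severity-weighted penalty, floored at 0."""
    return max(0, 100 - sum(SEVERITY_WEIGHTS[f.severity] for f in findings))


def certification(score: int) -> str:
    """Label to attach to the MR (assumed bands)."""
    if score >= 90:
        return "production-ready"
    if score >= 70:
        return "needs-work"
    return "not-ready"


def fixes_by_file(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings per file, ordered by line, for the Auto-Fixer's commit."""
    grouped: Dict[str, List[Finding]] = {}
    for item in sorted(findings, key=lambda f: (f.file, f.line)):
        grouped.setdefault(item.file, []).append(item)
    return grouped


# Constructed agent output: three well-formed findings, one missing its
# 'fix' field, and one free-text line an agent should never have emitted.
SAMPLE_OUTPUT = """
{"agent": "security", "severity": "critical", "category": "sql_injection", "file": "app/db.py", "line": 42, "description": "query built by string formatting from request input", "fix": "cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))"}
{"agent": "optimization", "severity": "medium", "category": "heavy_dependency", "file": "requirements.txt", "line": 3, "description": "full library pulled in for a single date-format call", "fix": "replace with the standard-library equivalent"}
{"agent": "best_practices", "severity": "low", "category": "logging", "file": "app/main.py", "line": 7, "description": "print() used instead of the project's logger", "fix": "logger.info('request handled')"}
{"agent": "security", "severity": "high", "category": "hardcoded_secret", "file": "app/config.py", "line": 3, "description": "API key literal in source"}
Security Scanner: no further issues found
"""

if __name__ == "__main__":
    found, problems = parse_findings(SAMPLE_OUTPUT)
    score = readiness_score(found)
    print(f"{len(found)} findings, {len(problems)} malformed lines -> score {score} ({certification(score)})")
    for path, items in fixes_by_file(found).items():
        print(path, [f.line for f in items])
```

On the constructed sample the parser accepts three findings and reports two malformed lines; the accepted findings give a score of 70 and the "needs-work" label. The high-severity secret finding that lacked a fix is counted as a parse error rather than quietly lowering the score, so the review surfaces the broken handoff instead of hiding it.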
Accomplishments that we're proud of
The full scan → fix → MR loop. VibeShield doesn't post suggestions in comments — it commits corrected code and opens a merge request. No other GitLab-native tool does this. Drift Detection is genuinely novel — it's only possible because GitLab centralizes the entire SDLC in one platform. The dual-source security approach (scanner data + Claude reasoning) catches more than either alone.
What we learned
The GitLab Duo Agent Platform is more powerful than it appears — tools like Create Commit and Create Merge Request enable agents that take real action, not just analyze. SKILL.md files are the key to agent quality — methodology-driven skills produce dramatically better results than pattern-matching rules. And we experienced the AI Paradox firsthand: AI generated our demo code instantly, but reviewing and securing it took 10x longer.
What's next for VibeShield — AI Senior Engineer for Vibe-Coded Projects
- Auto-fix verification — trigger CI/CD on the fix MR and verify it passes before posting the report
- Pipeline Doctor — trigger on pipeline failures, trace root cause via Knowledge Graph, auto-fix
- Production Healer — production errors create GitLab issues, VibeShield auto-diagnoses and fixes
- Fix Chain — VibeShield reviews its own fix MR, creating a self-verifying quality loop
- Team learning — track which issue types each developer introduces most and generate personalized coaching
Built With
- agentduo
- claude
- gitlab
- yaml