Skip to content

AndresRJ18/Issue2Secure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits
agents
agents
 
 
flows
flows
 
 
src
src
 
 
tests
tests
 
 
.ai-catalog-mapping.json
.ai-catalog-mapping.json
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Issue2Secure

From a GitLab issue to production-ready code with an automatic security audit — no manual steps required.

Issue2Secure is a multi-agent AI system built on the GitLab Duo Agent Platform. It coordinates two specialized flows that take a plain-text feature request and turn it into reviewed, security-scanned code ready for merge — without a developer writing a single line.

The Problem

The cycle every developer knows:

  1. Write a ticket
  2. Context-switch to implement it
  3. Open a PR
  4. Get flagged for security issues in review
  5. Fix, repeat

The gap between "I have an idea" and "this is ready to merge securely" is filled with manual, repetitive work. Issue2Secure closes that gap.

How It Works

Issue2Secure runs two coordinated AI flows triggered by mentioning them in a GitLab issue.

Flow 1 — Feature to Deploy Orchestrator

Triggered by mentioning @ai-feature-to-deploy-orchestrator-gitlab-ai-hackathon in an issue.

Planner Agent — reads the issue, analyzes the existing codebase, and posts a structured implementation plan as a comment including complexity estimate, step-by-step breakdown, and files to create or modify.

Code Generator Agent — reads the plan and generates complete, production-ready code for every required file. Opens a Merge Request automatically, linked to the original issue.

Flow 2 — Security Scanner

Triggered by mentioning @ai-security-scanner-gitlab-ai-hackathon in the same issue after code generation.

Security Scanner Agent — reads all generated code from issue comments and performs a full security audit. Posts a detailed report with severity levels, affected files, line references, and concrete remediation steps. Blocks the MR automatically if Critical or High vulnerabilities are found.

Usage

Step 1 — Create an issue

Title: Add JWT authentication endpoint
Description:
Create POST /api/auth/login that accepts email/password
and returns a JWT token. Use FastAPI + PostgreSQL.

Step 2 — Trigger Flow 1

@ai-feature-to-deploy-orchestrator-gitlab-ai-hackathon analyze this issue and generate the implementation code

The Planner posts the implementation plan. The Code Generator writes the code and opens an MR.

Step 3 — Trigger Flow 2

@ai-security-scanner-gitlab-ai-hackathon please scan the generated code in this issue for security vulnerabilities

The Security Scanner posts a full audit report and approves or blocks the MR.

Security Checks

The Security Scanner audits generated code for:

  • Hardcoded secrets and API keys
  • SQL injection vulnerabilities
  • Missing authentication and authorization
  • Insecure password handling
  • Race conditions and thread safety issues
  • Memory exhaustion vectors
  • IP spoofing in rate limiting implementations
  • Missing input validation
  • Insecure JWT configuration
  • Information disclosure via public endpoints
  • Missing HTTPS enforcement
  • CORS misconfiguration

Example Security Report

Risk Level: CRITICAL

Vulnerabilities Found:
[CRITICAL] Missing Authentication on Logs Endpoint
           File: src/routers/logs.py
           Fix: Add JWT token validation via Depends(verify_token)

[HIGH] No Rate Limiting on Public Endpoints
       File: src/main.py
       Fix: Implement slowapi with per-IP limits

[HIGH] Database Session Leak Risk
       File: src/middleware.py
       Fix: Use context manager to ensure session cleanup

Passed Checks:
- SQL Injection Protection: SQLAlchemy ORM used correctly
- Input Validation: Pydantic schemas enforce type safety
- Pagination Limits: Maximum enforced to prevent resource exhaustion

Verdict: BLOCKED

Agents and Tools

Agent Role Tools
Planner Analyzes issue and generates implementation plan get_issue, find_files, read_file, create_issue_note
Code Generator Generates code and opens MR get_issue, list_issue_notes, create_issue_note, create_merge_request
Security Scanner Audits code and blocks or approves MR get_issue, list_issue_notes, create_issue_note, get_merge_request, update_merge_request

Project Structure

.
├── agents/
│   └── agent.yml                    # Issue2Secure Feature Planner standalone agent
├── flows/
│   ├── flow.yml                     # Feature to Deploy Orchestrator
│   └── security-scanner.yml         # Security Scanner
├── src/
│   ├── main.py                      # FastAPI base application
│   ├── auth.py                      # Authentication utilities
│   └── ...                          # Code generated by the agents
├── tests/
│   └── test_auth.py
├── requirements.txt
└── README.md

Stack

  • GitLab Duo Agent Platform
  • Claude via GitLab AI infrastructure
  • Python + FastAPI
  • PostgreSQL
  • SQLAlchemy

License

MIT

About

Multi-agent AI system that turns a GitLab issue into production-ready code with automatic security scanning. Built on GitLab Duo Agent Platform + Claude.

gitlab.com/gitlab-ai-hackathon/participants/35015819

Topics

python security devops automation gitlab ai-agents claude fastapi llm anthropic

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

10 tags

Packages

 
 
 

Contributors

Languages