Feedback issue: Security Analyst Agent (GA)

Welcome to the Security Analyst Agent (GA)! 🔒

The purpose of this feedback Issue is to collect your experiences with the Security Analyst Agent (GA), a new AI-powered Security Analyst Agent for GitLab. Our goal is to understand how the Security Analyst Agent (GA) is helping (or hindering) your vulnerability management workflows, identify bugs and improvement areas, and prioritize enhancements based on real usage. Your feedback will directly influence how we evolve this agent.

The Security Analyst Agent is GA as of %18.8. More information in the below release post:

https://about.gitlab.com/releases/2026/01/15/gitlab-18-8-released/#gitlab-duo-security-analyst-agent-now-generally-available

What is the Security Analyst Agent? The Security Analyst Agent is a specialized security analyst agent available in the Duo Chat side panel that acts like a security teammate. It combines security expertise with context-awareness of GitLab security features (vulnerability reports, security dashboards, and compliance tools).

🎯 Feedback we're especially interested in

  1. Accuracy: Does the Security Analyst Agent correctly identify and assess vulnerabilities?
  2. Usefulness: Which security responses save you time vs. create more work?
  3. Risk Assessment: Are severity evaluations and EPSS score interpretations helpful and accurate?
  4. Tone: Is the security expertise voice appropriate for your team?
  5. Missing capabilities: What security tasks can't you accomplish?
  6. False Positives: How well does the agent distinguish genuine threats from benign findings?

📝 How to give feedback

  1. Check existing feedback: Review threads below to see if your issue is already reported. Add a 👍 or comment to show support.
  2. Start a new thread: Use a descriptive title like "Incorrect EPSS score interpretation" or "Missing container vulnerability context"
  3. Include context:
    • Your prompt to the Security Analyst Agent
    • The response you received
    • What you expected vs. what happened
    • URLs or screenshots (sanitized as needed)
    • Vulnerability IDs or security scan types involved
  4. Rate the response: On a scale of 1-5, how useful was it?
Example feedback format
  • Title: Incorrect severity assessment for SQL injection vulnerability
  • Prompt: "Analyze the severity of vulnerability ID 12345 and recommend next steps"
  • Context: [Link to vulnerability or description]
  • What happened: Security Analyst Agent recommended dismissing a critical SQL injection as low severity
  • Expected: Should recognize SQL injection patterns and assess appropriate severity
  • Usefulness: 1/5 - Could have led to security incident if followed
  • Screenshots: [If applicable]

🤝 What you can expect from us

  1. We will read all feedback during the Beta period
  2. We will prioritize fixes for GA based on feedback patterns
  3. We will create issues for reproducible problems with severity/priority labels
  4. We may reach out for clarification on complex security issues

🐛 Known Beta Issues

  • Security Analyst Agent may occasionally reference capabilities it doesn't have (e.g., "I'll patch this vulnerability")
  • May not recognize all custom security labels or compliance frameworks
  • Complete list of known Security Analyst Agent bugs here

🛡️ 🔒 🔑 Thank you for helping us make the Security Analyst Agent an indispensable part of your security workflow! Your feedback during this Beta period is crucial for delivering a GA release that truly acts like a security teammate. 🕵️ 🔍 🔐

Edited by Matthew Macfarlane