Feedback issue: Agentic SAST Vulnerability Resolution (Beta)
Welcome to the Beta for Agentic SAST Vulnerability Resolution!
The purpose of this feedback issue is to collect your experiences with the AI-powered vulnerability resolution feature for SAST vulnerabilities. Our goal is to understand how this feature is helping (or hindering) your security workflows, identify bugs and improvement areas, and prioritize enhancements based on real usage. Your feedback will directly influence how we evolve this feature from Beta to GA.
Limited Beta Availability
- Available in SaaS, Self-managed and Dedicated in 18.9
- Accessible via Vulnerability Report and Vulnerability Details page
- Requires Ultimate tier with GitLab Duo add-on subscription
What is the Agentic SAST Vulnerability Resolution Feature?
The Agentic SAST Vulnerability Resolution feature is a GitLab Duo-powered capability that helps security teams automatically generate merge requests to fix SAST (Static Application Security Testing) vulnerabilities. It analyzes vulnerabilities and generates context-aware code fixes, enabling faster remediation and reducing manual security work.
Current Beta capabilities (18.9)
Automated Fix Generation
- Analyze SAST vulnerabilities and generate fixes automatically
- Create merge requests with context-aware code changes
- Provide readiness scores for generated fixes
- Display fix quality confidence metrics
Vulnerability Resolution Workflow
- Trigger vulnerability resolution from Vulnerability Report
- Trigger vulnerability resolution from Vulnerability Details page
- Review AI-generated merge requests before merging
- Track resolution status and metrics
Beta limitations
- Limited to Ultimate tier with Duo add-on subscription
- Vulnerability resolution focuses on High and Critical severity SAST vulnerabilities
- Limited to supported vulnerability types
Feedback we're especially interested in
- Fix Quality: Does the AI generate correct and production-ready fixes?
- Usefulness: Does the feature save you time in vulnerability remediation?
- User Experience: How intuitive is the interface for reviewing and merging fixes?
- Integration: How well does this fit into your existing security workflows?
- Coverage: What types of vulnerabilities can't the feature fix?
- Performance: Are there any performance issues with the feature?
- Confidence Scoring: Are the readiness scores helpful and accurate?
How to give feedback
- Check existing feedback: Review threads below to see if your issue is already reported. Add a 👍 or comment to show support.
- Start a new thread: Use a descriptive title like "AI generates incorrect fix for SQL injection" or "MR review interface is confusing"
- Include context:
  - What you were trying to do
  - The response or behavior you received
  - What you expected vs. what happened
  - URLs or screenshots (sanitized as needed)
  - Vulnerability IDs or project information
- Rate the response: On a scale of 1-5, how useful was it?
Example feedback format
- Title: AI generates incomplete fix for XSS vulnerability
- Context: Triggered vulnerability resolution for XSS finding in my project
- What happened: Generated MR fixed the immediate issue but missed related vulnerable code paths
- Expected: Should generate comprehensive fix addressing all instances of the vulnerability
- Usefulness: 3/5 - Required manual follow-up to complete the fix
- Screenshots: [If applicable]
What you can expect from us
- We will read all feedback during the Beta period
- We will prioritize fixes for GA based on feedback patterns
- We will create issues for reproducible problems
- We may reach out for clarification on complex security issues