Feedback issue for Security Review Agent beta
About Security Review Agent
GitLab Security Review Agent is an AI-powered agent that detects business logic vulnerabilities in merge requests. Unlike SAST tools that scan for known patterns, it reasons about the intent of your code, identifying vulnerabilities that emerge from incorrect assumptions about authorization, data access, and control flow. It posts findings directly on the MR as diff threads, each with a CWE classification, severity rating, and a one-click suggested fix.
Vulnerability classes covered: authorization bypass (BOLA/IDOR, CWE-639), missing authorization (CWE-862), improper access control (CWE-284), information disclosure (CWE-200), business logic errors (CWE-840), mass assignment (CWE-915), and race conditions/TOCTOU (CWE-362/367).
Availability: GitLab Ultimate · GitLab.com, Self-managed, GitLab Dedicated · Beta
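To make the vulnerability classes above concrete, here is an added example (not GitLab's code, and not output from the agent): a plain-Ruby stand-in for a Rails controller with a BOLA/IDOR flaw (CWE-639) and a mass-assignment flaw (CWE-915) of the kind the agent is meant to flag, next to the hardened form. The controller and method names, the document store and the sample records are all hypothetical.

```ruby
# Added example, not GitLab code: the authorization and mass-assignment
# flaws the Security Review Agent targets, as a plain-Ruby stand-in for a
# Rails controller. All names and records here are hypothetical/constructed.

# Constructed stand-in for a documents table.
Document = Struct.new(:id, :owner_id, :title, :body, :published)

def sample_documents
  {
    1 => Document.new(1, 10, 'Alice notes', 'private text', false),
    2 => Document.new(2, 20, 'Bob notes', 'other text', false)
  }
end

class NotFound < StandardError; end

# Vulnerable version.
# show:   CWE-639 (BOLA/IDOR). The record is fetched by a client-supplied id
#         with no check that the caller owns it.
# update: CWE-915 (mass assignment). Every key in params[:document] is copied
#         onto the record, so a client can set owner_id or published.
class VulnerableDocumentsController
  def initialize(current_user_id, store)
    @current_user_id = current_user_id
    @store = store
  end

  def show(params)
    doc = @store[params[:id]]
    raise NotFound if doc.nil?
    doc.to_h
  end

  def update(params)
    doc = @store[params[:id]]
    raise NotFound if doc.nil?
    params[:document].each { |attr, value| doc[attr] = value }
    doc.to_h
  end
end

# Hardened version.
# find_own scopes the lookup to the caller, so a foreign id is indistinguishable
# from a missing one (no 403 that confirms the record exists). update copies
# only an explicit allow-list of attributes, the same idea as Rails strong
# parameters.
class HardenedDocumentsController
  PERMITTED = %i[title body].freeze

  def initialize(current_user_id, store)
    @current_user_id = current_user_id
    @store = store
  end

  def show(params)
    find_own(params[:id]).to_h
  end

  def update(params)
    doc = find_own(params[:id])
    params[:document].slice(*PERMITTED).each { |attr, value| doc[attr] = value }
    doc.to_h
  end

  private

  def find_own(id)
    doc = @store[id]
    raise NotFound if doc.nil? || doc.owner_id != @current_user_id
    doc
  end
end

# Walk an attacker (user 20) through both controllers and report what each
# allowed. Returns a Hash so the outcome can be checked rather than only read.
def compare_controllers
  vuln_store = sample_documents
  vuln = VulnerableDocumentsController.new(20, vuln_store)
  vuln.update(id: 1, document: { owner_id: 20, published: true })

  safe_store = sample_documents
  safe = HardenedDocumentsController.new(20, safe_store)
  foreign_read_blocked = begin
    safe.show(id: 1)
    false
  rescue NotFound
    true
  end
  safe.update(id: 2, document: { title: 'renamed', owner_id: 99, published: true })

  {
    vuln_foreign_read: vuln.show(id: 1)[:title],        # attacker reads Alice's doc
    vuln_owner_after_update: vuln_store[1].owner_id,    # ownership hijacked via mass assignment
    safe_foreign_read_blocked: foreign_read_blocked,
    safe_owner_after_update: safe_store[2].owner_id,    # owner_id was not in the allow-list
    safe_published_after_update: safe_store[2].published,
    safe_title_after_update: safe_store[2].title
  }
end

puts compare_controllers if __FILE__ == $PROGRAM_NAME
```

When testing the agent against an MR, a diff that introduces the vulnerable `show` or `update` above is the kind of change it should flag with CWE-639 or CWE-915; a suggested fix should look like the hardened class (owner-scoped lookup, explicit attribute allow-list). Note that the hardened version returns the same NotFound for a missing and a foreign record, which also avoids the CWE-200 style leak of confirming that a record exists.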
How to enable it
Security Review Agent requires the same prerequisites as the Code Review foundational flow:
- GitLab Duo is turned on for your instance or group.
- The Agent Platform is turned on (GitLab 18.8+), or beta and experimental features are turned on (GitLab 18.7 and earlier).
- Allow foundational flows and Code Review are turned on for the top-level group.
- You have at least the Developer role for the project.
Once prerequisites are met, trigger a review in one of two ways:
- Assign as reviewer: add @duo-security-reviewer in the Reviewers section of the MR sidebar.
- @mention in a comment: type @duo-security-reviewer in any MR comment.
Share your feedback
We want to hear from you. Please comment on this issue with:
- The type of codebase reviewed (language, size of diff)
- Whether findings were accurate, actionable, or false positives
- How you acted on findings (applied fix, dismissed, created follow-up issue)
- Any unexpected behavior or edge cases
- General impressions on cost relative to value