# Beta Release: Agentic SAST Vulnerability Resolution (Vulnerability report and details page)
## Executive Summary
This epic covers the Beta release of Agentic SAST Vulnerability Resolution, scoped specifically to the Vulnerability Report. This is a focused release that enables AI-driven vulnerability remediation for SAST findings that appear in the Vulnerability Report, allowing GitLab Duo to automatically generate merge requests with context-aware code fixes.
The Beta release will validate the core agentic approach to vulnerability resolution with a limited scope before expanding to other surfaces (MR widget, pipeline security tab).
#### Engineering Assessment
This beta release leverages the existing GitLab Duo Vulnerability Resolution infrastructure and upgrades it to use the Duo Agentic platform. The scope is limited to the Vulnerability Report interface to validate the approach and gather user feedback before broader rollout.
Key technical components:
- Upgrade existing single-shot AI solution to multi-shot agentic solution
- Automatically generate fix MR for new High and Critical vulnerabilities
- Implement MR generation and quality scoring
- Integration with Vulnerability Report and Details UI only
#### Dependencies
- Team dependencies:
  - Sec AI Experiments team (primary development)
  - Static Analysis group (handoff planning)
  - Duo Workflow team (agentic infrastructure)
- Epic/Issue dependencies: link to dependent epics/issues via the linked items widget below for ease of drill-down
- External dependencies: None
#### DRIs
- **PM**: @khornergit
- **EM**: @nrosandich
- **UX/PDM**: @acummins9
- **Group(s)**: ~"group::compliance"
- **Engineering Owner**: @nrosandich
#### Initiative Driver - Product or Engineering?
- [x] **Product-driven initiatives (P1/P2/P3)** - Customer-facing features or improvements driven by Product teams that require engineering resources and commitment
  - These initiatives require a Product Priority label (P1/P2/P3)
  - They may also receive GTM tier labels (T1/T2/T3) for external communication
- [ ] **Engineering-driven initiatives (E1/E2/E3)** - Internal technical improvements that may not have customer-facing components
  - These initiatives require an Engineering Priority label (E1/E2/E3)
  - They have internal visibility only and are not externally communicated
  - Examples include: technical debt reduction, infrastructure improvements, refactoring, dependency upgrades
#### Sizing and Funding (Optional)
- **Size**: L
- **Funding Status**: Funded
---
### Hygiene Guidelines
:bulb: See additional details about this process at https://handbook.gitlab.com/handbook/product-development/r-and-d-interlock/
##### :one: Pre-Interlock
- [x] Update epic description with all relevant information
- [x] Ensure all dependencies are identified
- [x] Apply appropriate labels (see below)
- [x] Apply target delivery Milestone
- [ ] Update interlock status as discussions progress (via label)
##### :two: Post-Interlock: once quarter begins
- Update health status weekly (via label)
- Document any newly identified risks or dependencies
- Link to implementation epics/issues as work begins
- Flag any scope or timeline changes immediately
---
## Related Work
- Parent Epic: https://gitlab.com/groups/gitlab-org/-/work_items/17889 (Agentic SAST Vulnerability Resolution)
- Experiment Phase: https://gitlab.com/groups/gitlab-org/-/work_items/18233