Beta Release: Agentic Bulk Vulnerability Resolution
## Executive Summary

This epic covers the implementation of AI-powered bulk vulnerability resolution that intelligently groups related SAST findings and resolves them in a single merge request. This feature builds upon the existing Agentic SAST Vulnerability Resolution work to address systematic code quality issues where the same vulnerability pattern appears multiple times across a codebase.

Instead of creating individual MRs for each instance of the same vulnerability type, GitLab Duo will identify patterns in SAST findings, group them by shared root causes or remediation strategies, and generate a single comprehensive MR that addresses all related vulnerabilities - dramatically reducing review fatigue and improving remediation efficiency.

#### Engineering Assessment

This feature extends the Agentic SAST Vulnerability Resolution infrastructure to support pattern recognition and bulk remediation. The implementation uses AI to identify similar vulnerabilities, group them intelligently, and generate consolidated fixes in a single MR.

Key technical components:

- Pattern recognition for identifying similar SAST vulnerabilities
- Intelligent grouping by root cause or fix pattern
- Bulk MR generation with multiple vulnerability fixes
- Visual clustering of related findings in the MR interface
- Fix readiness detection (F1-score > 80% target)
- Individual review capability for each grouped finding

#### Dependencies

- Team dependencies:
  - Static Analysis group (SAST integration)
  - Duo Workflow team (agentic infrastructure)
- Epic/Issue dependencies:
  - Link to dependent epics/issues via the linked items widget below for ease of drill down
  - Builds on: https://gitlab.com/groups/gitlab-org/-/epics/20150 (Agentic SAST Vulnerability Resolution)
- External dependencies: None

#### DRIs

- **PM**: @mclausen35
- **EM**: @ajbiton
- **UX/PDM**: @acummins9
- **Group(s)**: ~"group::security insights"
- **Engineering Owner**: @ajbiton

#### Initiative Driver - Product or Engineering?

- [x] **Product-driven initiatives (P1/P2/P3)**
  - Customer-facing features or improvements driven by Product teams that require engineering resources and commitment
  - These initiatives require a Product Priority label (P1/P2/P3)
  - They may also receive GTM tier labels (T1/T2/T3) for external communication
- [ ] **Engineering-driven initiatives (E1/E2/E3)**
  - Internal technical improvements that may not have customer-facing components
  - These initiatives require an Engineering Priority label (E1/E2/E3)
  - They have internal visibility only and are not externally communicated
  - Examples include: technical debt reduction, infrastructure improvements, refactoring, dependency upgrades

#### Sizing and Funding (Optional)

- **Size**: L
- **Funding Status**: Funded

---

### Hygiene Guidelines

:bulb: See additional details about this process at https://handbook.gitlab.com/handbook/product-development/r-and-d-interlock/

##### :one: Pre-Interlock

- [x] Update epic description with all relevant information
- [x] Ensure all dependencies are identified
- [x] Apply appropriate labels (see below)
- [x] Apply target delivery Milestone
- [ ] Update interlock status as discussions progress (via label)

##### :two: Post-Interlock: once quarter begins

- [ ] Update health status weekly (via label)
- [ ] Document any newly identified risks or dependencies
- [ ] Link to implementation epics/issues as work begins
- [ ] Flag any scope or timeline changes immediately

---

## Related Work

- Parent Epic: https://gitlab.com/groups/gitlab-org/-/work_items/18167 (Agentic Bulk Vulnerability Resolution)
- Foundation Work: https://gitlab.com/groups/gitlab-org/-/work_items/17889 (Agentic SAST Vulnerability Resolution)
- Design Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/566624
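As an added illustration of the two mechanisms named in the Engineering Assessment (grouping findings by shared root cause, and gating on a fix-readiness F1 above 80%), the following is example code written for this page, not GitLab Duo's implementation. Findings that share a CWE and a scanner rule are collected into one candidate bulk MR, anything left over falls back to the single-MR path, and an F1 check over reviewer-labelled fixes enforces the target. The finding structure is a simplified version of the GitLab SAST report schema, and the `root_cause_key` heuristic, the function names and all sample data are assumptions constructed for the example.

```python
"""Group SAST findings by shared root cause and gate on fix-readiness F1.

Illustrative example only: the grouping heuristic and the evaluation
harness are constructed for this page and are not GitLab Duo's
implementation. Finding fields follow a simplified version of the
GitLab SAST report format (``identifiers``, ``location``); that shape
is an assumption here.
"""
from collections import defaultdict

# Constructed sample findings (not real scan output). Each finding carries
# its scanner rule identifiers and the file/line where it was reported.
SAMPLE_FINDINGS = [
    {"id": "f1", "location": {"file": "app/db/users.py", "start_line": 42},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"},
                     {"type": "semgrep_id", "name": "python.sqli", "value": "python.sqli"}]},
    {"id": "f2", "location": {"file": "app/db/orders.py", "start_line": 17},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"},
                     {"type": "semgrep_id", "name": "python.sqli", "value": "python.sqli"}]},
    {"id": "f3", "location": {"file": "app/views/profile.py", "start_line": 8},
     "identifiers": [{"type": "cwe", "name": "CWE-79", "value": "79"},
                     {"type": "semgrep_id", "name": "python.xss", "value": "python.xss"}]},
    {"id": "f4", "location": {"file": "app/db/users.py", "start_line": 88},
     "identifiers": [{"type": "cwe", "name": "CWE-89", "value": "89"},
                     {"type": "semgrep_id", "name": "python.sqli", "value": "python.sqli"}]},
    {"id": "f5", "location": {"file": "app/util/crypto.py", "start_line": 3},
     "identifiers": [{"type": "cwe", "name": "CWE-327", "value": "327"}]},
]


def root_cause_key(finding):
    """Derive a grouping key from the finding's identifiers.

    Hypothetical heuristic: the CWE names the weakness class and the scanner
    rule names the code pattern; findings sharing both usually share a
    remediation strategy. Falls back to the CWE alone when no rule is present.
    """
    cwe = next((i["name"] for i in finding["identifiers"] if i["type"] == "cwe"), "unknown")
    rule = next((i["value"] for i in finding["identifiers"] if i["type"] != "cwe"), None)
    return (cwe, rule)


def group_findings(findings, min_group_size=2):
    """Return {key: [finding ids]} for groups worth one consolidated MR.

    Groups smaller than ``min_group_size`` are left to the single-MR path.
    """
    groups = defaultdict(list)
    for f in findings:
        groups[root_cause_key(f)].append(f["id"])
    return {k: v for k, v in groups.items() if len(v) >= min_group_size}


def singleton_findings(findings, min_group_size=2):
    """Finding ids that did not land in any bulk group."""
    grouped = {fid for ids in group_findings(findings, min_group_size).values() for fid in ids}
    return [f["id"] for f in findings if f["id"] not in grouped]


def f1_score(predicted, actual):
    """F1 of a binary 'fix is ready' classifier given parallel bool lists."""
    tp = sum(p and a for p, a in zip(predicted, actual))
    fp = sum(p and not a for p, a in zip(predicted, actual))
    fn = sum(a and not p for p, a in zip(predicted, actual))
    if tp == 0:
        return 0.0
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)


def meets_readiness_target(predicted, actual, target=0.80):
    """True when the classifier clears the epic's F1 > 80% target."""
    return f1_score(predicted, actual) > target


# Constructed evaluation labels for ten generated fixes: did the model mark
# the fix as ready, and did a human reviewer agree?
PREDICTED_READY = [True, True, True, True, False, True, False, False, True, True]
REVIEWER_READY = [True, True, False, True, False, True, True, False, True, True]


if __name__ == "__main__":
    for key, ids in group_findings(SAMPLE_FINDINGS).items():
        print(f"bulk MR candidate for {key}: {ids}")
    print("single-MR path:", singleton_findings(SAMPLE_FINDINGS))
    print("F1:", round(f1_score(PREDICTED_READY, REVIEWER_READY), 3),
          "target met:", meets_readiness_target(PREDICTED_READY, REVIEWER_READY))
```

With the constructed data the three SQL-injection findings become one bulk MR candidate, the XSS and weak-crypto findings stay on the single-MR path, and the readiness classifier scores F1 = 6/7 (about 0.857), so it clears the 80% gate. Because the epic keeps individual review capability for each grouped finding, the group key is carried alongside the per-finding ids rather than replacing them.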