Agentic SAST Vulnerability Resolution

  • Tier: Ultimate
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
  • Status: Beta

The availability of this feature is controlled by a feature flag. For more information, see the history.

GitLab Duo automatically analyzes SAST vulnerabilities and generates merge requests with context-aware code fixes. This agentic approach uses multi-shot reasoning to resolve vulnerabilities with minimal human intervention, reducing remediation time and improving security outcomes.

Unlike the single-shot vulnerability resolution, agentic vulnerability resolution uses iterative reasoning to:

  • Analyze vulnerability context across the codebase.
  • Generate high-quality fixes that address root causes.
  • Validate fixes through automated testing.
  • Provide confidence scoring for proposed solutions.

Agentic SAST vulnerability resolution can run automatically, or you can run it manually.

Automatic resolution

When a SAST security scan completes on the main branch, GitLab Duo automatically completes the following actions:

  1. Analyzes each High and Critical severity SAST vulnerability.
  2. Checks if false positive detection has run.
  3. If the vulnerability is not a likely or possible false positive, GitLab Duo creates a merge request with the proposed fix.
  4. Runs the pipeline to validate that the fix resolves the vulnerability.

The process runs in the background with no manual triggering required. Results appear in the vulnerability report once processing is complete.

Manual resolution

You can manually trigger agentic vulnerability resolution for any SAST vulnerability at any time, regardless of severity. See manual trigger for instructions.

Automatic resolution conditions

Automatic agentic vulnerability resolution runs when all of the following conditions are met:

  • A SAST security scan completes successfully on the main branch.
  • The scan detects high or critical severity vulnerabilities.
  • False positive detection has run and determined the vulnerability is a likely or possible false positive.
  • GitLab Duo features are enabled for the project.
  • The vulnerability is from a supported SAST analyzer.

The analysis happens in the background and results appear in the vulnerability report after processing is complete.

Manual trigger

To manually run agentic vulnerability resolution for any existing SAST vulnerability:

  1. On the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to resolve.
  4. In the upper-right corner, select AI vulnerability management > Resolve with AI.

GitLab Duo analyzes the vulnerability and generates a merge request if a fix can be produced. Manual resolution works on any SAST vulnerability regardless of severity.

Configuration

To use agentic vulnerability resolution, the following requirements must be met:

  • A GitLab Duo Enterprise add-on subscription.
  • GitLab Duo enabled in your project or group.
  • The Use Duo Agentic SAST Vulnerability Resolution setting enabled for your project in Settings > General > GitLab Duo.
  • GitLab 18.9 or later.

No additional configuration is required. The feature works automatically with your existing SAST scanners.
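Because automatic resolution only starts after a SAST scan completes on the main branch, the one pipeline prerequisite is that SAST actually runs there. The following `.gitlab-ci.yml` is an added illustration, not configuration from this page or a GitLab-supplied file; it assumes the standard `Jobs/SAST.gitlab-ci.yml` template and a default branch named `main`:

```yaml
# Added example (assumed project layout): minimal pipeline that produces the
# SAST report agentic vulnerability resolution reads. The template's analyzer
# jobs run in the "test" stage, so that stage must exist.
stages:
  - test

include:
  # GitLab-maintained SAST template: selects analyzers from the project's
  # languages and uploads the SAST report artifact the vulnerability report
  # is built from.
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  # Keep generated or vendored code out of the scan so High/Critical findings
  # (and the merge requests created for them) point at code you maintain.
  # Path list is an assumption for this example; adjust to your repository.
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
```

After the first pipeline on `main` finishes, check Secure > Vulnerability report: only High and Critical SAST findings that pass the false positive check are picked up automatically, so anything else still needs the manual trigger described below.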

Reviewing generated merge requests

The following occurs when GitLab Duo generates a merge request for a vulnerability:

  1. The merge request is created with the proposed fix.
  2. The description includes the following:
    • The vulnerability details and severity
    • Explanation of the fix approach
    • Links to relevant security resources
    • Confidence score for the proposed solution
  3. The pipeline runs automatically to validate the fix.
  4. Reviewers review the changes and pipeline results.
  5. Users with the ability to merge the merge request do so according to your workflow.

Troubleshooting

Agentic vulnerability resolution sometimes cannot generate a suggested fix. Common causes include:

  • Insufficient context: The vulnerability occurs in complex code patterns that require additional context or manual intervention.
  • False positive detected: The AI model assesses whether the vulnerability is valid. The model may decide that the vulnerability is not a true vulnerability, or isn’t worth fixing.
  • Temporary or unexpected error: The error message may state that an unexpected error has occurred, the upstream AI provider request timed out, something went wrong, or a similar cause.
    • These errors may be caused by temporary problems with the AI provider or with GitLab Duo.
    • A new request may succeed, so you can try to resolve the vulnerability again.
    • If you continue to see these errors, contact GitLab for assistance.

Providing feedback

Agentic vulnerability resolution is a beta feature and we welcome your feedback. If you encounter issues or have suggestions for improvement, please provide feedback in issue 585626.