Security Review Flow
- Tier: Ultimate
- Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated
- Status: Beta
Security Review Flow detects business logic vulnerabilities in merge requests. Unlike static analysis tools that scan for known patterns, Security Review Flow reasons about the intent of your code. It identifies vulnerabilities that emerge from incorrect assumptions about authorization, data exposure, and control flow.
Security Review Flow is a foundational flow built on the GitLab Duo Agent Platform. It works alongside GitLab Duo Code Review and posts findings as threaded diff comments, each with a CWE classification, severity rating, explanation, and where possible, an inline suggested fix you can apply with one action.
Use Security Review Flow when you need help with:
- Access control review: Identify missing or misconfigured authorization checks on state-changing operations.
- Authorization gap detection: Surface broken object-level and function-level authorization issues.
- Business logic analysis: Detect flaws in application workflows that could be exploited, such as race conditions in financial or stateful operations.
- Information disclosure: Identify code paths that can leak sensitive data to unauthorized callers.
- Mass assignment risk: Flag endpoints or models that can expose unintended fields to user input.
Prerequisites
To use Security Review Flow:
- Have the Developer, Maintainer, or Owner role for the project.
- Turn on Foundational flows and Security Review for the top-level group.
- Turn on GitLab Duo for the group or instance.
- If you do not have GitLab Duo Pro or Enterprise, turn on GitLab Duo Core for the top-level group or instance.
- For GitLab Self-Managed, configure GitLab Duo for the instance.
- In GitLab 18.8 and later, turn on Agent Platform for the top-level group. In GitLab 18.7 and earlier, turn on beta and experimental features.
Cost
Security Review Flow uses GitLab Credits each time it performs a review. Credit usage scales with diff complexity and the model you select.
The following estimates apply to the default model:
| Review complexity | Approximate LLM calls | Estimated credits |
|---|---|---|
| Small diff or a few changed files | ~16 | ~8 |
| Standard feature branch | ~28 | ~14 |
| Large or logic-heavy multi-file change | ~40 | ~20 |
During the beta release, you always start reviews manually. This lets you assess typical credit usage in your codebase before broader adoption.
Use Security Review Flow
Request a review
You can request a review at any time after a merge request is created. When you request a review, the flow analyzes the merge request diff and its surrounding context.
To request a review:
- In the left sidebar, select Search or go to and find your project.
- Select Code > Merge requests and open your merge request.
- In the Reviewers section of the right sidebar, select Edit.
- Search for and select duo-security-reviewer. This service account is automatically created when the Security Review flow is turned on for your group.
When the review is complete, the flow posts an internal note. The note summarizes any findings and the review scope. If the review produces no findings, the flow states this in the internal note.
For each finding, the flow opens a diff thread at the relevant line. If you reply to a thread (for example, to accept the risk or disagree with the assessment), the flow reads your reply and responds accordingly. On public projects, findings are posted in the internal note only, with no inline diff comments. Posting findings privately avoids exposing security details.
The flow sets the reviewer state based on the severity of findings. The flow never sets the Approve state, even when it finds no issues:
| Severity | Reviewer state |
|---|---|
| critical or high | Request changes |
| medium or low | Comment |
| None | Comment |
Respond to a finding
Mention the flow in a thread to ask clarifying questions about a finding, discuss remediation approaches, or flag a finding as a false positive. The flow does not perform a full re-review when mentioned.
To respond to a finding:
- In the left sidebar, select Search or go to and find your project.
- Select Code > Merge requests and open your merge request.
- In any comment thread, type @duo-security-reviewer followed by your message, then submit.
Security Review Flow reads the thread context and replies directly.
Review a finding
Security Review Flow focuses on logic-level vulnerabilities frequently missed by static analyzers. Each finding is posted as a diff thread on the changed code. Each thread includes:
- The vulnerability type (CWE) with a link to the MITRE definition.
- A severity rating: critical, high, medium, or low.
- A tier classification: Tier 1 (Exploitable), Tier 2 (Logic Flaw), or Tier 3 (Design Issue).
- An explanation of the logic flaw.
- A suggested fix, where possible.
Findings are not tracked in the Vulnerability Report and do not count toward merge request approval policies. They complement, but do not replace, static analysis (SAST) findings.
The following CWE classifications can appear in findings:
| CWE | Description |
|---|---|
| CWE-639 | Authorization bypass through user-controlled key (BOLA / IDOR) |
| CWE-862 | Missing authorization |
| CWE-284 | Improper access control |
| CWE-200 | Exposure of sensitive information |
| CWE-840 | Business logic errors |
| CWE-915 | Improperly controlled modification of dynamically-determined object attributes (mass assignment) |
| CWE-362 | Race conditions and time-of-check / time-of-use (TOCTOU) |
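The following is an added illustration, not code from GitLab or from this flow: a lookup and an update of the kind the flow classifies as CWE-639/CWE-862 (record fetched by a caller-supplied id with no ownership check) and CWE-915 (every submitted field copied onto the record), each beside a hardened form. The `Invoice` struct, the `INVOICES` sample data and the four functions are constructed stand-ins for ActiveRecord models and controller actions; `nil` stands in for a 404 response.

```ruby
Invoice = Struct.new(:id, :owner_id, :amount, :paid)

# Constructed sample data: two users (100 and 200), one invoice each.
INVOICES = [
  Invoice.new(1, 100, 50, false),
  Invoice.new(2, 200, 75, false),
].freeze

# Vulnerable (CWE-639 / CWE-862): the record is looked up by the caller-supplied
# id alone; the current user is never consulted, so any authenticated user can
# read another user's invoice.
def vulnerable_show(_current_user_id, params)
  invoice = INVOICES.find { |i| i.id == params[:id] }
  invoice&.to_h # nil stands in for a 404 response
end

# Hardened: the lookup is scoped to the caller's own records, so an id that
# belongs to someone else is indistinguishable from one that does not exist.
def hardened_show(current_user_id, params)
  invoice = INVOICES.find { |i| i.id == params[:id] && i.owner_id == current_user_id }
  invoice&.to_h
end

# Vulnerable (CWE-915 on top of CWE-639): every submitted key that matches an
# attribute is copied onto the record, so a caller can set `paid` or `owner_id`.
def vulnerable_update(_current_user_id, params)
  invoice = INVOICES.find { |i| i.id == params[:id] }
  return nil unless invoice
  params.each { |k, v| invoice[k] = v if invoice.members.include?(k) && k != :id }
  invoice.to_h
end

# Hardened: ownership-scoped lookup plus an explicit allow-list of writable fields.
PERMITTED_UPDATE_FIELDS = [:amount].freeze

def hardened_update(current_user_id, params)
  invoice = INVOICES.find { |i| i.id == params[:id] && i.owner_id == current_user_id }
  return nil unless invoice
  params.slice(*PERMITTED_UPDATE_FIELDS).each { |k, v| invoice[k] = v }
  invoice.to_h
end
```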
Resolve a finding
To resolve a finding:
- To apply the fix, select Apply suggestion. To commit the suggestion to a new branch instead, select the dropdown list next to Apply suggestion.
- To dismiss the finding, select Resolve thread if you reviewed the finding and determined it is a false positive or accepted risk.
- To track the vulnerability for future remediation, use the standard GitLab thread actions to create an issue from the finding.
- To rate the finding’s usefulness, select thumbs up or thumbs down. This feedback helps improve the model. You can also share detailed feedback in the feedback issue.
To request another review after you resolve the findings, reassign the flow as a reviewer. The flow analyzes the updated diff and performs an action depending on the state of the finding:
- Resolved findings: The flow confirms the fix and resolves the original thread.
- Incorrect or incomplete fixes: The flow identifies any additional required changes in the original thread.
- Unaddressed findings: The original thread remains open with no additional comment.
- New findings: The flow detects any new vulnerabilities introduced by the fix and creates new comment threads for them.
Troubleshooting
When you use Security Review Flow, you might encounter the following issues.
The flow is not available to assign
The duo-security-reviewer service account is automatically created when the flow is turned on for your group.
Confirm the status of the Security Review flow.
The flow does not provide findings
Confirm you meet all prerequisites, then check that the flow was correctly assigned.
- Verify that you mentioned @duo-security-reviewer exactly, with no spaces or capital letters.
- Verify Allow foundational flows and Code Review settings are turned on for the top-level group.
- For GitLab Self-Managed, verify your instance is configured for GitLab Duo.
The flow does not review every merge request
Small merge requests without any changes to code logic might produce no findings; for example, documentation-only changes typically produce none.
Suggested changes do not apply cleanly
Suggestions are generated against the diff at review time. If you pushed new commits after the review, line numbers might have shifted. Request a new review to get updated suggestions against the current diff.
I received an error about GitLab Credits
Your instance or group might have exhausted the GitLab Credits for the current billing period. Contact your administrator to purchase additional credits, or wait for the credits to reset at the start of the next billing period.