ContextQMD
Back to Gitlabhq

Agentic SAST Vulnerability Resolution

doc/user/application_security/vulnerabilities/agentic_vulnerability_resolution.md

18.11.27.3 KB
Original Source

{{< details >}}

  • Tier: Ultimate
  • Add-on: GitLab Duo Core, Pro, or Enterprise
  • Offering: GitLab.com, GitLab Self-Managed, GitLab Dedicated

{{< /details >}}

{{< history >}}

{{< /history >}}

GitLab Duo automatically analyzes SAST vulnerabilities and generates merge requests with context-aware code fixes. This agentic approach uses multi-shot reasoning to resolve vulnerabilities with minimal human intervention, reducing remediation time and improving security outcomes.

Unlike the single-shot vulnerability resolution, agentic vulnerability resolution uses iterative reasoning to:

  • Analyze vulnerability context across the codebase.
  • Generate high-quality fixes that address root causes.
  • Validate fixes through automated testing.
  • Provide confidence scoring for proposed solutions.

Agentic SAST vulnerability resolution can run automatically, or you can run it manually.

For a click-through demo, see Agentic SAST Vulnerability Resolution.

<!-- Demo published on 2026-03-05 -->

Automatic resolution

When a SAST security scan completes on the main branch, GitLab Duo automatically completes the following actions:

  1. Analyzes each High and Critical severity SAST vulnerability.
  2. Checks if false positive detection has run.
  3. If the vulnerability is not a likely or possible false positive, GitLab Duo creates a merge request with the proposed fix.
  4. Runs the pipeline to validate that the fix resolves the vulnerability.

The process runs in the background with no manual triggering required. Results appear in the vulnerability report once processing is complete.

Manual resolution

You can manually trigger agentic vulnerability resolution for any SAST vulnerability at any time, regardless of severity. See manual trigger for instructions.

Automatic resolution conditions

Automatic agentic vulnerability resolution runs when all of the following conditions are met:

  • A SAST security scan completes successfully on the main branch.
  • The scan detects high or critical severity vulnerabilities.
  • False positive detection has run and determined the vulnerability is not a false positive.
  • Agentic SAST Vulnerability Resolution flow is enabled for the project.
  • GitLab Duo features are enabled for the project.
  • The vulnerability is from a supported SAST analyzer.

The analysis happens in the background and results appear in the vulnerability report after processing is complete.

Manual trigger

To manually run agentic vulnerability resolution for any existing SAST vulnerability:

  1. In the top bar, select Search or go to and find your project.
  2. Select Secure > Vulnerability report.
  3. Select the vulnerability you want to resolve.
  4. In the upper-right corner, select AI vulnerability management > Resolve with AI.

GitLab Duo analyzes the vulnerability and generates a merge request if a fix can be produced. Manual resolution works on any SAST vulnerability regardless of severity.

Configuration

To use agentic vulnerability resolution, you must have the following requirements configured:

  • A GitLab Duo add-on subscription (GitLab Duo Core, Pro, or Enterprise).
  • A default GitLab Duo namespace set in your user preferences.
  • GitLab 18.9 or later.
  • Turn on experiment and beta GitLab Duo features is enabled in your top-level group.
  • Agentic vulnerability resolution allowed for the group and turned on for the project.
  • SAST False Positive Detection flow enabled for the top-level group and project.

Allow foundational flow for a group

You can allow all the projects in a top-level group to use the foundational flow. Individual projects must still turn on the feature in their project settings.

To allow agentic vulnerability resolution for all projects in a top-level group:

  1. In the left sidebar, select Search or go to and find your top-level group.
  2. Select Settings > GitLab Duo.
  3. Turn on the Allow flow execution toggle (enabled by default).
  4. Under Allow foundational flows, select the Resolve SAST Vulnerability checkbox.
  5. Select Save changes.

Turn on for a project

To turn on the feature for a specific project:

  1. In the left sidebar, select Search or go to and find your project.
  2. Select Settings > General.
  3. Expand GitLab Duo.
  4. Turn on the Turn on SAST vulnerability resolution workflow toggle.
  5. Select Save changes.

When you allow agentic vulnerability resolution for the top-level group and turn it on for the project, the feature works automatically with your existing SAST scanners.

Reviewing generated merge requests

The following occurs when GitLab Duo generates a merge request for a vulnerability:

  1. The merge request is created with the proposed fix.
  2. The description includes the following:
    • The vulnerability details and severity
    • Explanation of the fix approach
    • Links to relevant security resources
    • Confidence score for the proposed solution
  3. The pipeline runs automatically to validate the fix.
  4. Reviewers review the changes and pipeline results.
  5. Users with the ability to merge the merge request do so according to your workflow.

Troubleshooting

Agentic vulnerability resolution sometimes cannot generate a suggested fix. Common causes include:

  • Insufficient context: The vulnerability occurs in complex code patterns that require additional context or manual intervention.
  • False positive detected: The AI model assesses whether the vulnerability is valid. The model may decide that the vulnerability is not a true vulnerability, or isn't worth fixing.
  • Temporary or unexpected error: The error message may state that an unexpected error has occurred, the upstream AI provider request timed out, something went wrong, or a similar cause.
    • These errors may be caused by temporary problems with the AI provider or with GitLab Duo.
    • A new request may succeed, so you can try to resolve the vulnerability again.
    • If you continue to see these errors, contact GitLab for assistance.

Providing feedback

We welcome your feedback on agentic vulnerability resolution. If you encounter issues or have suggestions for improvement, please provide feedback in issue 585626.