Back to Gitlabhq

Security Review Flow (beta)

doc/releases/19/gitlab-19-2-released/security-review-flow.md

19.2.0831 B
Original Source
<!-- DAP Code Review -->

Security Review Flow detects business logic vulnerabilities directly in merge requests. Unlike static analysis tools that scan for known patterns, Security Review Flow reasons about the intent of your code and identifies authorization bypasses, data exposure, and logic errors that pattern-based scanners routinely miss.

To request a review, assign the Duo Security Review service account as a reviewer on your merge request. The flow analyzes the diff and posts findings as threaded comments at the exact lines where vulnerabilities occur, each with a Common Weakness Enumeration (CWE) classification, severity rating, and where possible, an inline suggested fix you can apply without leaving the merge request.

Each review consumes GitLab Credits based on the complexity of the merge request diff.