Inspiration
Modern DevSecOps is fast, but the "human-in-the-loop" for security and compliance remains a major bottleneck. I built ARCA (Autonomous Reliability & Compliance Agent) to bring autonomous security auditing directly into GitLab's Duo Agent Platform — eliminating the gap between vulnerability detection and the moment a developer sees the problem, before any code gets merged.
What it does
ARCA is a fully autonomous AI agent integrated into the GitLab Duo Agent Platform that:
- Autonomous MR Auditing: Instantly analyzes every Merge Request diff for hardcoded secrets, security vulnerabilities, and unsafe coding patterns — triggered automatically, zero human input required.
- Dual AI Engine: Uses both Anthropic Claude and OpenAI GPT-4o for cross-validated security analysis — the first hackathon submission with multi-model security auditing.
- Duo Agent Platform Native: Custom Agent in the AI Catalog, custom `/security-audit` Skill via SKILL.md, custom Code Review instructions, and AGENTS.md project context.
- AI-Generated Security Reports: Posts structured audit reports with severity levels (CRITICAL/HIGH/MEDIUM/LOW) directly as MR comments before code is merged.
- Live K3s Deployment: Closes the full DevSecOps loop by deploying to a real Kubernetes cluster.
How we built it
- Duo Agent Platform Integration: Custom Agent registered in the AI Catalog with a DevSecOps system prompt, SKILL.md for the `/security-audit` slash command, `.gitlab/duo/mr-review-instructions.yaml` for custom Code Review Flow rules, and AGENTS.md for full project context.
- Core Orchestration: Python with the `python-gitlab` SDK to authenticate, extract MR diffs, and post comments back as a bot identity.
- Dual Intelligence: Anthropic Claude (primary) and OpenAI GPT-4o (secondary) acting as senior DevSecOps auditors, with configurable engine selection.
- Automation: GitLab CI/CD pipeline triggered on every `merge_request_event`.
- Infrastructure: K3s lightweight Kubernetes on a VPS as a live deployment target, registered via the GitLab Agent for Kubernetes (`arca-guardian`).
Challenges we ran into
The biggest challenge was integrating deeply with the Duo Agent Platform while maintaining backward compatibility with the CI/CD pipeline approach. I solved this by creating a dual-mode orchestrator that detects whether it's running as a Duo external agent (via AI_FLOW_CONTEXT) or as a CI pipeline job, seamlessly supporting both execution paths.
A second challenge was implementing the dual AI engine. Different models catch different vulnerability patterns — getting both Claude and GPT-4o to produce consistent, structured severity-based reports required careful prompt engineering.
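The dual-mode detection and cross-validated reporting described above, as an added Python example that is not ARCA's own code: mode detection keys on the `AI_FLOW_CONTEXT` variable the write-up mentions, while the finding schema, engine labels and the sample diff are my assumptions, and the python-gitlab network calls are left to the caller so the block runs offline.

```python
import os
import re

SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}
# Constructed sample hunk standing in for one entry of mr.changes()["changes"].
SAMPLE_DIFF = '@@ -1,3 +1,4 @@\n import os\n-x = 1\n+API_KEY = "sk-test"\n+x = 2\n y = 3\n'

def detect_mode(env=os.environ):
    """Duo external agent when AI_FLOW_CONTEXT is set, else a CI MR pipeline job."""
    if env.get("AI_FLOW_CONTEXT"):
        return "duo"
    if env.get("CI_MERGE_REQUEST_IID"):  # GitLab's predefined MR-pipeline variable
        return "ci"
    raise RuntimeError("not running under Duo or a merge_request_event pipeline")

def added_lines(diff):
    """(new-file line number, text) for each added line of a unified diff."""
    out, new_no, in_hunk = [], 0, False
    for line in diff.splitlines():
        m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
        if m:
            new_no, in_hunk = int(m.group(1)), True
        elif not in_hunk or line.startswith("\\"):
            continue  # skip headers before the first hunk and "\ No newline" markers
        elif line.startswith("+"):
            out.append((new_no, line[1:]))
            new_no += 1
        elif not line.startswith("-"):
            new_no += 1  # context lines advance the new-file counter; removals do not
    return out

def merge_findings(*engine_reports):
    """Cross-validate engine outputs keyed on (file, line, category)."""
    merged = {}
    for engine, findings in engine_reports:  # assumed schema: file/line/category/severity
        for f in findings:
            key = (f["file"], f["line"], f["category"])
            cur = merged.setdefault(key, {**f, "engines": set()})
            cur["engines"].add(engine)
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur["severity"]]:
                cur["severity"] = f["severity"]  # keep the higher of the two ratings
    return sorted(merged.values(), key=lambda f: -SEVERITY_RANK[f["severity"]])

def render_report(findings):
    """Markdown MR note body, most severe first (post via mr.notes.create({"body": ...}))."""
    lines = ["## ARCA security audit", ""]
    for f in findings:
        tag = "confirmed by both engines" if len(f["engines"]) > 1 else "single engine"
        lines.append(f"- **{f['severity']}** `{f['file']}:{f['line']}` {f['category']} ({tag})")
    return "\n".join(lines)
```

In CI mode the hunk text comes from the `diff` field of each entry in `project.mergerequests.get(iid).changes()["changes"]`, and in either mode the rendered body is posted with `mr.notes.create`.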
Accomplishments that we're proud of
Creating a truly "hands-off" security workflow where critical vulnerabilities are detected and a full audit report is posted inside the Merge Request before a human even opens the notification email — now powered by Anthropic Claude through the Duo Agent Platform.
ARCA even audited its own codebase and found real vulnerabilities in its own code — proving the agent works exactly as intended.
What we learned
I learned how to build custom agents and skills for the GitLab Duo Agent Platform, how to leverage multiple AI backends (Anthropic + OpenAI) for cross-validated security analysis, and how AGENTS.md and SKILL.md files extend the platform's capabilities for team-specific workflows.
What's next for ARCA
- Self-healing remediation: Auto-generate fix branches and open remediation MRs
- Duo Chat integration: Full interactive security analysis via GitLab Duo Chat
- SARIF output: Integration with GitLab Security Dashboard
- Auto-block merge: Prevent merging on CRITICAL severity findings
- Historical trends: Track security posture across MRs over time
Built With
- anthropic-claude
- devsecops
- docker
- gitlab-api
- gitlab-ci/cd
- gitlab-duo-agent-platform
- kubernetes
- openai-gpt-4o
- python