Securie for GitLab — maintain every merge request

Status: live

The Securie GitLab App installs at the group or project level. Securie maintains every merge request the way the GitHub App maintains pull requests: reads the diff, checks the codebase across the maintenance loop, verifies repairs against your existing test suite where available, surfaces on-demand replay for Business+ disputed findings, posts MR-thread repair comments, and signs the verdict with the same DSSE / in-toto envelope chain.

What it does

Reads your code at merge-request time on GitLab.com or self-managed GitLab. Runs the same Securie maintenance loop as GitHub: codebase-aware finding, tested repair where available, DSSE-signed evidence, and repo-host-agnostic dashboard routes for KB API, monitor, dossier, ROI, and supply-chain feed.

When to use it

Best fit: any team running GitLab.com or self-managed GitLab as the source-of-record, especially Scaleup / Business / Scale-tier teams whose source-control choice was made before the GitHub App existed. Particularly valuable for EU + Asia-Pacific teams that picked GitLab for data-residency reasons — Securie's enterprise tier ships sovereign-deploy (customer-VPC, on-prem, air-gapped) so the evidence layer matches the host's residency. Self-managed GitLab is supported the same way self-hosted Supabase is — point Securie at your instance URL during install.

Limitations

Managed rollout, mirroring the GitHub App rollout. Same coverage profile as GitHub at parity: TypeScript / JavaScript on Next.js + Supabase strongest, with baseline checks for long-tail languages. GitLab parity is tracked under R-GITLAB-PARITY and gated by dependency-parity tests.

Parity with the GitHub App

All four Ring-1 layers ship at parity. Each row maps to a phase of R-GITLAB-PARITY on the agent side.

  • Sandbox proof on GitLab (live)

    Every exploitable MR finding is replayed inside a Firecracker microVM seeded from the MR head SHA. The Proven verdict carries the same shape GitHub-origin proofs do — no per-host divergence (R-GITLAB-PARITY P1).

  • Auto-fix MR with regression test (live)

    Patch-loop-v0 opens a follow-up MR with the fix + a regression test that fails on `main` and passes on the proposed branch. Same flow as the GitHub tested repair PR (R-GITLAB-PARITY P2).

  • DSSE attestation under matching predicates (live)

    Every GitLab-origin finding + fix is sealed by the same Ed25519 + in-toto v1 + Sigstore rekor chain GitHub-origin verdicts use. `cosign verify-blob` works on either host's evidence with the same key (R-GITLAB-PARITY P3).

  • Inline MR review comments + check status (live)

    Findings render as inline diff-thread comments via the Discussions API; the overall verdict surfaces as a Commit Status (success / failed). Host-neutral `SuggestedChange` rendering keeps the UX identical to GitHub PR review (R-GITLAB-PARITY P4).
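The DSSE check that `cosign verify-blob` performs on a GitLab-origin verdict, written here as an added example in Go against the standard library (this is not Securie's code): the Ed25519 signature covers the DSSE pre-authentication encoding of payload type plus payload, so an envelope whose statement or payload type was altered after sealing fails to verify. The key id and the in-toto statement you pass in are assumptions; the Rekor transparency-log lookup is outside this block.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"strconv"
)

// DSSE payloadType used when the payload is an in-toto Statement.
const inTotoType = "application/vnd.in-toto+json"
// Envelope mirrors the DSSE envelope layout; Payload and Sig are base64.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
// pae is the DSSE Pre-Authentication Encoding the signature actually covers:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
func pae(payloadType string, payload []byte) []byte {
	h := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " "
	return append([]byte(h), payload...)
}

// Sign seals a statement (e.g. an in-toto v1 Statement whose subject is the
// MR head SHA) in a DSSE envelope with one Ed25519 signature. keyID is assumed.
func Sign(priv ed25519.PrivateKey, keyID string, statement []byte) Envelope {
	sig := ed25519.Sign(priv, pae(inTotoType, statement))
	return Envelope{PayloadType: inTotoType, Payload: base64.StdEncoding.EncodeToString(statement),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify reports whether any signature validates under pub; the payloadType is
// bound into the PAE, so tampering with either field fails verification.
func Verify(pub ed25519.PublicKey, env Envelope) bool {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return false
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		if sig, err := base64.StdEncoding.DecodeString(s.Sig); err == nil && ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}
```

A verifier holding the published public key calls `Verify` on the envelope from either host; the same key validates GitHub- and GitLab-origin envelopes because the envelope shape does not encode the host.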

Supported GitLab events

The Securie GitLab App subscribes to these GitLab webhooks. Each maps to a Rust handler in services/gitlab-app/src/webhook.rs.

| GitLab event | Handler | What it triggers |
|---|---|---|
| Merge Request Hook | `services/gitlab-app/src/webhook.rs::handle_merge_request` | Frontier-LLM finder + fix-verification review on every MR open / sync. Inline MR comments + Suggested Change attached to the diff thread. |
| Push Hook | `services/gitlab-app/src/webhook.rs::handle_push` | Per-commit scan on protected branches — backfills coverage for direct pushes that bypass the MR flow (R-GITLAB-PARITY P5.T1). |
| Note Hook | `services/gitlab-app/src/webhook.rs::handle_note` | Reads `/securie <verb>` chat commands posted as MR notes — re-scan, dismiss, mark as known-good (R-GITLAB-PARITY P5.T2). |
| System Hook | `services/gitlab-app/src/webhook.rs::handle_system` | Project install/uninstall under a self-managed GitLab — equivalent of GitHub's installation.created (R-GITLAB-PARITY P5.T3). |
| Pipeline Hook | `services/gitlab-app/src/webhook.rs::handle_pipeline` | Correlates failed GitLab CI pipelines back to the originating SecurityRun so the engineer-loop's runtime-aware planner can react (R-GITLAB-PARITY P5.T4). |

Install

  1. Visit gitlab.com/-/profile/applications when your group is enabled and create the Securie OAuth application (or install Securie's pre-registered app from the GitLab Application Marketplace)
  2. Grant scopes: read_repository, read_user, api (needed for MR comments + DSSE attestation upload + check-run status)
  3. Authorize Securie on the GitLab groups + projects you want covered
  4. Push any commit — findings and repair comments appear on the MR within 60-180 seconds, same SLA as the GitHub side
  5. Click `Apply Suggestion` on any Securie repair comment to merge — same review shape as the GitHub `Commit suggestion`

[Screenshot: Securie inline review on a GitLab merge-request showing a Suggested Change for a Supabase RLS bypass, with sandbox-proof attestation badge]

Securie inline review on a GitLab merge-request — the Suggested Change carries the same DSSE envelope the GitHub side does.

Listed on

GitLab Application Marketplace