sork-queb 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42)
  1. package/README.md +757 -0
  2. package/dist/bin/sork.d.ts +3 -0
  3. package/dist/bin/sork.d.ts.map +1 -0
  4. package/dist/bin/sork.js +123 -0
  5. package/dist/bin/sork.js.map +1 -0
  6. package/dist/lib/agents/keeper.d.ts +16 -0
  7. package/dist/lib/agents/keeper.d.ts.map +1 -0
  8. package/dist/lib/agents/keeper.js +91 -0
  9. package/dist/lib/agents/keeper.js.map +1 -0
  10. package/dist/lib/agents/remediation.d.ts +10 -0
  11. package/dist/lib/agents/remediation.d.ts.map +1 -0
  12. package/dist/lib/agents/remediation.js +99 -0
  13. package/dist/lib/agents/remediation.js.map +1 -0
  14. package/dist/lib/agents/triage.d.ts +10 -0
  15. package/dist/lib/agents/triage.d.ts.map +1 -0
  16. package/dist/lib/agents/triage.js +62 -0
  17. package/dist/lib/agents/triage.js.map +1 -0
  18. package/dist/lib/fixers/codeFixer.d.ts +14 -0
  19. package/dist/lib/fixers/codeFixer.d.ts.map +1 -0
  20. package/dist/lib/fixers/codeFixer.js +134 -0
  21. package/dist/lib/fixers/codeFixer.js.map +1 -0
  22. package/dist/lib/index.d.ts +9 -0
  23. package/dist/lib/index.d.ts.map +1 -0
  24. package/dist/lib/index.js +8 -0
  25. package/dist/lib/index.js.map +1 -0
  26. package/dist/lib/orchestrator.d.ts +19 -0
  27. package/dist/lib/orchestrator.d.ts.map +1 -0
  28. package/dist/lib/orchestrator.js +175 -0
  29. package/dist/lib/orchestrator.js.map +1 -0
  30. package/dist/lib/security/scanner.d.ts +18 -0
  31. package/dist/lib/security/scanner.d.ts.map +1 -0
  32. package/dist/lib/security/scanner.js +287 -0
  33. package/dist/lib/security/scanner.js.map +1 -0
  34. package/dist/lib/types/index.d.ts +75 -0
  35. package/dist/lib/types/index.d.ts.map +1 -0
  36. package/dist/lib/types/index.js +5 -0
  37. package/dist/lib/types/index.js.map +1 -0
  38. package/dist/lib/utils/logger.d.ts +13 -0
  39. package/dist/lib/utils/logger.d.ts.map +1 -0
  40. package/dist/lib/utils/logger.js +35 -0
  41. package/dist/lib/utils/logger.js.map +1 -0
  42. package/package.json +52 -0
package/README.md ADDED
@@ -0,0 +1,757 @@
1
+ ## What is SORK?
2
+
3
+ SORK automates your entire vulnerability lifecycle on GitLab Duo Agent Platform. Three AI agents work in sequence — **Triage** analyzes and dismisses false positives, **Remediation** generates code fixes and opens merge requests, **Keeper** verifies the fix passed security scans. Hours of manual work, done in minutes.
4
+
5
+ > *"SORK turns every GitLab security scan from a to-do list into a done list."*
6
+
7
+ ---> Made by Bhargav Kalambhe
8
+
9
+
10
+ ## The Problem
11
+
12
+ AI tools have made writing code **10x faster**. But that speed created a new bottleneck — the **AI Paradox**:
13
+
14
+ ```
15
+ More code written
16
+
17
+
18
+ More security scan findings
19
+
20
+
21
+ More manual triage needed ◄── This is where teams get stuck
22
+
23
+
24
+ More patches to write
25
+
26
+
27
+ More fixes to verify
28
+
29
+
30
+ Security backlog grows faster than teams can clear it
31
+ ```
32
+
33
+ Every vulnerability finding requires a developer to stop feature work, investigate the finding, decide if it's real, write a fix, open an MR, and wait for verification. **This takes 30-60 minutes per vulnerability.** Multiply by dozens of findings across multiple projects — security becomes the biggest drag on delivery speed.
34
+
35
+ **SORK eliminates this entire loop.**
36
+
37
+ ---
38
+
39
+ ## How SORK Works
40
+
41
+ ### The Name = The Architecture
42
+
43
+ Each letter in **SORK** maps directly to a capability:
44
+
45
+ ```
46
+ S ─── Security ──────── SORK Triage Agent ─── Analyze & classify threats
47
+ O ─── Orchestration ─┐
48
+ ├─ SORK Remediation Agent ─── Generate fixes & open MRs
49
+ R ─── Remediation ───┘
50
+ K ─── Keeping ───────── SORK Keeper Agent ─── Verify fixes & maintain security
51
+ ```
52
+
53
+ ### End-to-End Flow
54
+
55
+ ```
56
+ ┌─────────────────────────────────────────────────────────────────────┐
57
+ │ │
58
+ │ S O R K │
59
+ │ Security Orchestration, Remediation & Keeping │
60
+ │ │
61
+ │ ┌───────────────┐ │
62
+ │ │ TRIGGER │ │
63
+ │ │ │ │
64
+ │ │ • Pipeline │ │
65
+ │ │ security │ │
66
+ │ │ scan done │ │
67
+ │ │ │ │
68
+ │ │ • @mention │ │
69
+ │ │ in issue │ │
70
+ │ │ or MR │ │
71
+ │ └───────┬───────┘ │
72
+ │ │ │
73
+ │ ▼ │
74
+ │ ┌───────────────────────────────────────────────────────────┐ │
75
+ │ │ │ │
76
+ │ │ 🔍 AGENT 01: SORK TRIAGE [S] │ │
77
+ │ │ │ │
78
+ │ │ Responsibilities: │ │
79
+ │ │ • Pull full list of detected vulnerabilities │ │
80
+ │ │ • Read source code where each vuln was found │ │
81
+ │ │ • Assess reachability — is the code path used? │ │
82
+ │ │ • Dismiss false positives with documented reasoning │ │
83
+ │ │ • Confirm real threats with severity + CWE reference │ │
84
+ │ │ • Create prioritized triage report issue │ │
85
+ │ │ │ │
86
+ │ │ Tools: List Vulnerabilities · Get Vulnerability Details │ │
87
+ │ │ Dismiss Vulnerability · Confirm Vulnerability │ │
88
+ │ │ Read File · Grep · Create Issue · Link Vulnerability │ │
89
+ │ │ │ │
90
+ │ │ Output: "SORK Security Triage Report" issue │ │
91
+ │ │ │ │
92
+ │ └──────────────────────┬────────────────────────────────────┘ │
93
+ │ │ │
94
+ │ ▼ │
95
+ │ ┌───────────────────────────────────────────────────────────┐ │
96
+ │ │ │ │
97
+ │ │ 🔧 AGENT 02: SORK REMEDIATION [O+R] │ │
98
+ │ │ │ │
99
+ │ │ Responsibilities: │ │
100
+ │ │ • Read vulnerable files with full context │ │
101
+ │ │ • Search for other instances of same pattern │ │
102
+ │ │ • Generate the smallest possible fix │ │
103
+ │ │ • Follow project's existing code style │ │
104
+ │ │ • Create branch, commit fix, open merge request │ │
105
+ │ │ • Link all addressed vulnerabilities to the MR │ │
106
+ │ │ │ │
107
+ │ │ Tools: Read File · Edit File · Create Commit │ │
108
+ │ │ Create Merge Request · Link Vulnerability To MR │ │
109
+ │ │ Grep · Find Files · Run Command · CI Linter │ │
110
+ │ │ │ │
111
+ │ │ Output: Fix merge request with linked vulns │ │
112
+ │ │ │ │
113
+ │ └──────────────────────┬────────────────────────────────────┘ │
114
+ │ │ │
115
+ │ ▼ │
116
+ │ ┌───────────────────────────────────────────────────────────┐ │
117
+ │ │ │ │
118
+ │ │ ✅ AGENT 03: SORK KEEPER [K] │ │
119
+ │ │ │ │
120
+ │ │ Responsibilities: │ │
121
+ │ │ • Monitor the fix MR's CI/CD pipeline │ │
122
+ │ │ • Wait for security scans to re-run │ │
123
+ │ │ • Verify original vulns no longer appear │ │
124
+ │ │ • Check that no new vulns were introduced │ │
125
+ │ │ • Post verification report on the MR │ │
126
+ │ │ • Update triage issue with final outcome │ │
127
+ │ │ │ │
128
+ │ │ Tools: Get Merge Request · Get Pipeline Errors │ │
129
+ │ │ Get Job Logs · List Security Findings │ │
130
+ │ │ Create Merge Request Note · List Vulnerabilities │ │
131
+ │ │ │ │
132
+ │ │ Output: Verification report — SAFE TO MERGE / NOT │ │
133
+ │ │ │ │
134
+ │ └───────────────────────────────────────────────────────────┘ │
135
+ │ │
136
+ └─────────────────────────────────────────────────────────────────────┘
137
+ ```
138
+
139
+ ### Pipeline Flow (Simplified)
140
+
141
+ ```
142
+ SCAN TRIAGE REMEDIATE VERIFY DONE
143
+ │ │ │ │ │
144
+ ▼ ▼ ▼ ▼ ▼
145
+ ┌─────┐ ┌──────────┐ ┌─────────┐ ┌─────────┐ ┌──────┐
146
+ │ 15 │ │ 4 false │ │ Fix MR │ │ Pipeline│ │ 0 │
147
+ │vulns│───▶│ 3 real │───▶│ created │───▶│ passed │───▶│vulns │
148
+ │found│ │ 8 review │ │ 3 fixed │ │ verified│ │ left │
149
+ └─────┘ └──────────┘ └─────────┘ └─────────┘ └──────┘
150
+ ```
151
+
152
+ ---
153
+
154
+ ## Daily Impact
155
+
156
+ ```
157
+ ┌──────────────────────────────────────────────────────────────────┐
158
+ │ │
159
+ │ WITHOUT SORK │ WITH SORK │
160
+ │ │ │
161
+ │ 09:00 Push code │ 09:00 Push code │
162
+ │ 09:15 15 vulns found │ 09:15 15 vulns found │
163
+ │ 09:20 Stop feature work │ 09:15 SORK activates │
164
+ │ 09:25 Start investigating... │ 09:20 8 false positives │
165
+ │ 10:00 First vuln resolved │ dismissed │
166
+ │ 10:30 Second vuln resolved │ 09:22 3 fixes generated │
167
+ │ 11:00 Third vuln, writing fix │ 09:25 MR opened │
168
+ │ 11:30 Open MR, wait pipeline │ 09:35 Pipeline verified ✓ │
169
+ │ 12:00 Lunch. 0 features done. │ 09:36 Review MR → merge │
170
+ │ │ 09:40 Back to feature work │
171
+ │ TIME: 3+ hours │ TIME: 5 minutes │
172
+ │ FEATURES: 0 │ FEATURES: Full day │
173
+ │ │ │
174
+ └──────────────────────────────────────────────────────────────────┘
175
+ ```
176
+
177
+ ---
178
+
179
+ ## Agents in Detail
180
+
181
+ ### 🔍 SORK Triage — Agent 01 `[S]`
182
+
183
+ The first line of defense. Analyzes every vulnerability and separates real threats from noise.
184
+
185
+ **What it does:**
186
+
187
+ - Pulls all detected vulnerabilities from the pipeline
188
+ - Reads the actual source code at each vulnerability location
189
+ - Assesses reachability — is the vulnerable code path used in production?
190
+ - Dismisses false positives with documented reasoning
191
+ - Confirms real threats with severity ratings and CWE references
192
+ - Creates a summary issue: **SORK Security Triage Report**
193
+
194
+ **14 Tools:**
195
+ `List Vulnerabilities` · `Get Vulnerability Details` · `Get Security Finding Details` · `Dismiss Vulnerability` · `Confirm Vulnerability` · `Revert To Detected Vulnerability` · `Update Vulnerability Severity` · `Read File` · `Read Files` · `Create Issue` · `Create Issue Note` · `Link Vulnerability To Issue` · `Grep` · `Find Files`
196
+
197
+ **Example Output:**
198
+ ```
199
+ ╔══════════════════════════════════════════════════════╗
200
+ ║ SORK SECURITY TRIAGE REPORT ║
201
+ ╠══════════════════════════════════════════════════════╣
202
+ ║ ║
203
+ ║ Scan: Pipeline #4821 ║
204
+ ║ Total findings: 12 ║
205
+ ║ ║
206
+ ║ CONFIRMED ────────────────────────────── 3 found ║
207
+ ║ ║
208
+ ║ [CRITICAL] CVE-2024-1029 ║
209
+ ║ SQL Injection in auth.py:42 ║
210
+ ║ → User input directly concatenated into query ║
211
+ ║ → Code path reachable via /api/login endpoint ║
212
+ ║ ║
213
+ ║ [CRITICAL] CWE-798 ║
214
+ ║ Hardcoded API key in config.py:15 ║
215
+ ║ → Production API key committed to source ║
216
+ ║ → Key is actively used in payment processing ║
217
+ ║ ║
218
+ ║ [HIGH] CVE-2024-3841 ║
219
+ ║ XSS in templates/user.html:8 ║
220
+ ║ → User input rendered without sanitization ║
221
+ ║ → Accessible to unauthenticated users ║
222
+ ║ ║
223
+ ║ DISMISSED ────────────────────────────── 4 cleared ║
224
+ ║ ║
225
+ ║ [DISMISSED] CVE-2023-1234 ║
226
+ ║ lodash prototype pollution ║
227
+ ║ → Reason: lodash imported but pollutable methods ║
228
+ ║ are never called with user-controlled input ║
229
+ ║ ║
230
+ ║ [DISMISSED] CVE-2023-5678 ║
231
+ ║ axios SSRF vulnerability ║
232
+ ║ → Reason: axios only used for internal API calls ║
233
+ ║ with hardcoded URLs, no user input in URL params ║
234
+ ║ ║
235
+ ║ [DISMISSED] CWE-327 ║
236
+ ║ Weak cryptographic algorithm ║
237
+ ║ → Reason: MD5 usage found in test file only ║
238
+ ║ (test_helpers.py), not in production code ║
239
+ ║ ║
240
+ ║ [DISMISSED] CWE-22 ║
241
+ ║ Path traversal in file handler ║
242
+ ║ → Reason: Input is validated by sanitize_path() ║
243
+ ║ at line 38 before reaching file open at line 52 ║
244
+ ║ ║
245
+ ║ NEEDS REVIEW ─────────────────────────── 5 pending ║
246
+ ║ ║
247
+ ║ Recommended remediation order: ║
248
+ ║ 1. CVE-2024-1029 (Critical — exploitable SQLi) ║
249
+ ║ 2. CWE-798 (Critical — exposed production key) ║
250
+ ║ 3. CVE-2024-3841 (High — public-facing XSS) ║
251
+ ║ ║
252
+ ║ — SORK Triage 🔍 ║
253
+ ╚══════════════════════════════════════════════════════╝
254
+ ```
255
+
256
+ ---
257
+
258
+ ### 🔧 SORK Remediation — Agent 02 `[O+R]`
259
+
260
+ The fix engine. Generates targeted code patches for every confirmed vulnerability.
261
+
262
+ **What it does:**
263
+
264
+ - Reads the vulnerable file with full context (imports, functions, data flow)
265
+ - Searches for other instances of the same vulnerability pattern
266
+ - Generates the smallest possible fix — no unnecessary refactoring
267
+ - Follows the project's existing code style
268
+ - Creates a branch, commits the fix, opens a merge request
269
+ - Links all addressed vulnerabilities to the MR
270
+
271
+ **15 Tools:**
272
+ `Read File` · `Read Files` · `Get Repository File` · `Find Files` · `Grep` · `Edit File` · `Create File With Contents` · `Create Merge Request` · `Create Merge Request Note` · `Create Commit` · `Link Vulnerability To Merge Request` · `Create Vulnerability Issue` · `Run Command` · `CI Linter` · `Get Issue`
273
+
274
+ **Example Fix:**
275
+ ```diff
276
+ # auth.py — SORK Fix for CVE-2024-1029 (SQL Injection)
277
+
278
+ - def get_user(user_id):
279
+ - query = f"SELECT * FROM users WHERE id = {user_id}"
280
+ - cursor.execute(query)
281
+ + def get_user(user_id):
282
+ + # SORK: Fixed CWE-89 — Use parameterized query to prevent SQL injection
283
+ + query = "SELECT * FROM users WHERE id = ?"
284
+ + cursor.execute(query, (user_id,))
285
+ return cursor.fetchone()
286
+ ```
287
+
288
+ ```diff
289
+ # config.py — SORK Fix for CWE-798 (Hardcoded Secret)
290
+
291
+ - API_KEY = "sk-proj-abc123realkey456"
292
+ - DB_PASSWORD = "admin123"
293
+ + import os
294
+ + # SORK: Fixed CWE-798 — Move secrets to environment variables
295
+ + API_KEY = os.environ.get("API_KEY")
296
+ + DB_PASSWORD = os.environ.get("DB_PASSWORD")
297
+ ```
298
+
299
+ **Example Merge Request:**
300
+ ```
301
+ ╔══════════════════════════════════════════════════════╗
302
+ ║ MERGE REQUEST !247 ║
303
+ ╠══════════════════════════════════════════════════════╣
304
+ ║ ║
305
+ ║ Title: SORK: Fix critical vulnerabilities ║
306
+ ║ in auth.py and config.py ║
307
+ ║ ║
308
+ ║ Branch: sork/fix-cve-2024-1029-cwe-798 ║
309
+ ║ ║
310
+ ║ Vulnerabilities addressed: ║
311
+ ║ • CVE-2024-1029 (Critical) — SQL injection ║
312
+ ║ auth.py:42 → parameterized query ║
313
+ ║ • CWE-798 (Critical) — Hardcoded API key ║
314
+ ║ config.py:15 → environment variables ║
315
+ ║ • CVE-2024-3841 (High) — XSS ║
316
+ ║ templates/user.html:8 → escaped output ║
317
+ ║ ║
318
+ ║ Changes: 3 files modified, 12 lines changed ║
319
+ ║ ║
320
+ ║ Testing recommendations: ║
321
+ ║ • Verify login flow still works (auth.py change) ║
322
+ ║ • Set API_KEY and DB_PASSWORD env vars in CI ║
323
+ ║ • Check user profile page renders correctly ║
324
+ ║ ║
325
+ ║ Linked: Triage Report #142 ║
326
+ ║ ║
327
+ ║ — SORK Remediation 🔧 ║
328
+ ╚══════════════════════════════════════════════════════╝
329
+ ```
330
+
331
+ ---
332
+
333
+ ### ✅ SORK Keeper — Agent 03 `[K]`
334
+
335
+ The verifier. Watches the fix pipeline and confirms vulnerabilities are resolved.
336
+
337
+ **What it does:**
338
+
339
+ - Monitors the fix MR's CI/CD pipeline
340
+ - Waits for security scans to re-run on the patched code
341
+ - Verifies original vulnerabilities no longer appear
342
+ - Checks that no new vulnerabilities were introduced
343
+ - Posts a verification report directly on the merge request
344
+
345
+ **13 Tools:**
346
+ `Get Merge Request` · `Get Pipeline Errors` · `Get Pipeline Failing Jobs` · `Get Job Logs` · `List Security Findings` · `List Merge Request Diffs` · `List All Merge Request Notes` · `Create Merge Request Note` · `Update Merge Request` · `List Vulnerabilities` · `Get Vulnerability Details` · `Create Issue Note` · `Get Issue`
347
+
348
+ **Example Verification Report:**
349
+ ```
350
+ ╔══════════════════════════════════════════════════════╗
351
+ ║ SORK VERIFICATION REPORT ✅ ║
352
+ ╠══════════════════════════════════════════════════════╣
353
+ ║ ║
354
+ ║ Merge Request: !247 ║
355
+ ║ Pipeline: #4835 — PASSED ║
356
+ ║ ║
357
+ ║ VULNERABILITY STATUS ║
358
+ ║ ───────────────────────────────────────── ║
359
+ ║ ✅ CVE-2024-1029 SQL Injection → RESOLVED ║
360
+ ║ ✅ CWE-798 Hardcoded Secret → RESOLVED ║
361
+ ║ ✅ CVE-2024-3841 XSS → RESOLVED ║
362
+ ║ ║
363
+ ║ REGRESSION CHECK ║
364
+ ║ ───────────────────────────────────────── ║
365
+ ║ New vulnerabilities introduced: 0 ║
366
+ ║ Existing tests: ALL PASSING ║
367
+ ║ Security scans: CLEAN ║
368
+ ║ ║
369
+ ║ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ║
370
+ ║ RECOMMENDATION: SAFE TO MERGE ✅ ║
371
+ ║ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ ║
372
+ ║ ║
373
+ ║ — SORK Keeper ✅ ║
374
+ ╚══════════════════════════════════════════════════════╝
375
+ ```
376
+
377
+ ---
378
+
379
+ ## Quick Start
380
+
381
+ ### Prerequisites
382
+
383
+ - GitLab Premium or Ultimate account
384
+ - GitLab Duo Agent Platform enabled ([setup guide](https://docs.gitlab.com/user/duo_agent_platform/))
385
+ - Security scanning templates in your CI/CD pipeline
386
+ - VS Code with [GitLab extension](https://marketplace.visualstudio.com/items?itemName=GitLab.gitlab-workflow) (v6.15.1+) or JetBrains IDE with GitLab plugin
387
+
388
+ ### Step 1 — Enable Security Scanning
389
+
390
+ Add this to your `.gitlab-ci.yml`:
391
+
392
+ ```yaml
393
+ include:
394
+ - template: Security/SAST.gitlab-ci.yml
395
+ - template: Security/Dependency-Scanning.gitlab-ci.yml
396
+ - template: Security/Secret-Detection.gitlab-ci.yml
397
+
398
+ stages:
399
+ - build
400
+ - test
401
+ - security
402
+ ```
403
+
404
+ ### Step 2 — Enable SORK Agents
405
+
406
+ 1. Go to **Explore → AI Catalog → Agents**
407
+ 2. Search for `SORK Triage` → click **Enable in group** → select your group
408
+ 3. Repeat for `SORK Remediation` and `SORK Keeper`
409
+ 4. In your project: **Automate → Agents** → enable all three
410
+
411
+ ### Step 3 — Add Project Configuration
412
+
413
+ Create `AGENTS.md` in your project root:
414
+
415
+ ```markdown
416
+ # SORK — Security Orchestration, Remediation & Keeping
417
+
418
+ ## Security Conventions
419
+ - All security fixes must include inline comments referencing CWE IDs
420
+ - Never suppress security warnings without documentation
421
+ - Prefer patched dependency versions over workarounds
422
+ - Fixes should be minimal — don't refactor unrelated code
423
+ - Hardcoded secrets must be replaced with environment variables
424
+ - Input validation must use allowlists, not blocklists
425
+ ```
426
+
427
+ Create `.gitlab/duo/mr-review-instructions.yaml`:
428
+
429
+ ```yaml
430
+ instructions:
431
+ - name: SORK Security Standards
432
+ fileFilters:
433
+ - "**/*.py"
434
+ - "**/*.js"
435
+ - "**/*.ts"
436
+ - "**/*.rb"
437
+ - "**/*.go"
438
+ - "**/*.java"
439
+ instructions: |
440
+ 1. Security fixes must include inline comments referencing CWE IDs
441
+ 2. Never suppress security warnings without documentation
442
+ 3. Prefer patched dependency versions over workarounds
443
+ 4. All fixes should be minimal — don't refactor unrelated code
444
+ 5. Hardcoded secrets must be replaced with environment variables
445
+ 6. Input validation must use allowlists, not blocklists
446
+ ```
447
+
448
+ ### Step 4 — Done
449
+
450
+ SORK activates automatically on your next pipeline security scan.
451
+
452
+ ### Usage
453
+
454
+ **Automatic** — Push code → pipeline runs → security scan completes → SORK activates
455
+
456
+ **Manual via @mention** — In any issue or MR:
457
+ ```
458
+ @sork-triage analyze all vulnerabilities in this project
459
+ ```
460
+
461
+ **Manual via Chat** — Open GitLab Duo Chat (Agentic mode):
462
+ ```
463
+ @SORK Triage — run a full vulnerability analysis on this project
464
+ ```
465
+
466
+ ---
467
+
468
+ ## Tech Stack
469
+
470
+ ### Architecture Diagram
471
+
472
+ ```
473
+ ┌──────────────────────────────────────────────────────────────────┐
474
+ │ GITLAB INSTANCE │
475
+ │ │
476
+ │ ┌────────────────┐ ┌──────────────────────────────────┐ │
477
+ │ │ │ │ GitLab Duo Agent Platform │ │
478
+ │ │ CI/CD │ │ │ │
479
+ │ │ Pipeline │ │ ┌──────────┐ ┌────────────┐ │ │
480
+ │ │ │ │ │ Anthropic │ │ AI Catalog │ │ │
481
+ │ │ ┌─────────┐ │ │ │ Claude │ │ │ │ │
482
+ │ │ │ SAST │ │ │ └─────┬────┘ └─────┬──────┘ │ │
483
+ │ │ │ DepScan │──│──────▶│ │ │ │ │
484
+ │ │ │ SecDet │ │ │ ▼ ▼ │ │
485
+ │ │ └─────────┘ │ │ ┌──────────────────────────┐ │ │
486
+ │ │ │ │ │ SORK FLOW │ │ │
487
+ │ └────────────────┘ │ │ │ │ │
488
+ │ │ │ ┌────────┐ │ │ │
489
+ │ │ │ │Triage │ │ │ │
490
+ │ │ │ │Agent 01│ │ │ │
491
+ │ │ │ └───┬────┘ │ │ │
492
+ │ │ │ │ │ │ │
493
+ │ │ │ ▼ │ │ │
494
+ │ │ │ ┌──────────┐ │ │ │
495
+ │ │ │ │Remediate │ │ │ │
496
+ │ │ │ │Agent 02 │ │ │ │
497
+ │ │ │ └───┬──────┘ │ │ │
498
+ │ │ │ │ │ │ │
499
+ │ │ │ ▼ │ │ │
500
+ │ │ │ ┌────────┐ │ │ │
501
+ │ │ │ │Keeper │ │ │ │
502
+ │ │ │ │Agent 03│ │ │ │
503
+ │ │ │ └────────┘ │ │ │
504
+ │ │ │ │ │ │
505
+ │ │ └──────────────────────────┘ │ │
506
+ │ │ │ │
507
+ │ └──────────────────────────────────┘ │
508
+ │ │ │
509
+ │ ▼ │
510
+ │ ┌────────────────┐ ┌──────────────────────────────────┐ │
511
+ │ │ │ │ │ │
512
+ │ │ Issues │ │ Merge Requests │ │
513
+ │ │ (Triage │ │ (Fix Patches + │ │
514
+ │ │ Reports) │ │ Verification Reports) │ │
515
+ │ │ │ │ │ │
516
+ │ └────────────────┘ └──────────────────────────────────┘ │
517
+ │ │
518
+ └──────────────────────────────────────────────────────────────────┘
519
+ ```
520
+
521
+ ### Stack Breakdown
522
+
523
+ | Layer | Technology | Role |
524
+ |-------|-----------|------|
525
+ | **Platform** | GitLab Duo Agent Platform | Hosts and runs all agents and flows |
526
+ | **AI Model** | Anthropic Claude | Powers all 3 agents (default in GitLab Duo) |
527
+ | **Agent Registry** | GitLab AI Catalog | Create, publish, and manage SORK agents |
528
+ | **Orchestration** | GitLab Flows | Chains agents: Triage → Remediation → Keeper |
529
+ | **CI/CD** | GitLab CI/CD + Runner | Runs security scans, triggers SORK, verifies fixes |
530
+ | **Security Scanning** | GitLab SAST | Finds code vulnerabilities (SQLi, XSS, etc.) |
531
+ | **Security Scanning** | GitLab Dependency Scanning | Finds CVEs in dependencies |
532
+ | **Security Scanning** | GitLab Secret Detection | Finds hardcoded secrets and keys |
533
+ | **Configuration** | YAML | Agent configs, flow configs, CI pipeline, review rules |
534
+ | **Documentation** | Markdown | AGENTS.md, README, system prompts |
535
+ | **Test Project** | Python + Flask | Sample vulnerable app for demonstration |
536
+ | **Containers** | Docker | Flow execution environment |
537
+
538
+ ### Tools Usage Map
539
+
540
+ ```
541
+ SORK TRIAGE (14 tools) SORK REMEDIATION (15 tools) SORK KEEPER (13 tools)
542
+ ────────────────────── ─────────────────────────── ─────────────────────
543
+ List Vulnerabilities Read File / Read Files Get Merge Request
544
+ Get Vulnerability Details Get Repository File Get Pipeline Errors
545
+ Get Security Finding Details Find Files Get Pipeline Failing Jobs
546
+ Dismiss Vulnerability Grep Get Job Logs
547
+ Confirm Vulnerability Edit File List Security Findings
548
+ Revert To Detected Create File With Contents List Merge Request Diffs
549
+ Update Vuln Severity Create Merge Request List All MR Notes
550
+ Read File / Read Files Create MR Note Create MR Note
551
+ Create Issue Create Commit Update Merge Request
552
+ Create Issue Note Link Vulnerability To MR List Vulnerabilities
553
+ Link Vulnerability To Issue Create Vulnerability Issue Get Vulnerability Details
554
+ Grep Run Command Create Issue Note
555
+ Find Files CI Linter Get Issue
556
+ Get Repository File Get Issue / List Issue Notes
557
+
558
+ Total unique tools used: 25+
559
+ ```
560
+
561
+ ---
562
+
563
+ ## Before & After
564
+
565
+ ```
566
+ ┌───────────────────────────────┬───────────────────────────────┐
567
+ │ WITHOUT SORK │ WITH SORK │
568
+ ├───────────────────────────────┼───────────────────────────────┤
569
+ │ │ │
570
+ │ Manual triage per vuln: │ Automated triage per vuln: │
571
+ │ 30-45 minutes │ 1-2 minutes │
572
+ │ │ │
573
+ │ False positive handling: │ False positive handling: │
574
+ │ Manual investigation │ Auto-dismissed with reason │
575
+ │ │ │
576
+ │ Fix writing: │ Fix writing: │
577
+ │ 30-60 minutes │ 2-5 minutes │
578
+ │ │ │
579
+ │ Fix verification: │ Fix verification: │
580
+ │ 15-30 minutes │ 2-3 minutes (automated) │
581
+ │ │ │
582
+ │ Full vuln lifecycle: │ Full vuln lifecycle: │
583
+ │ 2-4 hours │ 10-15 minutes │
584
+ │ │ │
585
+ │ Audit trail: │ Audit trail: │
586
+ │ Partial, manual │ Complete, automatic │
587
+ │ │ │
588
+ │ Developer time on security: │ Developer time on security: │
589
+ │ 3-5 hours/week │ 30 min/week (review only) │
590
+ │ │ │
591
+ │ Security backlog: │ Security backlog: │
592
+ │ Growing │ Cleared automatically │
593
+ │ │ │
594
+ └───────────────────────────────┴───────────────────────────────┘
595
+ ```
596
+
597
+ ---
598
+
599
+ ## Project Structure
600
+
601
+ ```
602
+ sork/
603
+
604
+ ├── README.md # This file
605
+ ├── LICENSE # MIT License
606
+ ├── AGENTS.md # Project-level agent instructions
607
+ ├── CHANGELOG.md # Version history
608
+ ├── CONTRIBUTING.md # Contribution guidelines
609
+
610
+ ├── .gitlab-ci.yml # CI/CD pipeline with security scanning
611
+
612
+ ├── .gitlab/
613
+ │ └── duo/
614
+ │ ├── agent-config.yml # SORK flow execution configuration
615
+ │ └── mr-review-instructions.yaml # Security-focused code review rules
616
+
617
+ ├── agents/
618
+ │ ├── sork-triage-prompt.md # Triage agent system prompt
619
+ │ ├── sork-remediation-prompt.md # Remediation agent system prompt
620
+ │ └── sork-keeper-prompt.md # Keeper agent system prompt
621
+
622
+ ├── assets/
623
+ │ ├── sork-logo.png # SORK logo (full)
624
+ │ └── sork-avatar.png # SORK logo (square avatar)
625
+
626
+ ├── test-project/
627
+ │ ├── app.py # Flask app with intentional vulns
628
+ │ ├── config.py # Hardcoded secrets (for testing)
629
+ │ ├── requirements.txt # Outdated dependencies with CVEs
630
+ │ └── templates/
631
+ │ └── user.html # XSS-vulnerable template
632
+
633
+ └── docs/
634
+ ├── architecture.md # Detailed architecture documentation
635
+ ├── tech-stack.md # Full technology stack details
636
+ └── demo-script.md # Demo video recording script
637
+ ```
638
+
639
+ ---
640
+
641
+ ## Use Cases
642
+
643
+ ### 1. Weekly Security Sweep
644
+ Your team runs scans weekly. Without SORK, security engineer spends Monday morning triaging 40+ findings. With SORK, they arrive to 3 ready-to-merge MRs and a clean triage report.
645
+
646
+ ### 2. Compliance Audit
647
+ Auditor asks: "Show me how you handle vulnerabilities." With SORK, open any project — every finding has a documented triage decision, a linked fix MR, and a verification report. Complete audit trail.
648
+
649
+ ### 3. Critical CVE Response
650
+ A critical CVE drops. Trigger SORK across all projects. It identifies which are actually affected, generates patches, and verifies fixes — hours instead of days.
651
+
652
+ ### 4. Developer Onboarding
653
+ Junior dev pushes code with a security flaw. SORK catches it immediately, generates the secure pattern as a fix, and the developer learns the correct approach from SORK's patch.
654
+
655
+ ---
656
+
657
+ ## Demo
658
+
659
+ <p align="center">
660
+ <a href="YOUR_YOUTUBE_LINK_HERE">
661
+ <img src="https://img.shields.io/badge/▶_Watch_Full_Demo_(3_min)-YouTube-white?style=for-the-badge&labelColor=000000" alt="Watch Demo"/>
662
+ </a>
663
+ </p>
664
+
665
+ **What you'll see:**
666
+
667
+ | Timestamp | Scene |
668
+ |-----------|-------|
669
+ | 0:00 | SORK project overview |
670
+ | 0:15 | The problem — 12 vulnerabilities in security dashboard |
671
+ | 0:35 | SORK Triage — analyzing, dismissing false positives, confirming threats |
672
+ | 1:10 | SORK Remediation — generating fixes, opening merge request |
673
+ | 1:50 | SORK Keeper — verifying pipeline passed, posting report |
674
+ | 2:25 | Results — before/after security dashboard comparison |
675
+ | 2:50 | Closing — project built on GitLab Duo + Anthropic Claude |
676
+
677
+ ---
678
+
679
+ ## Future Roadmap
680
+
681
+ ```
682
+ v1.0 (Current — Hackathon)
683
+ ├── Three custom agents: Triage, Remediation, Keeper
684
+ ├── Flow orchestration: Triage → Fix → Verify
685
+ ├── Auto-trigger on pipeline security scan completion
686
+ └── Manual trigger via @mention and Chat
687
+
688
+ v1.1 (Planned)
689
+ ├── Multi-project scanning across GitLab groups
690
+ ├── Severity-based routing (critical = immediate, medium = batched)
691
+ └── Custom dismissal rules per project
692
+
693
+ v2.0 (Vision)
694
+ ├── Pattern learning from historical dismissals
695
+ ├── Compliance report generation (SOC 2, ISO 27001)
696
+ ├── MCP integration (Jira, Slack, PagerDuty notifications)
697
+ └── Security posture scoring per project
698
+ ```
699
+
700
+ ---
701
+
702
+ ## Hackathon
703
+
704
+ **Competition:** [GitLab Duo Agent Platform Challenge](https://gitlab.devpost.com)
705
+
706
+ **Category:** Most Impactful on GitLab & Anthropic
707
+
708
+ **Team:**
709
+
710
+ | Member | Role | Responsibility |
711
+ |--------|------|---------------|
712
+ | [Your Name] | Architect | Agent design, flow orchestration, system prompts |
713
+ | [Teammate A] | Lab Builder | Test infrastructure, vulnerability scenarios, demo video |
714
+ | [Teammate B] | Documenter | README, Devpost submission, compliance, documentation |
715
+
716
+ ---
717
+
718
+ ## Built With
719
+
720
+ `GitLab Duo Agent Platform` · `Anthropic Claude` · `GitLab AI Catalog` · `GitLab Flows` · `GitLab CI/CD` · `GitLab SAST` · `GitLab Dependency Scanning` · `GitLab Secret Detection` · `Python` · `Flask` · `Docker` · `YAML`
721
+
722
+ ---
723
+
724
+ ## License
725
+
726
+ This project is licensed under the [MIT License](LICENSE).
727
+
728
+ ```
729
+ MIT License
730
+
731
+ Copyright (c) 2026 SORK Team
732
+
733
+ Permission is hereby granted, free of charge, to any person obtaining a copy
734
+ of this software and associated documentation files (the "Software"), to deal
735
+ in the Software without restriction, including without limitation the rights
736
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
737
+ copies of the Software, and to permit persons to whom the Software is
738
+ furnished to do so, subject to the following conditions:
739
+
740
+ The above copyright notice and this permission notice shall be included in
741
+ all copies or substantial portions of the Software.
742
+
743
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
744
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
745
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
746
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
747
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
748
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
749
+ SOFTWARE.
750
+ ```
751
+
752
+ ---
753
+
754
+ <p align="center">
755
+ <strong>S O R K</strong><br>
756
+ Security Orchestration, Remediation & Keeping<br><br>
757
+ <em>Keeping your code secure — automatically.
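Review bot: In the CWE-798 example fix for config.py (README lines 291-296), `os.environ.get("API_KEY")` returns `None` when the variable is unset, so a misconfigured deployment starts with empty credentials instead of failing at startup, and the example never says that the key already committed must be rotated. Suggest `os.environ["API_KEY"]` (or an explicit check that raises) and one sentence stating that removing the literal from the file does not remove it from git history, so the exposed key has to be revoked. The SQL injection in the project's own auth.py:42 is labelled CVE-2024-1029 in the triage report and MR, while the fix comment on line 282 calls it CWE-89; use the CWE for first-party code findings so the report and the patch agree. The figures are also inconsistent: Pipeline Flow shows 4 false positives out of 15 while Daily Impact shows 8 dismissed, and Daily Impact states "TIME: 5 minutes" for a timeline that runs from 09:15 to 09:40. Before publishing, fill in the placeholders at lines 660 and 712-714 (`YOUR_YOUTUBE_LINK_HERE`, `[Your Name]`, `[Teammate A]`, `[Teammate B]`), and document the `dist/bin/sork.js` entry point and `dist/lib` modules listed in the changed files, which Quick Start and Project Structure never mention.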