The diff looked harmless
A teammate changes a function's return type. bool becomes dict.
Looks like a minor improvement — more detail in the response, why not?
Three files away, that one-line change quietly breaks payment validation.
This is the exact scenario I built Tripwire to catch.
What Tripwire does
Tripwire is a GitLab Duo agent + custom flow built on GitLab Orbit —
GitLab's knowledge graph that maps real relationships across your
codebase, not just file contents.
Assign Tripwire as a reviewer on any merge request, and it:
- Traces the actual dependency chain of every changed function
- Finds downstream callers that aren't even part of the diff
- Checks for open security findings in those code paths
- Posts a structured risk report directly on the MR
- Suggests who should actually review it, based on code ownership
No chat window. No copy-pasting a prompt. Assign it like a teammate,
and it runs.
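To make the "callers that aren't part of the diff" idea concrete, here is an added, stand-alone illustration that is not Tripwire's code (Tripwire gets this from the Orbit graph, not from parsing source). It uses Python's ast module over three constructed modules that mirror the notifications → payments → validation chain, builds a caller graph, and reports every transitive caller of a changed function whose file is not in the MR. The module contents, function names and the report shape are all assumptions for the example:

```python
"""Find downstream callers of a changed function that sit outside the diff.

Added example, not Tripwire's implementation. The three modules below are
constructed to mirror the post's chain; real codebases need import
resolution far beyond the `from X import Y` handling shown here.
"""
import ast
from typing import Dict, List, Set

# Constructed stand-ins for validation.py, payments.py and notifications.py.
SOURCES: Dict[str, str] = {
    "validation.py": (
        "def validate_card(card_number):\n"
        "    return card_number.isdigit() and len(card_number) in (15, 16)\n"
    ),
    "payments.py": (
        "from validation import validate_card\n"
        "def process_payment(card_number, amount):\n"
        "    if validate_card(card_number):\n"
        "        return 'charged'\n"
        "    return 'rejected'\n"
    ),
    "notifications.py": (
        "from payments import process_payment\n"
        "def notify_and_charge(card_number, amount):\n"
        "    return process_payment(card_number, amount)\n"
    ),
}


def build_call_graph(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return {qualified callee: {qualified callers}} across all modules."""
    callers_of: Dict[str, Set[str]] = {}
    for filename, src in sources.items():
        module = filename[:-3]
        tree = ast.parse(src, filename=filename)

        # Resolve `from X import Y as Z` so a bare call name maps to X.Y.
        imported: Dict[str, str] = {}
        for node in tree.body:
            if isinstance(node, ast.ImportFrom) and node.module:
                for alias in node.names:
                    imported[alias.asname or alias.name] = f"{node.module}.{alias.name}"
        local = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}

        for fn in tree.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            caller = f"{module}.{fn.name}"
            for node in ast.walk(fn):
                if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
                    name = node.func.id
                    target = imported.get(name) or (f"{module}.{name}" if name in local else None)
                    if target:
                        callers_of.setdefault(target, set()).add(caller)
    return callers_of


def downstream_callers(graph: Dict[str, Set[str]], changed: str) -> List[str]:
    """Transitive closure: every function whose behaviour can depend on `changed`."""
    seen: List[str] = []
    stack = [changed]
    while stack:
        current = stack.pop()
        for caller in sorted(graph.get(current, ())):
            if caller not in seen:
                seen.append(caller)
                stack.append(caller)
    return seen


def risk_report(sources: Dict[str, str], changed: str, changed_files: Set[str]) -> Dict[str, List[str]]:
    """Flag transitive callers that live in files the MR did not touch."""
    callers = downstream_callers(build_call_graph(sources), changed)
    outside = [c for c in callers if c.split(".", 1)[0] + ".py" not in changed_files]
    return {"changed": [changed], "callers": callers, "outside_diff": outside}


if __name__ == "__main__":
    # The MR from the post changes only validation.py.
    print(risk_report(SOURCES, "validation.validate_card", {"validation.py"}))
```

Both process_payment and notify_and_charge land in outside_diff even though the MR touched only validation.py, which is exactly the blind spot a diff-only review has.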
The bug it actually caught
I built a tiny test codebase with a real dependency chain:
notifications.py → payments.py → validation.py
Then I opened an MR that changed validate_card()'s return type from
bool to dict. The MR looked clean. One file changed. Reasonable-looking diff.
Tripwire flagged it CRITICAL and said: don't merge this.
Here's why. In Python, any non-empty dict is truthy — regardless
of what's inside it. So this code:
    if validate_card(card_number):
        process_payment(...)
...now always evaluates to True. Even for an invalid card. Silently.
No exception. No test failure unless you specifically assert on the
return type. Just a payment that should have been rejected, going
through anyway.
It also caught a second, smaller issue I hadn't even been thinking
about: the new logic only accepts 16-digit cards. American Express
(15 digits) got silently dropped, with zero mention in the MR description.
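The two findings above, reproduced as an added example (not the post's test codebase): the pre-MR and post-MR validate_card side by side, the untouched caller that relies on truthiness, and a hardened caller that reads the flag explicitly. The Luhn check, the "reason" field and the function names are assumptions made for the example; the card numbers are the standard publicly known test numbers:

```python
"""bool -> dict return type: why a truthiness check silently passes bad cards.

Added example. validate_card_old / validate_card_new and both callers are
constructed to show the post's two findings; not Tripwire's test codebase.
"""
from typing import Callable, Dict, Union

Result = Union[bool, Dict[str, Union[bool, str]]]


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so that 'invalid card' means something concrete."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card_old(card_number: str) -> bool:
    """Pre-MR behaviour: 15 or 16 digits plus a passing checksum."""
    return card_number.isdigit() and len(card_number) in (15, 16) and luhn_ok(card_number)


def validate_card_new(card_number: str) -> Dict[str, Union[bool, str]]:
    """Post-MR behaviour: richer result, but quietly 16-digit only."""
    if not card_number.isdigit() or len(card_number) != 16:
        return {"valid": False, "reason": "must be 16 digits"}
    if not luhn_ok(card_number):
        return {"valid": False, "reason": "checksum failed"}
    return {"valid": True, "reason": ""}


def caller_truthiness(validate: Callable[[str], Result], card_number: str) -> str:
    """The downstream caller in payments.py that the MR never touched.

    With the old bool this is correct; with the new dict the branch is
    always taken, because any non-empty dict is truthy.
    """
    if validate(card_number):
        return "processed"
    return "rejected"


def caller_explicit(validate: Callable[[str], Result], card_number: str) -> str:
    """Hardened caller: read the flag rather than relying on truthiness."""
    result = validate(card_number)
    is_valid = result["valid"] if isinstance(result, dict) else bool(result)
    return "processed" if is_valid else "rejected"


if __name__ == "__main__":
    bad_visa = "4111111111111112"   # 16 digits, checksum fails
    amex = "378282246310005"        # 15 digits, checksum passes
    for name, fn in (("old", validate_card_old), ("new", validate_card_new)):
        print(name, "truthiness:", caller_truthiness(fn, bad_visa),
              "explicit:", caller_explicit(fn, bad_visa),
              "amex:", caller_explicit(fn, amex))
```

The first finding is caller_truthiness returning "processed" for an invalid card once the dict is in play; the second is that even the hardened caller rejects a valid 15-digit card under the new logic, which is the Amex regression and is only visible if a test exercises that length.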
Building on a beta platform means assumptions break constantly
Half of what I assumed going in turned out to be wrong:
- There's no merge_request:opened trigger (yet) — flows trigger on mention, assignment, or being assigned as reviewer
- Custom agents aren't defined in a repo file — they're created through the AI Catalog UI directly
- Orbit's API isn't a set of clean REST routes per resource type — it's one generic graph query endpoint
Every one of these required throwing out an assumption and rebuilding
against what the platform actually does, not what seemed like the
obvious design.
Try it
Built for the GitLab Transcend Hackathon, powered by GitLab Orbit.