Published on: July 16, 2026
4 min read
Use AI-driven security reasoning to detect authorization gaps, business-logic errors, and race conditions while code is still under review.

Static scanners excel at catching vulnerabilities that fit a known pattern, like unsanitized query inputs, hardcoded secrets, and unsafe deserialization. They struggle against flaws in your application’s logic, where there is no pattern to match — only valid code doing the wrong thing for your domain. Undetected, these flaws surface late and cost more to fix.
Security Review Flow, now in public beta, scrutinizes code changes the way a security engineer would. It traces intent rather than matching signatures to catch logic flaws before they hit production. It's a major step toward uncovering dangerous flaws that scanners usually miss.
The most damaging application vulnerabilities often look correct line by line, but violate context the code doesn't contain, like your authorization model, data sensitivity rules, and intended workflows. Consider three of the most common vulnerability classes:
Access and authorization: Whether a user may read or change a resource is defined by your authorization model, not any language construct. Broken object level authorization (accessing another user's data by changing an ID) has topped the OWASP API Security Top 10 since 2019.
Data exposure: Serializing an object and returning it is ordinary, correct-looking code. Whether it leaks depends on which fields are sensitive and who receives them — facts about your domain, not your syntax.
Control flow and workflow: Business-logic and race-condition flaws occur when valid operations run in the wrong order, repeat unexpectedly, or get manipulated. Examples include checkout reachable without payment, a state re-entered under a race, or a parameter tweaked to change a price.
Catching these flaws has previously required manual security review, which is expensive to scale across every merge request (MR), or penetration testing and bug bounties, which arrive too late. The result is a growing gap between the pace of development and how quickly security expertise can be applied.
Security Review Flow, a foundational flow on GitLab Duo Agent Platform, closes that gap by reasoning about what your code is meant to do. It detects exactly the classes of flaws described above: Broken object level authorization and function level authorization, missing authorization on state-changing operations, information disclosure, mass assignment, business logic errors, and race conditions in stateful workflows.
It complements traditional scanners and human analysis rather than replacing them, and it reviews code at the point of change, when a fix is cheapest. GitLab's own application security team has used Security Review Flow across internal MRs throughout its development.
See Security Review Flow in action:
When your MR is ready, request a review from Duo Security Review, the same way you would from a person. It analyzes the diff in context: the original files, changed lines, MR discussion, and related code. Its reasoning is optimized for precision, and an independent validation pass examines each finding to filter out likely false positives.
Findings appear as diff threads on the relevant lines, along with a summary in an internal note. On public projects, they’re confined to the internal note, so security details aren’t exposed.
Each finding arrives with the context reviewers need:
Severity determines the reviewer state: A critical or high finding sets it to Request changes, while medium or low findings result in Comment. The flow never approves, even when it finds nothing — a human always owns the final call.
From there, mention your organization’s Duo Security Review service account in a comment thread to ask a question, discuss remediation, or challenge a finding. Resolve each finding by applying the fix as a standard MR suggestion, dismissing it as a false positive, or accepting the risk. After committing your fixes, request a fresh review to check what changed.
Security Review Flow is in public beta for GitLab Ultimate customers. It is available on GitLab.com, GitLab Self-Managed, and GitLab Dedicated.
Learn how to get started in the Security Review Flow documentation.
You can get access to Security Review Flow with a free trial of GitLab Duo Agent Platform. Already a GitLab Ultimate subscriber? Turn on Duo Agent Platform and use the GitLab Credits included with your subscription.
Cost varies with the complexity of the diff and the model you select, so try it on a few MRs before running it broadly. Pricing may be updated at general availability.
Share what you find in our feature feedback issue, so your input shapes what we build.
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback