AI security guardrail | 2026
ReachGate
A vulnerability-reachability triage tool that checks whether a scanner finding can actually be reached from an application's entry points.
Project snapshot
- Type: AI security guardrail
- Period: 2026
- Source: GitLab Transcend Hackathon 2026
Problem
Security scanners can mark many findings as critical without proving that the vulnerable code is reachable. ReachGate turns that question into an auditable graph search with deterministic verdicts.
Outcomes
- Built a 14,000-line hackathon tool with 422 tests
- Reduced noisy scanner findings by proving actual reachability
- Kept verdicts auditable through signed artifacts and offline verification
What I built
- Bounded BFS over GitLab Orbit code graph data
- Reachability verdicts for vulnerable code paths
- Deterministic rule engine where AI only explains the result
- UNKNOWN verdict when a search exceeds its budget
- OpenVEX and SARIF exports for security tooling
- sha256 manifest generation
- Optional Ed25519 signature support
- Offline verifier that needs no token and no network
- CLI workflow for local checks
- GitLab CI merge request bot with duplicate-comment prevention
- GitLab Duo AI agent integration over the Orbit MCP server
- 422-test suite for the core behavior
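As an added illustration of the bounded-search verdict described above (example code, not ReachGate's own): a BFS from the application's entry points that answers REACHABLE, NOT_REACHABLE, or UNKNOWN when the expansion budget runs out before either can be proven. The call graph, function names and the `budget` parameter are constructed assumptions, not taken from the project.

```python
from collections import deque
from enum import Enum


class Verdict(str, Enum):
    REACHABLE = "REACHABLE"          # a path from an entry point was found
    NOT_REACHABLE = "NOT_REACHABLE"  # the whole reachable set was explored
    UNKNOWN = "UNKNOWN"              # budget ran out before either was proven


def reachability(graph, entry_points, target, budget):
    """Bounded BFS from all entry points at once.

    Each node expansion costs one unit of budget. NOT_REACHABLE is only
    returned when the frontier is exhausted within budget, so a verdict is
    never a guess: running out of budget yields UNKNOWN, not a false negative.
    Returns (verdict, path) where path is the witness for REACHABLE.
    """
    visited = set(entry_points)
    queue = deque((ep, [ep]) for ep in entry_points)
    expanded = 0
    while queue:
        if expanded >= budget:
            return Verdict.UNKNOWN, None
        node, path = queue.popleft()
        expanded += 1
        if node == target:
            return Verdict.REACHABLE, path
        for callee in graph.get(node, ()):
            if callee not in visited:
                visited.add(callee)
                queue.append((callee, path + [callee]))
    return Verdict.NOT_REACHABLE, None


# Constructed sample call graph (assumption: keys are function ids, values are
# direct callees). Only "api.upload" reaches the flagged "yaml.unsafe_load"
# sink; "cli.dump" also calls it but is not an entry point of the service.
CALL_GRAPH = {
    "api.upload": ["parse_config"],
    "api.health": ["db.ping"],
    "parse_config": ["yaml.unsafe_load"],
    "cli.dump": ["yaml.unsafe_load"],
    "db.ping": [],
}

if __name__ == "__main__":
    for entries, budget in ([["api.upload", "api.health"], 50],
                            [["api.health"], 50],
                            [["api.upload", "api.health"], 2]):
        print(entries, budget, reachability(CALL_GRAPH, entries, "yaml.unsafe_load", budget))
```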
Tech stack
Python, GitLab Orbit graph API, BFS, GitLab CI/CD, OpenVEX, SARIF, Ed25519, MCP, pytest
Private client work
This project is described as a case study because the client implementation is not published as a public repository.