Inspiration

We’ve all been there—facing SOC-2 or internal audits under tight deadlines, juggling static scanners, manual reviews, and endless checklists. We realized that compliance and code quality checks are often an afterthought, delayed until it’s too late. AuditFlow AI was born from the idea of making compliance proactive, automated, and developer-friendly—bringing AI into the workflow to catch violations early and often.

What it does

AuditFlow AI connects to your GitLab repository, scans the codebase on demand or during CI/CD events, and performs automated checks for:

  • SOC-2 and OWASP compliance
  • Secure coding principles
  • Code maintainability and style violations
  • AI-generated summaries and risk scores

It then generates detailed reports, control-level insights, and suggestions for remediation—making it easy for devs, auditors, and managers to stay aligned.

How we built it

  • Backend: FastAPI app deployed on Google Cloud Run handles repository scans, parses files to ASTs, performs diffs, and runs compliance rule checks using LLMs.
  • Frontend: Built with Next.js and hosted on Firebase. Displays dashboards, scan history, violation breakdowns, and risk scores.
  • AI Layer: Used Gemini with structured prompts and function-calling to generate consistent, actionable output.
  • Storage: Used Google Cloud Storage for AST caching, Pinecone for vector search, and MongoDB Atlas for metadata and reports.
  • CI/CD: GitLab pushes trigger re-scan jobs and roll out deploy updates with zero downtime.

Challenges we ran into

  • TLS/SSL handshake issues with MongoDB Atlas on Cloud Run.
  • Ensuring cold-start readiness and proper PORT binding on Cloud Run.
  • Chunking large codebases efficiently for LLM input.
  • Designing structured JSON schemas for AI-generated rule enforcement.
  • Avoiding full repo re-scans with smart diffing and file hashing.

Accomplishments that we're proud of

  • Successfully integrated AI into a real-time compliance pipeline.
  • Deployed a robust system that auto-scales and maintains performance.
  • Created a modular rule framework that supports new standards and updates.
  • Built a frontend UI that’s simple, fast, and informative for developers.

What we learned

  • How to combine AST parsing, vector embeddings, and LLMs for static analysis.
  • Efficient ways to chunk, diff, and cache file scans to save time and tokens.
  • Best practices for Google Cloud Run, GCS, and secure multi-service deployment.
  • Designing reliable prompts that return structured JSON output for downstream use.
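As an added illustration of the hashing, diffing and chunking points raised under "Challenges we ran into" and "What we learned" (example code written for this page, not AuditFlow AI's own backend): a content-hash manifest from the previous scan decides which files are new or modified, only those are split into line-numbered chunks for the LLM, and each chunk carries the file hash so a finding stays pinned to the exact file version it was produced from. The sample repository contents and the 100-line chunk size are constructed assumptions.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample data: the manifest cached after the previous scan and the
# files present at the current commit (path -> file bytes).
CACHED_MANIFEST = {
    "app/auth.py": hashlib.sha256(b"def login(u, p):\n    return check(u, p)\n").hexdigest(),
    "app/db.py": hashlib.sha256(b"import sqlite3\n").hexdigest(),
    "app/old.py": hashlib.sha256(b"# removed since last scan\n").hexdigest(),
}
CURRENT_FILES = {
    "app/auth.py": b"def login(u, p):\n    return check(u, p)\n",          # unchanged
    "app/db.py": b"import sqlite3\nconn = sqlite3.connect('x.db')\n",      # modified
    "app/new.py": b"\n".join(b"x = %d" % i for i in range(250)) + b"\n",  # added, 250 lines
}

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """One SHA-256 per file: the key for skipping unchanged files and for caching ASTs."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_manifests(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files by hash comparison so only added/changed ones are sent to the LLM."""
    return {
        "added": sorted(p for p in new if p not in old),
        "changed": sorted(p for p in new if p in old and old[p] != new[p]),
        "removed": sorted(p for p in old if p not in new),
    }

def chunk_source(text: str, max_lines: int = 100) -> List[Tuple[int, int, str]]:
    """Split a file into line-bounded chunks, keeping 1-based line ranges for findings."""
    lines = text.splitlines()
    return [(i + 1, min(i + max_lines, len(lines)), "\n".join(lines[i:i + max_lines]))
            for i in range(0, len(lines), max_lines)]

def plan_scan(old: Dict[str, str], files: Dict[str, bytes], max_lines: int = 100) -> Dict:
    """Return the incremental work list plus the manifest to cache once the scan succeeds."""
    new = build_manifest(files)
    delta = diff_manifests(old, new)
    jobs = []
    for path in delta["added"] + delta["changed"]:
        for start, end, body in chunk_source(files[path].decode("utf-8", "replace"), max_lines):
            jobs.append({"path": path, "sha256": new[path], "lines": [start, end], "text": body})
    return {"delta": delta, "jobs": jobs, "manifest": new}

if __name__ == "__main__":
    plan = plan_scan(CACHED_MANIFEST, CURRENT_FILES)
    print(json.dumps({"delta": plan["delta"], "jobs": len(plan["jobs"])}, indent=2))
```

Findings for files listed under "removed" can be closed out without any LLM call, and the returned manifest should only replace the cached one after the scan completes, so a failed run does not silently skip files next time.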

What's next for AuditFlow AI

  • Extend rules to include GDPR, HIPAA, ISO-27001, and NIST checks.
  • Add Slack and email alerting for violations.
  • Let users define custom rules with natural language and AI assistance.
  • Launch audit-ready PDF exports and SOC dashboard summaries.

AuditFlow AI is just getting started—our goal is to make code compliance effortless, intelligent, and continuous.
