Codex AI ✦ — The Living Guardian for Bitbucket
Inspiration
Security in modern software development is often reactive: we find out about exposed secrets or vulnerabilities only after the code is merged, or worse, after a breach. We were inspired by the concept of "Shift Left" security, but we wanted to push it further: what if the repository itself was alive and aware? We envisioned a system that doesn't just scan code but understands the intent behind changes, acting as an intelligent partner that catches mistakes (like hardcoded API keys or sensitive file commits) the moment they happen, effectively "guarding" the codebase in real-time.
What it does
Codex AI is an intelligent security companion embedded directly into Bitbucket. It acts as an omnipresent guardian that:
- Monitors Real-time: Instantly scans every Pull Request, commit, and comment.
- Detects Threats: Identifies 14+ types of secrets (AWS keys, Stripe tokens) and vulnerable dependencies (CVEs).
- Understands Context: Uses Google Gemini 2.5 Flash to analyze why a change was made, not just what changed, providing human-like summaries and risk assessments.
- Manages Lifecycle: Tracks issues from detection to resolution with a dedicated state machine, ensuring nothing gets lost in the noise.
- Collaborates: Features an interactive chat bot (@codex) that developers can query directly in PR comments for instant feedback.
How we built it
We architected Codex AI as a serverless event-driven application using the Atlassian Forge platform.
- Core Engine: Built on Node.js, harnessing the avi:bitbucket:created:pullrequest and avi:bitbucket:repo:push triggers to initiate immediate scans.
- Intelligence Layer: We integrated Google Gemini 2.5 Flash via the external fetch API to perform semantic analysis of code diffs, generating risk scores and quality metrics.
- State Management: We utilized Forge Storage to build a custom issue tracking system that persists security findings across sessions, allowing us to calculate real-time "Health Scores" for the repository.
- Frontend: The dashboard was crafted using React and Atlaskit, ensuring a seamless, native look and feel within the Bitbucket UI, optimized for dark mode visibility.
- Security Logic: We implemented a custom regex engine for high-performance secret detection, capable of diffing removed vs. added lines to automatically resolve issues when fixed.
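An added example, not Codex AI's own code, of the detect-and-resolve logic described under Security Logic and Manages Lifecycle: a small rule set is run over the added and removed lines of a unified diff, a secret on an added line opens a finding, and the same secret on a removed line (not re-added in the same diff) resolves it. The rule regexes, the diff handling and the sample values are assumptions for the demo.

```javascript
// Added example (not Codex AI's own code): secret detection over a unified diff,
// opening a finding when a secret is ADDED and resolving it when that secret
// line is REMOVED. Rules and sample input are constructed for the demo.

// Detector rules: type -> regex. The AWS shape follows the documented "AKIA..." key id
// format; the Stripe shape is an assumption about the key prefix, not a full spec.
const RULES = [
  { type: 'aws_access_key_id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { type: 'stripe_secret_key', re: /\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b/ },
  { type: 'private_key_block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Parse a unified diff into added/removed lines, each tagged with its file.
function parseDiff(diffText) {
  const added = [], removed = [];
  let file = null;
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) { file = raw.slice(4).replace(/^b\//, ''); continue; }
    if (raw.startsWith('--- ') || raw.startsWith('@@') || raw.startsWith('diff ')) continue;
    if (raw.startsWith('+')) added.push({ file, text: raw.slice(1) });
    else if (raw.startsWith('-')) removed.push({ file, text: raw.slice(1) });
  }
  return { added, removed };
}

// Run every rule over a set of lines. A finding is keyed by file + rule + matched value,
// so the same secret committed in another file counts as a separate finding.
function findSecrets(lines) {
  const out = new Map();
  for (const { file, text } of lines)
    for (const { type, re } of RULES) {
      const m = re.exec(text);
      if (m) out.set(`${file}|${type}|${m[0]}`, { key: `${file}|${type}|${m[0]}`, file, type });
    }
  return [...out.values()];
}

// Lifecycle step: findings on added lines open issues; a matching secret on removed lines
// that is not re-added in the same diff resolves an open issue (a moved line stays open).
function reconcile(openIssues, diffText) {
  const { added, removed } = parseDiff(diffText);
  const addedFindings = findSecrets(added);
  const addedKeys = new Set(addedFindings.map(f => f.key));
  const removedKeys = new Set(findSecrets(removed).map(f => f.key));
  const resolved = openIssues.filter(i => removedKeys.has(i.key) && !addedKeys.has(i.key));
  const stillOpen = openIssues.filter(i => !resolved.includes(i));
  const opened = addedFindings.filter(f => !stillOpen.some(i => i.key === f.key));
  return { open: [...stillOpen, ...opened], opened, resolved };
}
```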
Challenges we faced
- Infinite Event Loops: Our bot's actions (updating PR titles) triggered new webhooks, creating potential infinite loops. We engineered a dual-layer defense system that tracks analyzed commit hashes and filters self-generated events.
- LLM Determinism: Getting consistent JSON output from Generative AI was tricky. We solved this through rigorous prompt engineering and a robust parsing layer with regex fallbacks.
- Forge Sandbox Constraints: The iframe environment restricted our ability to use certain CSS injection techniques. We refactored our frontend to use inline styles and native Atlaskit primitives to maintain visual fidelity without violating CSP.
- Rate Limiting: To prevent API quotas from halting development, we built a "graceful degradation" system that falls back to regex-based static analysis if the AI service becomes unavailable.
What we learned
We gained a deep appreciation for the power of the Atlassian Forge ecosystem, specifically how seamless it is to bridge backend logic with frontend UI. We also learned that "security" isn't just about finding bugs; it's about the developer experience. By adding an interactive chat and clear, actionable dashboards, we transformed security from a blocker into a helpful teammate.
Built With
- atlaskit
- atlassian-forge
- bitbucket-api
- forge-storage
- google-gemini-api
- javascript
- node.js
- react
- regex