Inspiration
Compliance violations in code are one of the most expensive problems in software—a single exposed credential or HIPAA violation can cost millions. Yet most teams still rely on manual code reviews to catch these issues, which means violations slip through at the worst possible time. We asked: what if every merge request was automatically analyzed against your compliance policies, and critical violations triggered an immediate phone call?
What it does
GitGuard is an AI-powered compliance monitoring agent that plugs directly into GitLab CI/CD pipelines. It analyzes every merge request diff against your organization's compliance policies (SOC2, HIPAA, PCI-DSS, GDPR, or custom policies) using Claude's advanced reasoning capabilities.
Violations are routed based on severity:
- LOW → Inline MR comment with policy citation and fix suggestion
- MEDIUM → MR comment + auto-created GitLab issue for tracking
- CRITICAL → MR comment + GitLab issue + live phone call to the developer via Vapi AI
The voice escalation is powered by Claude—when a developer receives a critical violation call, they can respond with natural language commands like "Revert it," "Flag for review," or "Approve with exception," and GitGuard executes those actions through the GitLab API in real time.
How we built it
GitGuard is built as a zero-config CI scanner—a single Python file (gitguard_scan.py) that drops into any GitLab repository alongside a .gitlab-ci.yml configuration. The core analysis engine uses several advanced Anthropic API features:
- Extended Thinking (10,000 token budget) for transparent, step-by-step compliance reasoning
- Document Citations to reference exact policy clause text in every finding
- PDF Support for native analysis of uploaded SOC2/HIPAA/PCI-DSS documents
- Structured Outputs with a two-pass approach: deep thinking first, then guaranteed JSON schema compliance reports
- Tool Use to orchestrate GitLab API actions (comments, issues, reverts) and Vapi API (phone calls)
The backend is Python 3.11 with FastAPI, using async SQLite for audit logging. Voice escalation uses Vapi AI with a Claude-powered assistant that understands compliance context and can execute remediation actions via voice commands.
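The second pass of the two-pass approach described above only guarantees that the report is well-formed JSON; it does not guarantee that every finding cites a clause that really exists in the uploaded policy. The following added example (not GitGuard's own code) shows the kind of post-check a pipeline can run on the structured report before any finding is routed: it validates the shape of each finding and rejects any whose cited text is not a verbatim substring of the referenced clause. The report schema, the field names, the policy clauses and the sample model output are all constructed for this example.

```python
"""Post-validation of a structured compliance report (added example, not GitGuard code).

Assumes the first pass (extended thinking) produced a JSON report with a
"findings" list shaped like FINDING_FIELDS, and that the policy text is
available locally keyed by clause id. All data below is constructed.
"""
import json

SEVERITIES = ("LOW", "MEDIUM", "CRITICAL")

# Assumed shape of one finding in the structured-output pass.
FINDING_FIELDS = {
    "severity": str,
    "policy_id": str,
    "cited_text": str,
    "file": str,
    "line": int,
    "summary": str,
    "fix": str,
}

# Constructed policy clauses, standing in for an uploaded SOC2/HIPAA/PCI-DSS PDF.
POLICY_CLAUSES = {
    "DP-3": "Secrets such as API keys, passwords and tokens must never be committed to source control.",
    "AC-1": "Production database access must use short-lived credentials issued by the identity provider.",
}

# Constructed model output: the second finding carries an unknown severity and a
# citation that does not appear in clause AC-1.
RAW_REPORT = json.dumps({
    "findings": [
        {"severity": "CRITICAL", "policy_id": "DP-3",
         "cited_text": "must never be committed to source control",
         "file": "config/settings.py", "line": 12,
         "summary": "Hard-coded database password", "fix": "Load it from a masked CI variable"},
        {"severity": "HIGH", "policy_id": "AC-1",
         "cited_text": "credentials must rotate every 90 days",
         "file": "db/conn.py", "line": 4,
         "summary": "Long-lived database user", "fix": "Use IdP-issued credentials"},
    ]
})


def validate_finding(finding, policy_clauses):
    """Return the list of problems with one finding; an empty list means accepted."""
    problems = []
    for field, typ in FINDING_FIELDS.items():
        if field not in finding:
            problems.append(f"missing field {field}")
        elif not isinstance(finding[field], typ) or isinstance(finding[field], bool):
            problems.append(f"field {field} has wrong type")
    if problems:
        return problems
    if finding["severity"] not in SEVERITIES:
        problems.append(f"unknown severity {finding['severity']}")
    clause = policy_clauses.get(finding["policy_id"])
    if clause is None:
        problems.append(f"unknown policy id {finding['policy_id']}")
    elif finding["cited_text"] not in clause:
        # The citation must be a verbatim substring of the real clause; anything
        # else is treated as a hallucinated citation and the finding is rejected.
        problems.append("cited_text not found verbatim in policy clause")
    return problems


def validate_report(raw_json, policy_clauses):
    """Parse the model's JSON report and split findings into accepted and rejected."""
    try:
        report = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return {"accepted": [], "rejected": [{"error": f"invalid JSON: {exc}"}]}
    if not isinstance(report, dict) or not isinstance(report.get("findings"), list):
        return {"accepted": [], "rejected": [{"error": "report must contain a findings list"}]}
    accepted, rejected = [], []
    for finding in report["findings"]:
        if isinstance(finding, dict):
            problems = validate_finding(finding, policy_clauses)
        else:
            problems = ["finding is not an object"]
        if problems:
            rejected.append({"finding": finding, "problems": problems})
        else:
            accepted.append(finding)
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(validate_report(RAW_REPORT, POLICY_CLAUSES), indent=2))
```

Rejected findings should still be written to the audit log; a finding that fails the citation check is a signal about the model's output quality, not something to silently drop.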
GitGuard also integrates natively with the GitLab Duo Agent Platform as a Duo Agent, Duo Flow, and Duo Chat slash command skill.
Challenges we ran into
Designing the severity routing system required careful thought: we needed to strike a balance between being too aggressive (calling developers for minor style issues) and too passive (letting critical violations slip through as comments). We solved this with configurable severity thresholds and a built-in default compliance policy framework covering Access Control, Data Protection, Security Controls, Audit & Monitoring, and Privacy & Regulatory categories.
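The severity routing table (LOW, MEDIUM, CRITICAL) and the configurable thresholds mentioned here are straightforward to express as a small policy object plus a routing function. The following added example (not GitGuard's own code) does that: the defaults match the routing described above, a policy whose thresholds decrease from comment to issue to call is rejected as a misconfiguration, duplicate findings at the same location are collapsed, and all call-worthy findings on one merge request are batched into a single call. The RoutingPolicy field names, action names and sample findings are assumptions for this example.

```python
"""Severity routing with configurable thresholds (added example, not GitGuard code).

Assumes findings have already been validated and carry a severity of LOW,
MEDIUM or CRITICAL. Field names and sample data are constructed for the example.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "CRITICAL": 2}


@dataclass(frozen=True)
class RoutingPolicy:
    """Lowest severity at which each channel fires.

    Defaults follow the routing on the page: comment at LOW, issue at MEDIUM,
    phone call at CRITICAL."""
    comment_at: str = "LOW"
    issue_at: str = "MEDIUM"
    call_at: str = "CRITICAL"

    def __post_init__(self):
        for name in (self.comment_at, self.issue_at, self.call_at):
            if name not in SEVERITY_RANK:
                raise ValueError(f"unknown severity threshold {name!r}")
        # Calling for LOW while only opening issues for MEDIUM is a misconfiguration.
        ranks = [SEVERITY_RANK[self.comment_at], SEVERITY_RANK[self.issue_at], SEVERITY_RANK[self.call_at]]
        if ranks != sorted(ranks):
            raise ValueError("thresholds must not decrease from comment to issue to call")


def policy_is_valid(**kwargs):
    """True if RoutingPolicy(**kwargs) would be accepted."""
    try:
        RoutingPolicy(**kwargs)
        return True
    except ValueError:
        return False


def route_findings(mr_id, findings, policy=RoutingPolicy()):
    """Build the action plan for one merge request.

    Each finding gets a comment and/or an issue according to the thresholds;
    call-worthy findings are batched so a diff with five exposed secrets
    produces one phone call, not five."""
    plan = {"comments": [], "issues": [], "calls": []}
    seen = set()
    call_worthy = []
    for f in findings:
        rank = SEVERITY_RANK[f["severity"]]  # KeyError here means the report was not validated
        key = (f["policy_id"], f["file"], f["line"])
        if key in seen:
            continue  # same clause at the same location reported twice
        seen.add(key)
        if rank >= SEVERITY_RANK[policy.comment_at]:
            plan["comments"].append({"mr": mr_id, "file": f["file"], "line": f["line"],
                                     "body": f"{f['severity']} {f['policy_id']}: {f['summary']}. Fix: {f['fix']}"})
        if rank >= SEVERITY_RANK[policy.issue_at]:
            plan["issues"].append({"mr": mr_id, "title": f"[{f['severity']}] {f['policy_id']}: {f['summary']}"})
        if rank >= SEVERITY_RANK[policy.call_at]:
            call_worthy.append(f)
    if call_worthy:
        plan["calls"].append({"mr": mr_id, "findings": call_worthy})
    return plan


# Constructed findings for one merge request; the last one duplicates the third.
SAMPLE_FINDINGS = [
    {"severity": "LOW", "policy_id": "AM-2", "file": "app/api.py", "line": 40,
     "summary": "Request log omits the caller identity", "fix": "Log the authenticated user id"},
    {"severity": "MEDIUM", "policy_id": "AC-1", "file": "db/conn.py", "line": 4,
     "summary": "Long-lived database user", "fix": "Use IdP-issued short-lived credentials"},
    {"severity": "CRITICAL", "policy_id": "DP-3", "file": "config/settings.py", "line": 12,
     "summary": "Hard-coded database password", "fix": "Load it from a masked CI variable"},
    {"severity": "CRITICAL", "policy_id": "DP-3", "file": "config/settings.py", "line": 12,
     "summary": "Hard-coded database password", "fix": "Load it from a masked CI variable"},
]

if __name__ == "__main__":
    for label, policy in (("default", RoutingPolicy()), ("strict", RoutingPolicy(issue_at="LOW", call_at="MEDIUM"))):
        plan = route_findings(42, SAMPLE_FINDINGS, policy)
        print(label, {k: len(v) for k, v in plan.items()})
```

The plan is data rather than side effects on purpose: it can be logged to the audit store before any GitLab or Vapi call is made, which is what an auditor will ask for when a call was (or was not) placed.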
Another challenge was making voice interactions feel natural while maintaining strict action boundaries. We implemented a constrained action set for voice commands to prevent unintended operations while still feeling conversational.
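One way to implement the constrained action set for voice commands, as an added example that is not GitGuard's own code: the transcribed utterance is matched against a closed list of whole-phrase patterns, so "Revert it" is accepted while "revert it and delete the branch" or "don't revert it" is refused; every accepted action is bound to the merge request the call was placed about, the responder's number must match the developer dialled, and every decision is audit-logged. The GitLab client interface, the label name, the phone numbers and the sample utterances are assumptions for this example.

```python
"""Constrained voice-command interpretation (added example, not GitGuard code).

Assumes the voice layer delivers the transcript, the number that answered and
the MR the call was placed about. The GitLab client below is a stand-in that
records calls; names and sample data are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# The only actions a voice command may trigger. Anything else is refused.
ALLOWED_ACTIONS = ("revert", "flag_for_review", "approve_with_exception")

# Whole-utterance patterns: the anchors make "don't revert it" and
# "revert it and delete the branch" fail to match rather than partially match.
PATTERNS = (
    (re.compile(r"^(?:please\s+)?revert(?:\s+it)?[.!]?$", re.I), "revert"),
    (re.compile(r"^(?:please\s+)?flag(?:\s+it)?\s+for\s+review[.!]?$", re.I), "flag_for_review"),
    (re.compile(r"^(?:please\s+)?approve(?:\s+it)?\s+with\s+(?:an\s+)?exception[.!]?$", re.I),
     "approve_with_exception"),
)


@dataclass
class CallContext:
    mr_id: int
    developer_phone: str  # number dialled for this escalation
    answered_phone: str   # number the voice platform reports as the responder


@dataclass
class FakeGitLab:
    """Stand-in for the GitLab API client; records what would have been called."""
    calls: list = field(default_factory=list)

    def revert_mr(self, mr_id):
        self.calls.append(("revert", mr_id))

    def add_label(self, mr_id, label):
        self.calls.append(("label", mr_id, label))

    def approve_mr(self, mr_id, note):
        self.calls.append(("approve", mr_id, note))


def parse_command(utterance):
    """Map a transcript to an allowed action name, or None if it matches nothing."""
    text = " ".join(utterance.split())
    for pattern, action in PATTERNS:
        if pattern.match(text):
            return action
    return None


def handle_voice_command(ctx, utterance, gitlab, audit):
    """Execute at most one allowed action against ctx.mr_id and record the decision."""
    action = parse_command(utterance)
    entry = {"mr": ctx.mr_id, "utterance": utterance, "action": action}
    if ctx.answered_phone != ctx.developer_phone:
        entry.update(status="refused", reason="responder is not the developer this call was placed to")
    elif action is None or action not in ALLOWED_ACTIONS:
        entry.update(status="refused", reason="utterance does not match an allowed command")
    else:
        # The target is always the MR the call was opened for; the utterance
        # cannot name a different MR, project or branch.
        if action == "revert":
            gitlab.revert_mr(ctx.mr_id)
        elif action == "flag_for_review":
            gitlab.add_label(ctx.mr_id, "compliance::needs-review")
        else:
            gitlab.approve_mr(ctx.mr_id, "approved with compliance exception by voice")
        entry.update(status="executed")
    audit.append(entry)
    return entry


if __name__ == "__main__":
    ctx = CallContext(mr_id=42, developer_phone="+15550100", answered_phone="+15550100")
    gl, log = FakeGitLab(), []
    for said in ("Revert it", "revert it and delete the branch", "Flag for review."):
        print(handle_voice_command(ctx, said, gl, log)["status"], "->", gl.calls)
```

Because the matcher is a closed allowlist rather than a free-form intent classifier, adding a new voice action is a code change that goes through review, which is the point: the model can propose, but only pre-approved actions can run.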
Accomplishments that we're proud of
- End-to-end automation: From MR diff to phone call to remediation action, all without human intervention
- Transparent reasoning: Extended Thinking shows exactly WHY something violates policy, not just that it does
- Policy citations: Every finding references the exact compliance clause, making audit trails effortless
- Zero-config deployment: Drop two files into any GitLab repo and compliance scanning is live
What we learned
Building GitGuard taught us how powerful Claude's Extended Thinking and Citations features are for compliance use cases. The ability to show transparent reasoning chains makes AI-generated compliance reports actually trustworthy—auditors can see the exact logic path. We also learned that voice as an escalation channel dramatically changes developer behavior around critical violations compared to notifications that get ignored.
What's next for GitGuard
- Pattern memory across repositories: Track repeat violations and most-violated policies across an organization
- Custom policy learning: Fine-tune detection based on an organization's specific codebase patterns
- Slack/Teams integration: Add more escalation channels beyond voice
- Compliance dashboard analytics: Trend analysis for violation patterns over time
- Multi-language support: Expand beyond English for global compliance teams
Built With
- anthropic
- html
- neon
- netlify
- vapi