Inspiration
The inspiration for GitGuard AI stems from the inherent friction teams experience during production deployment workflows:
- Human Oversight & Fatigue: Security vulnerabilities, bad patterns, and hidden credentials regularly slip past tired human reviewers during late-night code merges.
- Disconnected Data Silos: Traditional static scanners lack the semantic understanding of full code contexts, and their logs are lost in temporary CI run histories rather than tracked durably.
- The LLM "Black Box" Problem: While AI helps automate code reviews, teams lack observability into how those models execute, what properties they predict, and why they fail or hallucinate.
We wanted to build an intelligent, high-fidelity Merge Request Agent that acts as an elite, automated cyber-auditor. By combining the conversational scanning intelligence of Google's Gemini models, the robust persistence of MongoDB Atlas, and the contextual tracing power of Arize AI Phoenix, we closed the loop between automation, compliance storage, and continuous model health evaluation.
What it does
GitGuard AI intercepts GitLab Merge Request diffs, performs high-fidelity semantic audits, and coordinates a multi-tier integration pipeline:
- Intelligent Cyber-Audits: Reads multi-file branch differences and checks for critical vulnerabilities like SQL injections, race conditions, and compromised production API keys.
- Structured Review Generation: Auto-writes clear Markdown reviews complete with side-by-side corrected diff recommendations and developer instructions.
- Persistent Logging & Audit Compliance: Synchronizes and archives all structured review outcomes directly to a MongoDB Atlas cluster for long-term audit log tracking.
- Interactive Operator Dashboard: Features a beautiful dark UI designed in Inter and JetBrains Mono with preset vulnerability scenarios, a dynamic live terminal log simulation, and schema review boards.
How we built it
We implemented a full-stack architecture optimized for enterprise reliability and seamless developer exploration:
- Frontend Showcase: Crafted an immersive, high-contrast dashboard in React 19 and Tailwind CSS. The UI contains interactive file selectors, customizable security threshold sliders, and real-time tabs rendering GitLab Comments, raw MongoDB BSON payloads, and Arize logging metadata.
- Backend Core: Developed a modular Express.js proxy on port `3000` executing under the Node.js runtime environment. All third-party secrets (Gemini API key, database credentials) are secured server-side.
- Structured AI Inference: Leveraged the official `@google/genai` TypeScript SDK to target `gemini-3.5-flash` or `gemini-2.5-flash` models constrained by a rigid JSON schema declaration (`responseSchema`) to guarantee 100% pipeline reliability.
- OTel Instrumenter: Designed a customized `instrumentation.ts` engine configured to route OpenTelemetry spans dynamically based on environmental contexts, supporting both local Arize Phoenix workspace traces and remote Arize Enterprise OTLP endpoints.
- Self-Contained Bundling: Configured `esbuild` to compile our TypeScript backend into a target `dist/server.js` production package, resolving relative ES-module imports smoothly inside Cloud Run environments.
Challenges we ran into
During the deep-tier development phase, we resolved two highly technical hurdles:
- During diagnostic pipeline execution, the connection to the user's MongoDB Atlas cluster failed in the connection/write phases. It threw a severe network error: `MongoServerSelectionError: SSL routines:ssl3_read_bytes:tlsv1 alert internal error (SSL alert number 80)`
- Tracing calls from the backend OpenTelemetry HTTP exporter (`OTLPTraceExporter`) to Arize were rejected with: `Arize API rejected with status 403: {"code":7, "message":"invalid api-key", "details":[]}`
Accomplishments that we're proud of
- Reliable Arize Ingestion: Achieved 200 OK trace logging states dynamically feeding into Arize Enterprise's OTLP engine.
- Zero Hallucination Pipeline: Achieved absolute structured payload stability under Gemini inference using raw TypeScript interfaces directly mapped to the model's native JSON schema constraints.
- Highly Fluid Workspace Fallback: Programmed an interactive fallback simulation preset compiler. If users run GitGuard AI with unconfigured credentials, the platform seamlessly loads comprehensive, realistic vulnerability code structures, enabling immediate testing of the full dashboard experience.
What we learned
- Native Type Definitions are Essential: Bypassing manual regex LLM parsers in favor of SDK-native JSON rules increases system robustness by orders of magnitude.
- Observability is the Core of Agentic UX: Having continuous OpenTelemetry insight into latency distribution and confidence rates makes debugging autonomous LLM workflows clear and scientific.
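A server-side check that complements the `responseSchema` constraint and the typed-output lesson above, as an added example rather than GitGuard AI's own code: it re-validates the model's JSON before it is archived or posted, and also rejects findings that cite files absent from the diff. The field names (`findings`, `severity`, `file`, `line`, `title`) and the sample data are assumptions made for illustration.

```typescript
// Hypothetical review shape for illustration; not GitGuard AI's actual schema.
interface Finding { severity: string; file: string; line: number; title: string }
interface ParseResult { findings: Finding[]; errors: string[] }
const SEVERITIES = ["critical", "high", "medium", "low"];
const FINDING_KEYS = ["severity", "file", "line", "title"];

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Validate raw model text before it is stored or posted as an MR comment.
// diffFiles lists the paths that actually appear in the merge request diff.
function parseReview(raw: string, diffFiles: readonly string[]): ParseResult {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return { findings: [], errors: ["response is not valid JSON"] };
  }
  const list = isRecord(data) ? data.findings : undefined;
  if (!Array.isArray(list)) {
    return { findings: [], errors: ["top level must be an object with a findings array"] };
  }
  const result: ParseResult = { findings: [], errors: [] };
  list.forEach((f: unknown, i: number) => {
    if (!isRecord(f)) { result.errors.push(`findings[${i}]: not an object`); return; }
    const problems: string[] = [];
    // Unknown keys are rejected so only reviewed fields reach the stored document.
    const extra = Object.keys(f).filter((k) => FINDING_KEYS.indexOf(k) === -1);
    if (extra.length > 0) problems.push(`unexpected keys: ${extra.join(", ")}`);
    const { severity, file, line, title } = f;
    if (typeof severity !== "string" || SEVERITIES.indexOf(severity) === -1) problems.push("bad severity");
    // Grounding check: a finding must point at a file that is really in the diff.
    if (typeof file !== "string" || diffFiles.indexOf(file) === -1) problems.push("file not in diff");
    if (typeof line !== "number" || !isFinite(line) || line < 1 || Math.floor(line) !== line) problems.push("bad line");
    if (typeof title !== "string" || title.length === 0 || title.length > 200) problems.push("bad title");
    if (problems.length === 0) result.findings.push(f as unknown as Finding);
    else result.errors.push(`findings[${i}]: ${problems.join("; ")}`);
  });
  return result;
}

// Constructed sample: the second finding cites a file outside the diff and adds a stray key.
const SAMPLE_DIFF_FILES = ["src/db/users.ts"];
const SAMPLE_RESPONSE = JSON.stringify({ findings: [
  { severity: "critical", file: "src/db/users.ts", line: 42, title: "SQL built by string concatenation" },
  { severity: "high", file: "src/payments.ts", line: 7, title: "Hardcoded API key", $set: { admin: true } },
] });
const SAMPLE_RESULT = parseReview(SAMPLE_RESPONSE, SAMPLE_DIFF_FILES);
```

Only the entries in `findings` would go on to storage or an MR comment; anything in `errors` is worth recording on the trace for that review.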
What's next for GitGuard AI
- Dynamic Self-Healing: Expand downstream capabilities to auto-create fix-it development branches on GitLab, auto-pushing code corrections directly back to the active MR.