Inspiration + Idea

When brainstorming for this project, members of the team drew on their own interest and experience in entrepreneurship. We decided that whatever we built, we wanted it to solve a problem for small businesses.

ResolvePR is a GitHub App that automatically reviews every pull request for security vulnerabilities the moment it's opened, using AST-aware code chunking and Claude AI for a detailed security review. This includes posting inline comments and a summary directly onto the pull request (PR) within seconds.

We decided to create it because, as coding becomes more accessible through AI and more small businesses and founders start projects with it, there often isn't a dedicated security engineer on the team (as there would be at a larger company). Even when developers want to review carefully, PRs move fast. Risky code can slip through simply because disorganization kept anyone from looking closely enough, and AI hallucinations can break an entire project.

ResolvePR solves this problem by focusing the security review on exactly where the code changed. Instead of analyzing the whole repository, it looks only at the code that actually changed, which reduces confusion and keeps the review organized for small businesses.

Challenges + How we created it

We started by setting up the infrastructure before writing a single line of product code. The first step was registering a GitHub App, which gives ResolvePR its own identity on GitHub so it can subscribe to webhook events and post comments on PRs with the right permissions.

From there we set up ngrok to tunnel GitHub's webhook events to our local machine during development, which let us test the full flow (PR opens, webhook fires, code review) without needing to deploy anything. Once we had the local loop working, we moved to Fly.io for production deployment. We containerized the Go backend using Docker, set up environment secrets securely so no credentials ever touched the codebase, and deployed to a live URL that GitHub now sends all webhook events to.

The backend itself is written in Go. It receives the webhook, verifies the signature, fetches the changed files from the PR, runs them through AST-aware chunking to isolate exactly what changed, and sends that to Claude for security analysis. The findings come back as inline comments posted directly on the PR.
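As an added example (not ResolvePR's own code), this is how the signature check at the front of that pipeline can look in Go: GitHub signs every delivery with the App's webhook secret and sends the HMAC in the X-Hub-Signature-256 header, and the handler verifies it over the raw body before any event reaches chunking or review. The reviewPR callback, the WEBHOOK_SECRET variable name and the size limit are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
	"os"
)

const sigPrefix = "sha256="

// signBody builds the value GitHub sends in X-Hub-Signature-256:
// "sha256=" + hex(HMAC-SHA256(secret, raw body)). Handy for local replay tests.
func signBody(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return sigPrefix + hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the HMAC over the exact raw bytes received and
// compares in constant time (re-serialising parsed JSON would change the bytes).
func verifySignature(secret, body []byte, header string) bool {
	return hmac.Equal([]byte(header), []byte(signBody(secret, body)))
}

// webhookHandler reads a bounded body once, rejects mis-signed deliveries and hands
// only pull_request events to reviewPR (hypothetical stand-in for chunking + Claude review).
func webhookHandler(secret []byte, maxBody int64, reviewPR func([]byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || int64(len(body)) > maxBody {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		if !verifySignature(secret, body, r.Header.Get("X-Hub-Signature-256")) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		if r.Header.Get("X-GitHub-Event") == "pull_request" {
			reviewPR(body)
		}
		w.WriteHeader(http.StatusNoContent) // any 2xx tells GitHub the delivery succeeded
	}
}

func main() { // the secret comes from a Fly.io secret / env var, never from the repo
	http.ListenAndServe(":8080", webhookHandler([]byte(os.Getenv("WEBHOOK_SECRET")), 1<<20, func([]byte) {}))
}
```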

The hardest part, honestly, was getting all the pieces talking to each other. The project pulls together many moving parts (GitHub, ngrok, Fly.io, private-key authentication for the App, and Claude), and we had to make the flow between them as seamless as possible.

Next Steps

Looking ahead, our goal is to expand language support, add lightweight team visibility, and integrate with tools like Slack and Jira.

Long term, we want ResolvePR to become the security layer that helps small teams catch vulnerabilities before code ever reaches production.

Built With

  • anthropic-claude-api
  • bash
  • claude-sonnet-4-6
  • curl
  • eslint
  • gh-cli
  • github-actions
  • github-oauth
  • github-rest-api
  • github-webhooks
  • go
  • javascript
  • lucide-react
  • neon-(serverless-postgres)
  • next.js-16
  • next.js-api-routes
  • node.js-crypto
  • npm
  • python
  • react-19
  • recharts
  • shadcn/ui
  • sql
  • swr
  • tailwind-css-4
  • typescript
  • typescript-5
  • vaul
  • vercel