Inspiration

Modern software development moves fast, but security often lags behind. During collaborative development, insecure code like hardcoded secrets or vulnerable logic can easily slip into production through merge requests.

This inspired me to build SecureMerge AI, a system that brings real-time AI-powered security checks directly into the developer workflow, making security proactive instead of reactive.

What it does

SecureMerge AI automatically reviews code changes in GitLab merge requests using AI.

It analyzes code differences and:

  • Detects security vulnerabilities
  • Assigns severity levels (HIGH, MEDIUM, LOW, INFO)
  • Explains issues clearly
  • Suggests fixes and generates auto-fix patches
  • Makes a final decision (Block Merge, Review Required, Safe to Merge)

The final report is automatically posted back to the merge request.

How we built it

The project is built using:

  • FastAPI for handling GitLab webhooks
  • GitLab API to fetch merge request changes
  • Groq LLM (LLaMA 3.1) for AI-powered code analysis
  • Python for backend logic and decision-making

Workflow:

  1. A developer pushes code to a branch
  2. GitLab triggers a webhook
  3. The backend fetches the code diff
  4. The AI analyzes the changes
  5. A decision engine determines merge safety
  6. Results are posted back to GitLab automatically
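The pipeline above (the severity and decision scheme from "What it does" and steps 2 through 6 of the workflow) sketched as standard-library Python. This is an added example, not SecureMerge AI's own code: the GitLab API and LLM calls are replaced by hypothetical callables (`fetch_diff`, `ask_model`, `post_note`), the diff and the model reply are constructed sample data, and the JSON schema the model is asked to return is an assumption. It also shows the fail-closed handling that the "consistent AI output" challenge implies: a reply that does not parse is routed to human review rather than treated as safe.

```python
import hmac
import json
from collections import namedtuple

# Severity labels from the page, ranked so the decision engine can compare them.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3}
BLOCK, REVIEW, SAFE = "Block Merge", "Review Required", "Safe to Merge"
Finding = namedtuple("Finding", "severity title line explanation suggested_fix")

def verify_webhook_token(header_value, expected_token):
    """GitLab sends the configured secret in X-Gitlab-Token; compare it in constant time."""
    if header_value is None or not expected_token:
        return False
    return hmac.compare_digest(header_value, expected_token)

def added_lines(diff_text):
    """Return (new_file_line_number, text) for every '+' line of a unified diff.
    Only added lines are sent to the model; removed and context lines are skipped."""
    result, new_line = [], 0
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-file line number.
            new_line = int(line.split("+", 1)[1].split(" ", 1)[0].split(",")[0])
        elif line.startswith(("+++", "---")):
            continue  # file headers, not content
        elif line.startswith("+"):
            result.append((new_line, line[1:]))
            new_line += 1
        elif not line.startswith("-"):
            new_line += 1  # a context line advances the new-file counter
    return result

def parse_findings(raw_model_output):
    """Parse the JSON the model was prompted to return (assumed schema); anything off-schema raises ValueError."""
    try:
        findings = []
        for item in json.loads(raw_model_output)["findings"]:
            severity = str(item["severity"]).upper()
            if severity not in SEVERITY_RANK:
                raise ValueError(f"unknown severity {severity!r}")
            findings.append(Finding(severity, str(item["title"]), int(item["line"]),
                                    str(item["explanation"]), str(item.get("suggested_fix", ""))))
        return findings
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError(f"model output not in expected schema: {exc}") from exc

def decide(findings):
    """Decision engine: the highest severity present determines the outcome."""
    worst = max((SEVERITY_RANK[f.severity] for f in findings), default=0)
    if worst >= SEVERITY_RANK["HIGH"]:
        return BLOCK
    return REVIEW if worst >= SEVERITY_RANK["MEDIUM"] else SAFE

def format_report(decision, findings):
    """Markdown note to post back on the merge request, worst findings first."""
    lines = [f"**SecureMerge AI decision: {decision}**", ""]
    for f in sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity]):
        lines.append(f"- [{f.severity}] line {f.line}: {f.title}")
        lines.append(f"  - {f.explanation}")
        if f.suggested_fix:
            lines.append(f"  - Suggested fix: {f.suggested_fix}")
    return "\n".join(lines if findings else lines + ["No issues found in the added lines."])

def handle_merge_request_event(headers, fetch_diff, ask_model, post_note, secret):
    """Steps 2-6 of the workflow. fetch_diff, ask_model and post_note are hypothetical
    callables standing in for the GitLab API and the LLM client so this runs offline."""
    if not verify_webhook_token(headers.get("X-Gitlab-Token"), secret):
        return {"status": 401, "decision": None}
    try:
        findings = parse_findings(ask_model(added_lines(fetch_diff())))
    except ValueError as exc:
        # An unparseable model reply is never treated as safe: hand it to a human.
        post_note(f"**SecureMerge AI decision: {REVIEW}**\n\nModel output unusable: {exc}")
        return {"status": 200, "decision": REVIEW}
    decision = decide(findings)
    post_note(format_report(decision, findings))
    return {"status": 200, "decision": decision}

# Constructed sample data (not from the project): a diff committing a secret-looking string, and the model JSON for it.
SAMPLE_DIFF = """@@ -1,3 +1,4 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "sk-live-EXAMPLE-placeholder"
+DEBUG = True
 def connect():
"""
SAMPLE_MODEL_OUTPUT = json.dumps({"findings": [
    {"severity": "HIGH", "title": "Hardcoded API key", "line": 2, "explanation": "A credential is committed in source.",
     "suggested_fix": "Load it from an environment variable or secret store."},
    {"severity": "LOW", "title": "Debug mode enabled", "line": 3,
     "explanation": "DEBUG = True can expose stack traces.", "suggested_fix": "Default to False."}]})

def run_demo():
    """Drive the handler with the constructed data; returns (decision, posted note)."""
    posted = []
    result = handle_merge_request_event({"X-Gitlab-Token": "demo-secret"}, lambda: SAMPLE_DIFF,
                                        lambda lines: SAMPLE_MODEL_OUTPUT, posted.append, "demo-secret")
    return result["decision"], posted[0]
```

Two design points worth keeping when wiring this to the real services: the webhook token check runs before any GitLab API call is made, so unauthenticated posts cannot trigger diff fetches or model requests, and the decision engine only ever reads validated severities, so a malformed or unexpected model reply degrades to "Review Required" instead of silently becoming "Safe to Merge".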

Challenges we ran into

  • Consistent AI output: Ensuring the AI returned structured and reliable responses required careful prompt design.
  • Accurate severity classification: Balancing HIGH, MEDIUM, and LOW risk detection was challenging and needed tuning.
  • End-to-end integration: Connecting GitLab, FastAPI, and AI into a smooth workflow required debugging across multiple components.

Accomplishments that we're proud of

  • Built a fully working AI-powered code review system
  • Successfully automated merge decisions (Block, Review, Safe)
  • Integrated AI directly into a real developer workflow
  • Generated meaningful explanations and auto-fix suggestions
  • Demonstrated end-to-end functionality with multiple test cases

What we learned

  • How to integrate LLMs into practical developer tools
  • Building event-driven systems using webhooks
  • Designing decision engines based on AI outputs
  • Working with APIs like GitLab for automation
  • Improving prompt engineering for better AI responses

What's next for SecureMerge AI

  • Add support for multiple repositories and teams
  • Improve accuracy with hybrid AI + static analysis
  • Integrate into CI/CD pipelines
  • Add customizable security policies
  • Enhance performance for large-scale projects
