// gitlab
2026-02-18
What it actually takes to wire automated security review into every merge request on a GitLab project — token scopes, webhook, severity tuning, and how to keep the noise down in the first week.
// review model
2026-02-11
Whole-tree scanners have their place, but day-to-day they overload the team with old findings. Diff-only review stays focused on the change being shipped — fast, cheap, and close to the merge request.
// findings
2026-02-04
A short tour of the bug classes that show up clearly in the diff but slip past traditional static scanners — with annotated examples from real merge requests and the prompt patterns CodeGuards uses to catch them.
// audits
2026-01-28
Audit prep usually means someone reconstructing months of review history from chat threads. If every change already gets a recorded security review, half of that work is just… already done.
// signal
2026-01-21
Every codebase has its own rules. Generic suppressions don't survive a refactor. Per-repo memory does — accept once, leave a note about the internal policy, and the same pattern stops nagging the team forever.