CodeGuards v1
// how it works

How CodeGuards reviews your merge requests.

One bot, one comment, one click. CodeGuards reads every push, posts a verdict directly on the merge request, and waits for you to either fix it or tell it to back off — no extra dashboard to babysit.

1. The summary comment

Every push that opens or updates an MR triggers a scan. When it finishes, the bot drops a single comment with the verdict, the top findings, and a link to the full report. On rescans the same comment is updated in place, so the discussion tab never fills up with stale verdicts.
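The flow this section describes, written out as an added example rather than CodeGuards' own code: a GitLab "Merge Request Hook" delivery arrives, the receiver checks the hook's secret token (the X-Gitlab-Token header GitLab sends when a secret is configured on the webhook), ignores anything that is not an open/update carrying a new head commit, runs the scan, and writes exactly one summary note that later rescans overwrite. GitLab's notes API is replaced by an in-memory stub so the example runs offline; the hidden marker comment, the report URL shape, the FakeNotesApi class and the scan callback are all assumptions.

```python
import hmac
import json

# Assumed hidden marker on the bot's own note, so a rescan can find and rewrite it.
MARKER = "<!-- codeguards:summary -->"


class FakeNotesApi:
    """Constructed stand-in for GitLab's merge-request notes endpoints
    (list / create / update); keeps everything in memory so this runs offline."""

    def __init__(self):
        self.notes = {}  # (mr_iid, note_id) -> body
        self._next_id = 1

    def list(self, mr_iid):
        return [{"id": nid, "body": body}
                for (iid, nid), body in self.notes.items() if iid == mr_iid]

    def create(self, mr_iid, body):
        nid, self._next_id = self._next_id, self._next_id + 1
        self.notes[(mr_iid, nid)] = body
        return nid

    def update(self, mr_iid, note_id, body):
        self.notes[(mr_iid, note_id)] = body
        return note_id


def render_summary(sha, findings, report_url):
    """Verdict line, top findings ordered by severity, link to the full report."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    verdict = "FAIL" if any(f["severity"] in ("CRITICAL", "HIGH") for f in findings) else "PASS"
    top = sorted(findings, key=lambda f: order.get(f["severity"], 9))[:5]
    lines = [f"**CodeGuards verdict for {sha[:8]}: {verdict}** ({len(findings)} findings)"]
    lines += [f"- `{f['severity']}` {f['file']}:{f['line']} {f['title']}" for f in top]
    lines.append(f"[Open full report]({report_url})")
    return "\n".join(lines)


def upsert_summary(api, mr_iid, body):
    """Exactly one summary note per MR: rewrite the marked note if present, else create it."""
    full = f"{MARKER}\n{body}"
    for note in api.list(mr_iid):
        if note["body"].startswith(MARKER):
            return api.update(mr_iid, note["id"], full)
    return api.create(mr_iid, full)


def handle_webhook(headers, raw_body, secret, api, scan, last_seen):
    """Process one delivery. Returns the note id written, or None when the delivery
    is rejected (bad token) or ignored (other event type, head commit unchanged)."""
    # GitLab echoes the secret configured on the hook in X-Gitlab-Token. Without this
    # check anyone who can reach the receiver can trigger scans or plant fake verdicts.
    if not hmac.compare_digest(headers.get("X-Gitlab-Token", ""), secret):
        return None
    if headers.get("X-Gitlab-Event") != "Merge Request Hook":
        return None
    attrs = json.loads(raw_body)["object_attributes"]
    if attrs.get("action") not in ("open", "reopen", "update"):
        return None
    mr_iid, sha = attrs["iid"], attrs["last_commit"]["id"]
    # 'update' also fires for title or label edits; only rescan when the head commit moved.
    if last_seen.get(mr_iid) == sha:
        return None
    last_seen[mr_iid] = sha
    report_url = f"https://codeguards.example/scans/{sha}"  # assumed URL shape
    return upsert_summary(api, mr_iid, render_summary(sha, scan(sha), report_url))
```

The two checks a practitioner should not skip are the constant-time token comparison (a receiver without it will happily scan, and comment on, whatever anyone POSTs to it) and the head-commit dedup, which is what keeps "one comment per scan" true when GitLab fires `update` for a label change.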

2. Inline notes on the diff

Critical and high-severity findings get an extra inline note, anchored to the exact line. When the AI is confident in the fix, the note carries a native GitLab suggestion block: one click in GitLab applies it as a commit on the MR branch, authored by you rather than by the bot.
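How such an inline note can be built, as an added example that is not CodeGuards' own code. GitLab's suggestion syntax is real: a fenced block tagged `suggestion:-A+B` is rendered as a one-click fix that replaces the anchored line plus A lines above and B lines below it. Everything else here is assumed: the finding fields, the confidence threshold of 0.8, the per-scan cap of 10 inline notes, and the decision to offer a fix as plain text when it would break the fence.

```python
# Added example, not CodeGuards' own code.
FENCE = "`" * 3            # three backticks open and close a suggestion block
ANCHORED = ("CRITICAL", "HIGH")


def select_inline(findings, cap=10):
    """Pick the findings that get an inline note: CRITICAL/HIGH only, most severe
    first, at most `cap` per scan. The cap value is assumed; everything else stays
    in the summary comment and the full report."""
    order = {"CRITICAL": 0, "HIGH": 1}
    eligible = [f for f in findings if f["severity"] in ANCHORED]
    return sorted(eligible, key=lambda f: (order[f["severity"]], f["file"], f["line"]))[:cap]


def render_inline_note(finding, min_confidence=0.8):
    """Markdown for the note anchored at finding['line'].

    The note is anchored on the first affected line, so the suggestion header is
    always -0 above and +B below, where B is how many further lines the fix covers
    (up to finding['end_line']). The 0.8 confidence threshold is assumed."""
    body = [f"**{finding['severity']}**: {finding['title']}", "", finding["recommendation"]]
    fix = finding.get("fix")                      # list of replacement lines, or None
    confident = finding.get("confidence", 0.0) >= min_confidence
    # A replacement line that itself contains three backticks would terminate the
    # suggestion block early and corrupt the note, so such fixes are not offered.
    safe = fix is not None and not any(FENCE in line for line in fix)
    if fix and confident and safe:
        below = finding.get("end_line", finding["line"]) - finding["line"]
        body += ["", f"{FENCE}suggestion:-0+{below}", *fix, FENCE]
    return "\n".join(body)
```

When applied, GitLab commits the replacement to the MR's source branch as the user who clicked, which is why the FAQ's "never pushes to your MR branch" still holds.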

3. The buttons in the comment

  • Add to exceptions — silences this finding in this repo on every future scan, until the exception is removed. Use it when the bot is wrong; we won't bother you with the same warning again, and the full report's suppression history keeps a record of the exception.
  • Apply suggested fix — pushes the AI's patch to a side branch codeguards/fix/..., never to your MR branch. Open a follow-up MR if you want to ship it.
  • Open full report — the per-scan dashboard with timeline, AI cost, and the suppression history.

4. Talking back to the bot

Reply in any CodeGuards thread with @codeguard followed by a question. The bot reads the surrounding diff plus the original finding and writes a focused answer. You can also use slash commands:

  • /codeguards suppress — same as the Add to exceptions button.
  • /codeguards fix — same as Apply suggested fix.
  • /codeguards explain — make the bot expand the recommendation in plain English.
  • /codeguards help — list every command.

Each thread has a cap on how many AI replies we'll send, so a reviewer who keeps asking "are you sure?" can't drive the bot into an endless loop.
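One way to route replies in a CodeGuards thread, as an added example and not the project's own code. It recognises the four slash commands and the @codeguard mention the section lists, charges only AI-generated answers against a per-thread cap, and, the check a practitioner wants first, ignores the bot's own notes and GitLab system notes so the bot can never answer itself. The cap of three replies, the bot's user id, the internal action names and the note dictionary shape are assumptions.

```python
import re

BOT_USER_ID = 4242  # assumed id of the bot's own GitLab user
COMMANDS = {"suppress": "add_to_exceptions", "fix": "apply_suggested_fix",
            "explain": "explain", "help": "help"}
COMMAND_RE = re.compile(r"^\s*/codeguards\s+([a-z]+)\s*$", re.IGNORECASE)
MENTION_RE = re.compile(r"@codeguard\b\s*(.*)", re.IGNORECASE | re.DOTALL)


class ReplyBudget:
    """Caps AI-generated replies per thread. Commands are deterministic and free;
    only free-text questions consume budget. The cap value is assumed."""

    def __init__(self, max_replies=3):
        self.max_replies = max_replies
        self.used = {}  # thread_id -> replies sent so far

    def take(self, thread_id):
        n = self.used.get(thread_id, 0)
        if n >= self.max_replies:
            return False
        self.used[thread_id] = n + 1
        return True


def route_note(note, budget):
    """Decide what to do with a new note in a CodeGuards thread.

    `note` is a dict with author_id, system, thread_id and body (assumed shape).
    Returns one of ("ignore", reason), ("command", action), ("unknown", word),
    ("question", text) or ("limit", None)."""
    # Never react to our own notes or to system notes: that is how bots loop.
    if note["author_id"] == BOT_USER_ID or note.get("system", False):
        return ("ignore", "own-or-system")
    body = note["body"]
    m = COMMAND_RE.match(body)
    if m:
        cmd = m.group(1).lower()
        return ("command", COMMANDS[cmd]) if cmd in COMMANDS else ("unknown", cmd)
    m = MENTION_RE.search(body)
    if m and m.group(1).strip():
        # A question costs one AI reply; past the cap we stay silent rather than argue.
        if not budget.take(note["thread_id"]):
            return ("limit", None)
        return ("question", m.group(1).strip())
    return ("ignore", "not-addressed")
```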

5. Tuning the bot per repository

Open Integrations, find your repo, and click the small balanced · low+ · professional pill next to the stack chip. Three knobs, no config files:

  • Review style — chill reports only HIGH and CRITICAL. balanced (default) skips pure-style nits but keeps everything that matters. strict is the loud, exhaustive mode.
  • Minimum severity — anything below this floor is silenced in the MR/PR comment. The full report dashboard still shows it, so nothing is lost.
  • Tone — professional (neutral, factual), friendly (peer reviewer), or blunt (no hedging). Affects both the inline notes and the AI dialog replies.

Changes apply to the next scan and the next dialog reply — no re-deploy, no migration, no scan to re-run by hand.
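The three knobs applied to a scan's findings, as an added example that is not CodeGuards' own code. It shows the point the section makes about the severity floor: the knobs decide what lands in the MR comment, while the full report still receives every finding. The category name "style", the tone wording, the severity names and the default settings (balanced, LOW, professional, matching the "balanced · low+ · professional" pill) are assumptions.

```python
# Added example, not CodeGuards' own code.
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Assumed defaults, read off the pill label on the Integrations page.
DEFAULTS = {"review_style": "balanced", "min_severity": "LOW", "tone": "professional"}

# Assumed wording: the page names the three tones but not what they sound like.
TONE_TEMPLATES = {
    "professional": "Finding: {title}. {recommendation}",
    "friendly": "Hey, quick one: {title}. {recommendation}",
    "blunt": "{title}. Fix: {recommendation}",
}


def style_allows(style, finding):
    """Review style decides which findings are eligible for the MR comment at all.
    'chill' keeps HIGH and CRITICAL only, 'balanced' drops pure style nits
    (assumed category name 'style'), 'strict' keeps everything."""
    if style == "chill":
        return SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK["HIGH"]
    if style == "balanced":
        return finding.get("category") != "style"
    if style == "strict":
        return True
    raise ValueError(f"unknown review style {style!r}")


def apply_settings(findings, settings=None):
    """Return (comment_lines, report_findings) for one scan.

    The MR comment gets findings that pass both the review style and the minimum
    severity floor, phrased in the configured tone. The full report gets all of
    them: the knobs filter presentation, they never shrink the scan itself."""
    s = {**DEFAULTS, **(settings or {})}
    floor = SEVERITY_RANK[s["min_severity"]]
    shown = [f for f in findings
             if style_allows(s["review_style"], f) and SEVERITY_RANK[f["severity"]] >= floor]
    template = TONE_TEMPLATES[s["tone"]]
    comment_lines = [template.format(**f) for f in shown]
    return comment_lines, list(findings)
```

Because the settings are read at the start of each scan, changing the pill changes the next comment with no re-run: the filter is applied to the stored findings at render time, not baked into the scan.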

6. Zero-config setup

Connect GitLab once on the Integrations page. CodeGuards registers the webhook for you, seeds a baseline ruleset for your stack, and starts reviewing the very next push. There is nothing to add to .gitlab-ci.yml — the bot is purely event-driven.

FAQ

Will it spam my MR?

No. There is exactly one summary comment per scan, plus one inline note per anchored finding, capped per scan. Subsequent rescans update the existing notes in place.

Does it ever push code to my MR branch?

Never. Auto-applied fixes always go to a fresh codeguards/fix/... branch — you decide whether to merge them.

What about GitHub?

The same bot ships for GitHub pull requests. The buttons, slash commands, and dialog all work identically on both platforms.