CodeGuards.io reviews every diff for exploitable security vulnerabilities — before the change reaches production. Findings land directly in GitLab with severity, the affected line, and a fix suggestion your developer can apply immediately.
What "automated security review" actually means
Traditional security scanning tools work against the entire codebase. They produce a backlog of findings — many of which are false positives, old issues that pre-date the team, or patterns that are "accepted risk" for the specific project. Triaging that backlog takes time and engineers learn to ignore the noise.
CodeGuards.io takes a different approach: it reviews only the changed lines in each commit or merge request. Every time a developer pushes code or opens an MR, CodeGuards.io receives the diff, analyses the specific changes in context, and produces a focused set of findings.
The result is a short, actionable list of real issues in the code that is about to ship — not a historical audit of the entire codebase.
How a review works in practice
1. Receiving the change
When you push a commit or open a merge request, GitLab fires a webhook that CodeGuards.io is listening on. The platform retrieves the diff from your GitLab instance using the access token you provided during setup.
2. Reviewing in context
CodeGuards.io analyses the changed lines against a library of security patterns — injection sinks, authorization gaps, unsafe deserialization, secret exposure, insecure cryptography, and more. The analysis is focused on what changed, not the full file. This keeps noise low and keeps each finding directly relevant to the work in front of the developer.
3. Delivering findings
Within seconds, findings are written back to the GitLab merge request as a structured comment. Each finding includes:
A severity label — Critical, High, Medium, or Info.
The exact file path and line number where the issue was introduced.
A plain-English explanation of why the pattern is a risk.
A concrete, diff-ready remediation suggestion.
A reference to the relevant CWE and OWASP category.
The same findings are available in the CodeGuards.io dashboard and in exportable security reports for leadership or auditors.
What CodeGuards.io catches well
Injection vulnerabilities — SQL injection, command injection, LDAP injection, and template injection introduced in new query-building or input-handling code.
Broken access control — missing authorization checks, direct object reference issues (IDOR/BOLA), and privilege escalation paths introduced by new routes or controller logic.
Mass assignment and unsafe data binding — Laravel $request->all() patterns, unguarded Eloquent models, and similar framework-specific pitfalls.
Sensitive data exposure — credentials, API keys, or PII written to logs, responses, or error messages in newly changed code.
Insecure deserialization — unsafe unserialize calls, unsafe YAML/JSON parsing with object instantiation, and similar patterns.
Cryptographic mistakes — weak algorithms, hardcoded IVs, improper key derivation, and insecure random number generation.
Security misconfigurations — CSRF token bypasses, missing security headers, and permissive CORS introduced in changed configuration.
Example finding: SQL injection
CRITICAL — SQL Injection
File: app/Http/Controllers/OrderController.php · line 52
CWE: CWE-89 · OWASP A03:2021
What was found
User input passed directly to DB::select() via string concatenation. An attacker can manipulate the query to read or modify any database row.
- $results = DB::select("SELECT * FROM orders WHERE user = " . $request->input('user'));
+ $results = DB::select("SELECT * FROM orders WHERE user = ?", [$request->input('user')]);
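To make the diff-scoped approach concrete, here is a small added example in Python (not CodeGuards.io's code, and a regex heuristic rather than its pattern library): it walks a unified diff, looks only at added lines, tracks new-side line numbers from the hunk headers, and flags request input concatenated into a DB::select() string. The diff it runs on is constructed for the example; the first hunk reproduces the finding above and the second adds the bound-parameter form, which is not flagged.

```python
import re
from dataclasses import dataclass

# Constructed sample diff (not from the page): one hunk adds a DB::select() built
# by string concatenation of request input, the other adds the bound-parameter form.
SAMPLE_DIFF = """\
--- a/app/Http/Controllers/OrderController.php
+++ b/app/Http/Controllers/OrderController.php
@@ -50,3 +50,4 @@ class OrderController extends Controller
     public function index(Request $request)
     {
+        $results = DB::select("SELECT * FROM orders WHERE user = " . $request->input('user'));
     }
@@ -80,3 +81,4 @@ class OrderController extends Controller
     public function show(Request $request)
     {
+        $results = DB::select("SELECT * FROM orders WHERE id = ?", [$request->input('id')]);
     }
"""

@dataclass
class Finding:
    severity: str
    cwe: str
    path: str
    line: int
    message: str

# Heuristic sink/source patterns (an assumption of this example): a Laravel raw-SQL
# call, and request input concatenated onto a string literal on the same added line.
SINK = re.compile(r'DB::(select|statement|update|delete|insert)\(')
CONCAT_INPUT = re.compile(r'"\s*\.\s*\$request->(input|get|query|post)\(')

def review_diff(diff_text: str) -> list[Finding]:
    """Walk a unified diff and flag only added lines; removed lines never count."""
    findings, path, new_line = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith('+++ '):
            path = raw[4:].removeprefix('b/')          # new-side file name
        elif raw.startswith('@@'):
            new_line = int(re.match(r'@@ -\d+(?:,\d+)? \+(\d+)', raw).group(1))
        elif raw.startswith('+'):                       # added line: the only thing reviewed
            if SINK.search(raw) and CONCAT_INPUT.search(raw):
                findings.append(Finding('CRITICAL', 'CWE-89', path, new_line,
                    'User input concatenated into SQL passed to DB::select(); bind it as a parameter.'))
            new_line += 1
        elif raw.startswith(' ') or raw == '':          # context line advances the new-side counter
            new_line += 1
    return findings
```

Running review_diff(SAMPLE_DIFF) yields exactly one finding, at OrderController.php line 52; a real engine would track taint across lines rather than matching one-line concatenation.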
What CodeGuards.io is not trying to replace
CodeGuards.io is a commit-level review layer, not a full application security platform. It does not replace:
Whole-repository SAST tools (SonarQube, Semgrep) — which are useful for auditing an existing codebase.
Software composition analysis (SCA) — which tracks known CVEs in third-party dependencies.
Runtime security monitoring — which detects attacks in production.
Manual penetration testing — which explores attack surface holistically.
CodeGuards.io works best as the first line of review — catching newly introduced vulnerabilities at the diff level before they land in the main branch. Teams typically run it alongside existing tooling rather than as a standalone solution.
Low noise from day one
Because CodeGuards.io reviews only what changed, the initial finding volume is naturally low. There is no historical backlog to triage. The first scan shows issues introduced in the current commit — nothing more.
For patterns that are intentional or acceptable in your codebase — internal conventions, known trade-offs, compensating controls — you can mark a finding as accepted with a short policy note. CodeGuards.io scopes the suppression to that repo and silences the same pattern on future scans there. The same pattern in any other connected project still gets reported.
Audit trail and compliance evidence
Every scan produces a timestamped, immutable record: which commit was reviewed, when, the verdict, every finding, and any acceptance decisions with author and rationale. This audit trail is available for export and maps to the evidence requirements of SOC 2 CC7.1/CC8.1, ISO 27001 A.14.2, and PCI-DSS 6.3 — without any extra process or manual documentation.
Frequently asked questions
Does CodeGuards.io scan the whole repository on the first connect?
No. CodeGuards.io reviews diffs, not the full tree. When you connect a repo, no historical scan runs. The first review covers the next commit or merge request after the webhook is registered.
How long does a review take?
The median time from diff receipt to findings posted on the merge request is around 9 seconds. Review time scales with diff size, not project size, so even large codebases get fast feedback on small changes.
Can I tune what gets flagged?
Each connected repo has its own review settings: you can adjust the severity threshold, mute specific finding categories, or mark individual patterns as accepted for that codebase. Changes apply to future scans on that project only.
Does it work on legacy codebases?
Yes. Because CodeGuards.io only reviews what changes, connecting a ten-year-old codebase does not produce an overwhelming backlog. Teams working in legacy code often find this particularly useful — they get review on new changes without having to fix years of historical issues first.
What languages does it support?
CodeGuards.io works well on PHP (including Laravel), TypeScript, JavaScript, Python, Go, and Ruby. The platform is framework-aware for common patterns — Laravel, Express, Django, FastAPI, and similar.
Every diff, reviewed before merge. 14-day trial · no card required · first finding in under 15 minutes.