Short, opinionated reads on repository memory, architecture drift, review noise, historical context, GitLab-native workflows, and audit evidence — from production merge requests, not slide decks.
What it actually takes to wire automated security review into every merge request on a GitLab project — token scopes, webhook, severity tuning, and how to keep the noise down on the first week.
Read noteWhole-tree rule engines have their place, but day-to-day they overload the team with old findings. Diff-only, repository-aware review stays on the change being shipped — predictable cost and close to the merge request.
Read noteBug classes that show up clearly in the diff but slip past signature-based tools — annotated examples from real merge requests, including broken fixes and repository-specific context.
Read noteAudit prep usually means someone reconstructing months of review history from chat threads. If every change already gets a recorded security review, half of that work is just… already done.
Read noteEvery codebase has its own rules. Generic suppressions don't survive a refactor. Per-repo memory does — accept once, leave a note about the internal policy, and the same pattern stops nagging the team forever.
Read noteMost teams that try a PR-review bot mute it by sprint two. The reason is almost always the same: the bot drops a top-level essay on every PR. Here's the design choices that make a code-review bot survive the third week — verdicts that mean something, threads anchored to lines, suppressions with a memory, and threads that close themselves.
Read noteThe architecture rules a team agreed on in some kickoff meeting — "controllers don't talk to Eloquent", "Services never inject other Services" — almost always live in a Confluence page nobody opens. The bypass merges because nobody remembered the rule. Here's how the per-repo rulebook (.codeguards/review.yml) turns those agreements into something the bot enforces on every PR, with a one-line citation of the rule.
The same per-repo memory that handles security false positives applies on the Code review side: click "Suppress" once with a one-line reason, and the same fingerprint stops nagging this repo. Category-path fallback means a rephrased AI output still hits the same rule — you don't suppress the same nit twelve times.
Read noteEach product is €189/mo + €0.50/run. The bundle is €289/mo + €0.75 per "combined run" — meaning when both pipelines fire on the same diff you pay €0.75 once, not 2 × €0.50. The €89 base discount and the €0.25 saved on every double-run aren't a marketing trick — they reflect the real overhead saving of running both pipelines on shared infrastructure. Here's how it adds up, what counts as a combined run, and where the bundle breaks even.
Read noteTopics we're writing next — same engineering tone, same repository-context lens: