// product overview

Repository-aware review that stays focused on the change.

CodeGuards reviews every commit and merge request through two pipelines: Security scans and Code review. Security scans catch vulnerabilities, broken fixes and exploitability. Code review catches quality regressions, missing tests, naming issues and architecture-boundary bypasses. Both use repository context, per-repo memory, and audit-grade records.

// product · security scans

Security scans

Repository-context security analysis. Reasoning across files, not regex. Verdicts you can gate CI on.

  • Vulnerabilities, secrets, exploitability — across file boundaries
  • Verdicts: pass · warn · fail
  • Audit trail mapped to SOC 2 / ISO 27001 / PCI-DSS
  • Per-repo memory of accepted false positives
See Security scans

// product · code review

Code review

Style, structure, architecture, naming, error handling — automatic feedback on the diff before a human reviewer opens the MR.

  • Inline diff comments — one per remark, not a wall of text
  • Verdicts: clean · remarks
  • Catches architecture-boundary bypasses your team has agreed on
  • Auto-resolves the GitLab thread when your team agrees a remark is fine
See Code review

What you get out of the box

  • GitLab + GitHub integration — cloud and self-hosted GitLab.
  • Automatic review on push, merge/pull request, manual run, or CI trigger — for whichever product you have enabled on that repo.
  • Inline comments on the diff with severity, file, line, explanation, and next step.
  • Per-repository memory — mark a finding (or a review remark) as accepted once with a short note about your internal rule, and CodeGuards silences the same pattern on that repo from then on.
  • Workspace dashboard, security report, per-review history — one timeline that surfaces both products side-by-side.
  • A setup that stays lightweight for developers and readable for leadership.

Works with Cursor, Claude, and any MCP client

Every workspace ships a built-in MCP server at /api/mcp. Connect Cursor or any MCP-compatible agent, generate a personal API token, and your AI assistant can read your repository rulebook, inspect security profiles, and create or update custom rules — without leaving the editor.

  • Generate a scoped API token in Settings → MCP & Tokens
  • Paste the endpoint and token into your mcp.json
  • Your agent can read, write, and toggle rules via cg_get_rulebook, cg_create_custom_rules_bulk, and more
  • Every MCP call is logged in the workspace audit trail

Not in scope

  • Whole-codebase SAST replacement — CodeGuards is focused on the change being shipped, not on the historical backlog that already exists when a repository is connected.
  • Dependency or package scanning.
  • IDE plugins or local agents.

One trigger model, two pipelines

Both products share the same four entry points and the same idempotency lock per (repo, sha, MR iid), so a single push event can fan out into a security review run and a code review run without double-billing or duplicate comments:

  • push events from a GitLab/GitHub webhook.
  • merge_request / pull_request open and update events.
  • Manual "Review now" from the Repositories page.
  • POST /api/scans/ci and POST /api/reviews/ci from a pipeline.

Per-repo toggles let you run Security scans on some repositories, Code review on others, or both on a single repo. Same workspace, same Stripe invoice, two independent meters.
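To make the trigger model concrete, here is an added example that is not CodeGuards code (the product itself is a Laravel monolith; Python is used here only so the behaviour can be run stand-alone). It models the four entry points feeding one dispatcher with an idempotency key of (repo, sha, MR iid), fanning out to whichever products the per-repo toggles enable. The lock being held per product, and the repo names and shas, are assumptions constructed for the illustration.

```python
# Added example (not CodeGuards code): a toy dispatcher that models the shared
# trigger model above. The product is a Laravel monolith; Python is used here
# only so the behaviour can be run and checked stand-alone.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class RunKey:
    """The idempotency key the page describes: (repo, sha, MR iid)."""
    repo: str
    sha: str
    mr_iid: Optional[int]  # None for a plain push that is not tied to an MR


@dataclass
class Dispatcher:
    # repo -> products enabled by the per-repo toggles ("security", "review")
    enabled: Dict[str, Set[str]]
    # Assumption: the lock is held per product, so each pipeline runs at most
    # once per key while the other pipeline can still run for the same key.
    _locks: Set[Tuple[RunKey, str]] = field(default_factory=set)
    runs: List[Tuple[str, RunKey, str]] = field(default_factory=list)

    def handle(self, source: str, repo: str, sha: str,
               mr_iid: Optional[int] = None) -> List[str]:
        """Handle one entry-point event (push, merge_request, manual, ci).

        Returns the products for which a new run was started; an empty list
        means every enabled product already holds the lock for this key.
        """
        key = RunKey(repo, sha, mr_iid)
        started: List[str] = []
        for product in sorted(self.enabled.get(repo, set())):
            lock = (key, product)
            if lock in self._locks:
                continue  # duplicate event: no second run, no duplicate comment
            self._locks.add(lock)
            self.runs.append((source, key, product))
            started.append(product)
        return started


def demo() -> Dict[str, int]:
    """Constructed scenario: one repo with both products, one with scans only."""
    d = Dispatcher(enabled={"acme/api": {"security", "review"},
                            "acme/docs": {"security"}})
    first = d.handle("push", "acme/api", "a1b2c3")           # fans out to both
    retry = d.handle("push", "acme/api", "a1b2c3")           # webhook redelivery
    ci = d.handle("ci", "acme/api", "a1b2c3")                # same sha from CI
    mr = d.handle("merge_request", "acme/api", "a1b2c3", 7)  # new key: MR iid
    docs = d.handle("push", "acme/docs", "a1b2c3")           # scans only
    return {"first": len(first), "retry": len(retry), "ci": len(ci),
            "mr": len(mr), "docs": len(docs), "total_runs": len(d.runs)}


if __name__ == "__main__":
    print(demo())
```

The point of the key shape is visible in the scenario: a webhook redelivery and a CI trigger for the same sha start nothing, while the MR event for the same sha is a different key (the iid is part of it) and legitimately gets its own pair of runs.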

What each run includes

For every scan and every review, CodeGuards works with:

  • Commit metadata — sha, branch, author, message.
  • The diff being reviewed.
  • Changed file paths and related codebase context for the active product (security context for scans; per-repo rulebook for reviews).
  • The active settings for that project — severity floor, tone, suppression history.

Results are stored as structured findings and reports inside your workspace, so teams can review trends over time instead of losing context in chat threads and MR comments.

Architecture you can show your CTO

Both products are bounded contexts in the same Laravel monolith — separate Eloquent models, separate repositories, separate jobs (ExecuteScanJob / ExecuteReviewJob), but they share the SCM connection layer, the unified diff line mapper, the LLM driver layer, the Stripe meter wiring, and the suppression engine. Adding a third product (or swapping the LLM provider, or pointing at a self-hosted SCM) is a one-bounded-context change — not a rewrite.

Inline comments are anchored to diff lines via the same line mapper on both sides. Suppressions are per-repo, per-fingerprint, with a category-path fallback so a rephrased Claude output still hits the same rule. Stale review threads on GitLab auto-resolve when the team agrees a remark is a known false positive. The same audit-grade record shape is produced by every run, regardless of which product fired.
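The per-repo memory described under "What you get out of the box" and the suppression lookup described here (per-repo, per-fingerprint, with a category-path fallback) are two views of the same mechanism, so one added example serves both. This is not CodeGuards code: the fingerprint composition (category, path, whitespace-normalised snippet, excluding line number and message) and the constructed findings are assumptions made for the illustration.

```python
# Added example (not CodeGuards code): a toy suppression store showing the
# per-repo, per-fingerprint lookup with a category-path fallback described
# above. The fingerprint composition is an assumption for illustration.
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    category: str   # e.g. "secrets", "injection"
    path: str       # file the finding points at
    line: int
    snippet: str    # the flagged source line as emitted by the model
    message: str    # free-text explanation, may be rephrased between runs


def normalise(snippet: str) -> str:
    """Collapse whitespace so re-indentation does not change the fingerprint."""
    return re.sub(r"\s+", " ", snippet).strip()


def fingerprint(f: Finding) -> str:
    """Stable identity of a finding: category + path + normalised snippet.

    Line number and message are deliberately excluded: the line moves when
    code above it changes, and the message is rephrased by the LLM.
    """
    raw = f"{f.category}|{f.path}|{normalise(f.snippet)}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


class SuppressionStore:
    def __init__(self) -> None:
        # (repo, fingerprint) -> note left by the team when accepting
        self._by_fingerprint: Dict[Tuple[str, str], str] = {}
        # (repo, category, path) -> note, used as the coarser fallback
        self._by_category_path: Dict[Tuple[str, str, str], str] = {}

    def accept(self, repo: str, f: Finding, note: str) -> str:
        """Record an accepted false positive once; returns the fingerprint."""
        fp = fingerprint(f)
        self._by_fingerprint[(repo, fp)] = note
        self._by_category_path[(repo, f.category, f.path)] = note
        return fp

    def lookup(self, repo: str, f: Finding) -> Optional[Tuple[str, str]]:
        """Return (match_kind, note) if the finding is suppressed for this repo.

        The exact fingerprint wins; otherwise fall back to category + path so
        a rephrased or re-flagged finding in the same place still hits the
        accepted rule. Other repos are never affected.
        """
        note = self._by_fingerprint.get((repo, fingerprint(f)))
        if note is not None:
            return ("fingerprint", note)
        note = self._by_category_path.get((repo, f.category, f.path))
        if note is not None:
            return ("category-path", note)
        return None


if __name__ == "__main__":
    # Constructed findings: the second is the first one re-emitted later with
    # a new line number, extra indentation and a rephrased message.
    store = SuppressionStore()
    original = Finding("secrets", "config/app.php", 12,
                       "$key = env('API_KEY', 'changeme');", "Hardcoded API key fallback")
    store.accept("acme/api", original, "placeholder default, real key comes from env")
    rephrased = Finding("secrets", "config/app.php", 14,
                        "    $key = env('API_KEY', 'changeme');", "API key embedded in source")
    print(store.lookup("acme/api", rephrased))   # fingerprint match
    print(store.lookup("acme/billing", rephrased))  # None: memory is per repo
```

The fallback trades precision for resilience: a different finding of the same category in the same file is also silenced by it, which is why the note attached at accept time matters for anyone auditing why a later finding never surfaced.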

What CodeGuards remembers

Accumulated project knowledge per repo — suppressions, conventions, fixes and exceptions your team already decided. CodeGuards applies that history on the next diff.

  • Accepted suppressions
  • Architecture conventions
  • Historical fixes
  • Repository structure
  • Known exceptions
  • Team decisions

Used in active engineering workflows

  • 2,000+ code changes reviewed monthly
  • 49+ repositories analyzed
  • 130+ adversarial tests
  • ~9s median feedback

Start with one connected repo, both products on. 14 days free. See which side your team leans on before you commit.