// self-hosted access modes

AI code review for teams that are careful with repository access.

CodeGuards can run as a managed SaaS integration, or in privacy-first modes where GitLab credentials, webhook ingress, and comment publishing stay inside your infrastructure. You choose the access model; the review surface stays the same.

Choose the connection model your security team allows

  • Managed SaaS — fastest setup. CodeGuards stores the SCM token, registers webhooks, reads diffs, posts comments, resolves stale GitLab threads, and powers slash commands.
  • Local Guard CLI — developer-local review before commit or push. It reads the local git diff, sends the diff bundle to CodeGuards, prints findings in the terminal, and lets the developer ask follow-up questions from the console.
  • CI runner — minimal local runtime. Your pipeline sends the MR diff, changed files, metadata, and requested products to CodeGuards. GitLab credentials stay in CI and are used locally to publish comments.
  • CI runner + realtime relay — privacy-first with realtime replies. A small Docker service receives GitLab Note Hook events, sends only discussion text and finding context to CodeGuards, then posts the returned answer back to GitLab.
  • Customer-hosted compute instance — one long-running Docker worker in your network. It receives GitLab MR and Note webhooks, fetches diffs with your GitLab token, sends review/security bundles to CodeGuards Cloud, and publishes comments back to GitLab.

What leaves your network in local modes?

CodeGuards Cloud receives the context needed to produce the review: the MR diff, changed file metadata, commit/MR metadata, requested products, and discussion text when a developer asks a follow-up question.

GitLab tokens, webhook secrets, project webhooks, SCM API calls, and comment publishing stay on your side in CI runner, relay, and compute modes. CodeGuards Cloud does not need a standing repository token for those setups.

Recommended path by buyer concern

  • “We want the best UX quickly.” Use Managed SaaS.
  • “We cannot let a vendor store a GitLab token.” Use Compute Instance.
  • “We want developers to check local changes before commit.” Use Local Guard CLI.
  • “We only want review on CI runs.” Use CI Runner.
  • “We want local credentials but realtime thread replies.” Use CI Runner + Realtime Relay, or Compute Instance if you prefer one service.

Before you start

  • Generate a CodeGuards CI API key in Integrations.
  • Copy the workspace organization slug.
  • Copy the repository connection id from the repository row, or prepare a GitLab project id → repository connection id map for group-level webhooks.
  • Create a GitLab project access token with api scope for the projects the runner, relay, or compute instance will publish to.
  • Generate one long random webhook secret and use the same value in GitLab and CODEGUARDS_GITLAB_WEBHOOK_SECRET.

Install paths

Before installing, generate a CodeGuards CI API key in Integrations, copy the workspace organization slug, and copy the repository connection id from the repository row.

For the developer-local setup, use the step-by-step Local CLI guide.

Local CLI for developers

curl -fsSL https://codeguards.io/dist/codeguards-install.sh | sh

codeguards init
codeguards review --mode=all --report-html
codeguards chat --finding=1

Composer package for CI runner and relay

composer config repositories.codeguards composer https://codeguards.io/dist/composer
composer require codeguards/ci-runner

vendor/bin/codeguards-review
vendor/bin/codeguards-gitlab-relay serve

Docker relay for realtime replies

docker pull ghcr.io/codeguards/ci-runner:latest
curl -fsSLO https://codeguards.io/dist/self-hosted/docker-compose.relay.yml
curl -fsSLo .env.relay https://codeguards.io/dist/self-hosted/relay.env.example
# edit .env.relay: API key, organization slug, repository connection id, GitLab token, webhook secret
docker compose -f docker-compose.relay.yml up -d
curl -fsS http://localhost:8080/healthz

Docker image for compute instance

docker pull ghcr.io/codeguards/compute-instance:latest
curl -fsSLO https://codeguards.io/dist/self-hosted/docker-compose.compute.yml
curl -fsSLo .env.compute https://codeguards.io/dist/self-hosted/compute.env.example
# edit .env.compute: API key, organization slug, repository connection id, GitLab token, webhook secret
docker run --rm --env-file .env.compute ghcr.io/codeguards/compute-instance:latest doctor
docker compose -f docker-compose.compute.yml up -d
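
One way to carry out the "long random webhook secret" step against the env file edited above. This is an added example, not CodeGuards tooling; it assumes the env file holds plain KEY=value lines, and the function names are made up here.

```shell
#!/bin/sh
# Added example: put a fresh 256-bit value into CODEGUARDS_GITLAB_WEBHOOK_SECRET.
# Assumption: the env file uses plain KEY=value lines.
# Usage: set_webhook_secret .env.compute

gen_webhook_secret() {
  # 32 bytes from the kernel CSPRNG, hex-encoded: 64 characters.
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

set_webhook_secret() {
  env_file=$1
  key=CODEGUARDS_GITLAB_WEBHOOK_SECRET
  [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
  secret=$(gen_webhook_secret)
  [ "${#secret}" -eq 64 ] || { echo "short read from /dev/urandom" >&2; return 1; }
  old_umask=$(umask)
  umask 077
  # mktemp creates the file with mode 0600 in the same directory.
  tmp=$(mktemp "${env_file}.XXXXXX") || { umask "$old_umask"; return 1; }
  # Drop any existing assignment, then append exactly one.
  grep -v "^${key}=" "$env_file" > "$tmp" || true
  printf '%s=%s\n' "$key" "$secret" >> "$tmp"
  # Atomic replace; the env file ends up owner-readable only.
  mv "$tmp" "$env_file"
  umask "$old_umask"
  # Print the value once so it can be pasted into the GitLab webhook's secret token.
  printf '%s\n' "$secret"
}
```
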

Webhook and operational checks

For the compute instance, add a GitLab project or group webhook pointing to https://compute.example.com/gitlab_webhooks. Enable Merge request events and Comments events. Use the same secret token as CODEGUARDS_GITLAB_WEBHOOK_SECRET.

  • GET /healthz — liveness probe.
  • GET /readyz — readiness probe, including config and writable local state.
  • doctor — validates environment variables before exposing the webhook.
  • JSON logs include GitLab event, request id, result, finding counts, and warning count without printing tokens.
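
To check the last point on your own deployment, the added script below (not part of CodeGuards) searches captured logs for the secret values configured in the env file. The name patterns, the GITLAB_TOKEN variable and the sample log fields are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: confirm captured service logs contain none of the secret
# values from the env file. Capture logs first, for instance with
#   docker compose -f docker-compose.compute.yml logs --no-color > compute.log

# Prints the NAMES of leaked variables (never the values); returns 1 on a leak.
leaked_secret_names() {
  env_file=$1 log_file=$2 found=""
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in \#*|'') continue ;; *=*) ;; *) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    case $name in
      *TOKEN*|*SECRET*|*KEY*) ;;   # assumption: secrets use these name parts
      *) continue ;;
    esac
    [ "${#value}" -ge 8 ] || continue   # skip empty or unfilled placeholders
    # -F matches the value literally; -q keeps the secret out of our output.
    if grep -qF -e "$value" "$log_file"; then
      found="$found $name"
    fi
  done < "$env_file"
  printf '%s\n' "${found# }"
  [ -z "$found" ]
}

# Constructed sample data; GITLAB_TOKEN and the log field names are hypothetical.
write_samples() {
  dir=$1
  cat > "$dir/env" <<'EOF'
# constructed values
CODEGUARDS_GITLAB_WEBHOOK_SECRET=constructed-webhook-secret-0001
GITLAB_TOKEN=glpat-constructed-token-0002
ORG_SLUG=acme
EOF
  cat > "$dir/clean.log" <<'EOF'
{"event":"Note Hook","request_id":"r-1","result":"ok","findings":2,"warnings":0}
EOF
  cat > "$dir/leaky.log" <<'EOF'
{"event":"Merge Request Hook","request_id":"r-2","error":"401 for glpat-constructed-token-0002"}
EOF
}
```

A non-zero exit means at least one configured secret appeared in the log; rotate the named credential and treat the captured log file as sensitive.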