A minimal FastAPI implementation:
- Listen for merge request webhooks
- Fetch diffs and old file contents
- Build a prompt and ask the model for a review
- Post the review as a Markdown note on the merge request
| Platform | Status |
|---|---|
| GitLab | ✅ Supported |
| GitHub | ✅ Supported |
- Python 3.13
These instructions will get the project running locally for development and testing purposes.
- Create a `.env` file and set your secrets:

  ```bash
  touch .env
  # Edit .env and set the required environment variables below
  ```
- Create and activate a virtual environment (recommended):

  ```bash
  python3 -m venv venv
  # macOS / Linux
  source venv/bin/activate
  # Windows (PowerShell)
  .\venv\Scripts\Activate.ps1
  ```
- Install Python dependencies:

  ```bash
  pip install --upgrade pip
  pip install -r requirements.txt
  ```
- Run the app locally with Uvicorn:

  ```bash
  uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
  ```
- (Optional) Expose your local server for webhooks (using ngrok):

  For GitLab:
  - Start ngrok: `ngrok http 8000`
  - Add a webhook in your GitLab project settings:
    - URL: `https://<your-ngrok>/gitlab/webhook`
    - Secret token: value of `GITLAB_WEBHOOK_SECRET` in your `.env`
    - Trigger: Pull requests (or merge requests) events

  For GitHub:
  - Start ngrok: `ngrok http 8000`
  - Add a webhook in your GitHub repository settings:
    - URL: `https://<your-ngrok>/github/webhook`
    - Content type: `application/json`
    - Secret: value of `GITHUB_WEBHOOK_SECRET` in your `.env`
    - Trigger: Pull requests (check "Pull requests" under "Let me select individual events")
- (Optional) Run in Docker:

  ```bash
  # build
  docker build -t ai-gitlab-code-review .
  # run (pass environment variables via --env-file or -e)
  docker run --env-file .env -p 8000:8000 ai-gitlab-code-review
  ```

- `OPENAI_API_KEY` or `OPENROUTER_API_KEY` (at least one required)
- `AI_MODEL` (required - Tested with gpt-4o-mini, gpt-oss-20b, and qwen3-coder)
- `GITLAB_TOKEN` (for GitLab support)
- `GITLAB_API_URL` (default: `https://gitlab.com/api/v4`)
- `GITLAB_WEBHOOK_SECRET` (required for GitLab webhooks)
- `GITHUB_TOKEN` (for GitHub support)
- `GITHUB_API_URL` (default: `https://api.github.com`)
- `GITHUB_WEBHOOK_SECRET` (required for GitHub webhooks)
- `PORT` (default: `8000`)

Tips for local testing:
- Use throwaway projects for testing webhooks and comments so you don't spam production projects.
- For GitLab: POST merge request webhook JSON to `/gitlab/webhook` with `X-Gitlab-Token` header
- For GitHub: POST pull request webhook JSON to `/github/webhook` with `X-Hub-Signature-256` header
- If you need to simulate webhook payloads, save example webhook JSON and use curl or Postman
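
How a receiver can check the two headers named in the tips above, as an added example (not this project's own code). GitLab sends the secret token verbatim in `X-Gitlab-Token`, while GitHub sends `sha256=` plus the hex HMAC-SHA256 of the raw request body in `X-Hub-Signature-256`; the function names and the sample secrets and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Mapping, Optional


def verify_gitlab_token(header_value: Optional[str], secret: str) -> bool:
    """GitLab sends the configured secret token verbatim in X-Gitlab-Token."""
    if not header_value or not secret:
        return False  # fail closed: an unset secret must never match
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(header_value.encode(), secret.encode())


def verify_github_signature(header_value: Optional[str], secret: str, raw_body: bytes) -> bool:
    """GitHub sends 'sha256=' + hex HMAC-SHA256 of the raw body in X-Hub-Signature-256."""
    if not header_value or not secret or not header_value.startswith("sha256="):
        return False
    # Sign the exact bytes received; re-serialized JSON would not match.
    expected = hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(header_value[len("sha256="):].encode(), expected.encode())


def authenticate_webhook(path: str, headers: Mapping[str, str], raw_body: bytes,
                         env: Mapping[str, str]) -> bool:
    """Hypothetical dispatcher: pick the check by endpoint path, deny anything else."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if path == "/gitlab/webhook":
        return verify_gitlab_token(lowered.get("x-gitlab-token"),
                                   env.get("GITLAB_WEBHOOK_SECRET", ""))
    if path == "/github/webhook":
        return verify_github_signature(lowered.get("x-hub-signature-256"),
                                       env.get("GITHUB_WEBHOOK_SECRET", ""), raw_body)
    return False


# Constructed sample values for a local run (not real secrets or payloads).
SAMPLE_ENV = {"GITLAB_WEBHOOK_SECRET": "gl-example", "GITHUB_WEBHOOK_SECRET": "gh-example"}
SAMPLE_BODY = b'{"action": "opened", "number": 1}'
SAMPLE_SIG = "sha256=" + hmac.new(b"gh-example", SAMPLE_BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    hdr = {"X-Hub-Signature-256": SAMPLE_SIG}
    print(authenticate_webhook("/github/webhook", hdr, SAMPLE_BODY, SAMPLE_ENV))
    print(authenticate_webhook("/github/webhook", hdr, SAMPLE_BODY + b" ", SAMPLE_ENV))
```

The same `SAMPLE_SIG` construction is what a local curl or Postman test needs to put in `X-Hub-Signature-256` for a saved payload.
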
- This implementation returns 200 quickly and processes AI work in background tasks.
- The OpenAI client uses the 1.x SDK with robust error handling and retry logic.
- Supports both OpenAI and OpenRouter APIs for maximum flexibility.
- Keep tokens secret and serve via TLS in production.
- Comment deduplication: Detect HTML markers `<!-- ai-gitlab-code-review -->` or `<!-- ai-github-code-review -->`.
- For large diffs, implement smarter chunking to fit token limits.
- The service is designed to be horizontally scalable with proper async/await patterns.
- GitLab: `/gitlab/webhook` - Listens for merge request events
- GitHub: `/github/webhook` - Listens for pull request events
- Service receives webhook when PR/MR is created or updated
- Returns 200 immediately, processes review in background
- Fetches diff and file contents from the platform
- Sends code to AI model for review
- Posts review comments and summary back to the platform
- Inline comments: Specific line-by-line feedback
- Summary reviews: Overall assessment and recommendations
- Markdown formatting: Rich, readable review comments
- Error resilience: Robust handling of API failures
- Async processing: Non-blocking webhook responses
Example of AI-generated code review comments on a GitLab merge request
Example of AI-generated code review comments on a GitHub pull request