AI-powered git guardian — 4 specialized agents review your code locally on every git add and git push, powered by Ollama. Zero cost, fully private, blocks bad code before it ships.
Two-layer architecture: fast local review via Ollama (free, private) + deep cloud review via Claude in CI/CD on complex files only — saving ~75% on API tokens.
Traditional code review happens after you push — when context is lost and fixes are expensive. git-sentry shifts review left, catching issues the moment you stage or push code.
| Layer | Trigger | Model | Agents | Cost |
|---|---|---|---|---|
| Local | `git-sentry add` | Ollama (qwen2.5-coder:14b) | Code Reviewer, Security Scanner | $0 |
| Local | `git-sentry push` | Ollama (qwen2.5-coder:14b) | All 4 agents in parallel | $0 |
| Cloud CI | PR opened | Claude Sonnet | Smart review (complex files only) | ~$0.005/review |
```
┌─────────────────────────────────────────────────────────────────┐
│ Developer Machine (Layer 1 — Local, $0)                         │
│                                                                 │
│ git-sentry add ──┐                                              │
│                  ├─→ Promise.all([                              │
│ git-sentry push ─┘     Code Reviewer,                           │
│                        Security Scanner (dual-phase),           │
│                        Test Gap Analyzer,    ← push only        │
│                        Deploy Gatekeeper     ← push only        │
│                      ])                                         │
│                       │                                         │
│                       ├─→ Terminal UI (chalk + log-update)      │
│                       ├─→ WebSocket :3301 → Dashboard :3300     │
│                       └─→ SQLite ~/.git-sentry/reviews.db       │
│                                                                 │
│ Score >= 6 + no criticals → PASS → git push                     │
│ Score < 6 or criticals    → BLOCK                               │
└─────────────────────────────────────────────────────────────────┘
                       │
                       │ markers.json (complex files only)
                       ▼
┌─────────────────────────────────────────────────────────────────┐
│ GitHub Actions (Layer 2 — Cloud, ~$0.005/review)                │
│                                                                 │
│ ┌──────────────┐ ┌─────────────────┐ ┌───────────────────┐      │
│ │ Claude Review │ │ Secret Scanning │ │ Test Coverage Gate │     │
│ │ (smart mode)  │ │ (regex + audit) │ │ (Vitest/Jest)      │     │
│ └──────────────┘ └─────────────────┘ └───────────────────┘      │
│        │                                                        │
│        └─→ Only reviews files in markers.json (~25% of diff)    │
│            Saves ~75% Claude API tokens                         │
└─────────────────────────────────────────────────────────────────┘
```
| Agent | Icon | Role | Runs on |
|---|---|---|---|
| Code Reviewer | R | Logic errors, bugs, anti-patterns, naming, performance | add, push |
| Security Scanner | S | OWASP Top 10, hardcoded secrets, injection, XSS (dual-phase: regex + LLM) | add, push |
| Test Gap Analyzer | T | Untested code paths, missing test files, coverage gaps | push |
| Deploy Gatekeeper | G | Aggregates scores, zero-tolerance for criticals, pass/block decision | push |
Phase 1 — Static (no LLM, instant):
- Regex patterns for API keys, tokens, private keys (OpenAI, GitHub, AWS, Stripe)
- Vulnerability patterns: `eval()`, `innerHTML`, SQL string concatenation, command injection
Phase 2 — LLM Analysis (deep):
- Context-dependent vulnerabilities regex can't catch
- Business logic security issues, auth/authz gaps
- OWASP Top 10 analysis with line-level findings
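To make the Phase 1 idea concrete, here is an added example of a regex-only static pass over one file. It is not git-sentry's own Security Scanner code: the rule set, the severities attached to each rule and the `SAMPLE_SOURCE` input are constructed for this example. It also emits each finding in the `SEVERITY|filepath:line|description|suggestion` line format the README uses, so a Phase 1 result can be merged with Phase 2 output.

```typescript
// Added example (not git-sentry's own Security Scanner): a Phase 1 static pass
// of the kind described above, regex only, no LLM. The rule set, severities and
// SAMPLE_SOURCE are constructed for this example and are assumptions.

type Severity = "CRITICAL" | "WARNING" | "INFO";

interface Finding {
  severity: Severity;
  file: string;
  line: number;
  description: string;
  suggestion: string;
}

interface Rule {
  id: string;
  severity: Severity;
  pattern: RegExp;
  description: string;
  suggestion: string;
}

// Secret-shaped literals first, then dangerous constructs. The pass is
// line-oriented, so a secret split across lines or a query assembled over
// several statements is left for the LLM phase.
const STATIC_RULES: Rule[] = [
  { id: "openai-key", severity: "CRITICAL", pattern: /\bsk-[A-Za-z0-9]{20,}\b/,
    description: "Hardcoded OpenAI-style API key", suggestion: "Load from a secret store and rotate the key" },
  { id: "github-token", severity: "CRITICAL", pattern: /\bghp_[A-Za-z0-9]{36}\b/,
    description: "Hardcoded GitHub token", suggestion: "Revoke the token and load it from the environment" },
  { id: "aws-key", severity: "CRITICAL", pattern: /\bAKIA[0-9A-Z]{16}\b/,
    description: "Hardcoded AWS access key id", suggestion: "Rotate the key and use an IAM role or env vars" },
  { id: "stripe-key", severity: "CRITICAL", pattern: /\bsk_live_[A-Za-z0-9]{24,}\b/,
    description: "Hardcoded Stripe live key", suggestion: "Rotate the key and load it from the environment" },
  { id: "private-key", severity: "CRITICAL", pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/,
    description: "Private key material in source", suggestion: "Remove from git history and regenerate the key" },
  { id: "hardcoded-password", severity: "CRITICAL", pattern: /\b(?:password|passwd|pwd)\s*[:=]\s*["'][^"']+["']/i,
    description: "Hardcoded password", suggestion: "Read credentials from configuration or a secret store" },
  { id: "eval", severity: "CRITICAL", pattern: /\beval\s*\(/,
    description: "eval() on runtime data", suggestion: "Replace with a parser or explicit dispatch" },
  { id: "sql-concat", severity: "CRITICAL", pattern: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*?(?:\$\{|["']\s*\+)/i,
    description: "SQL built by string interpolation/concatenation", suggestion: "Use parameterized queries" },
  { id: "cmd-exec", severity: "CRITICAL", pattern: /\b(?:exec|execSync)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/,
    description: "Shell command built from interpolated input", suggestion: "Use execFile/spawn with an argument array" },
  { id: "innerhtml", severity: "WARNING", pattern: /\.innerHTML\s*=/,
    description: "innerHTML assignment (XSS risk if input is untrusted)", suggestion: "Use textContent or sanitize the HTML" },
];

// Run every rule against every line; a line can yield several findings.
function scanFile(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  content.split(/\r?\n/).forEach((text, index) => {
    for (const rule of STATIC_RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ severity: rule.severity, file, line: index + 1,
          description: rule.description, suggestion: rule.suggestion });
      }
    }
  });
  return findings;
}

// Same line format the LLM phase is prompted to produce, so both phases merge.
function formatFinding(f: Finding): string {
  return `${f.severity}|${f.file}:${f.line}|${f.description}|${f.suggestion}`;
}

// Constructed input: the key and password are placeholders, not real secrets.
const SAMPLE_FILE = "src/demo-vuln.ts";
const SAMPLE_SOURCE = [
  'import { db } from "./db";',
  'const OPENAI_KEY = "sk-' + "A".repeat(24) + '"; // constructed placeholder',
  'const PASSWORD = "hunter2";',
  'const STRIPE_KEY = process.env.STRIPE_KEY; // fine: read from the environment',
  'export function findUser(id: string) {',
  '  return db.query(`SELECT * FROM users WHERE id = ${id}`);',
  '}',
  'export function render(el: HTMLElement, html: string) {',
  '  el.innerHTML = html;',
  '}',
  'export function safeRender(el: HTMLElement, text: string) {',
  '  el.textContent = text;',
  '}',
].join("\n");

for (const f of scanFile(SAMPLE_FILE, SAMPLE_SOURCE)) console.log(formatFinding(f));

export {};
```

The `process.env` line and the `textContent` function are there as negatives: a static pass that flags every mention of "key" or every DOM write produces noise that developers learn to bypass, so each rule keys on the dangerous shape (a literal that looks like a credential, an assignment into `innerHTML`, a query string that is interpolated) rather than on a keyword.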
Each agent starts at 10/10. Deductions:
- Critical: -2 points
- Warning: -1 point
- Info: -0.3 points
Zero-tolerance rule: Even one critical finding = BLOCKED, regardless of score.
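An added example of the scoring and gate logic just described, not git-sentry's own Gatekeeper code. The deductions (-2, -1, -0.3) and the zero-tolerance rule are the README's; the threshold default of 6 is the README's `scoreThreshold`. Taking the mean of agent scores as the aggregate, clamping at 0 and rounding to one decimal are assumptions, and the three sample runs are constructed.

```typescript
// Added example (not git-sentry's own Gatekeeper): per-agent deductions and the
// zero-tolerance gate. Aggregate = mean of agent scores, clamp at 0 and
// one-decimal rounding are assumptions; sample runs are constructed input.

type Severity = "CRITICAL" | "WARNING" | "INFO";

interface Finding { severity: Severity; file: string; line: number; description: string; }

interface AgentResult { agent: string; findings: Finding[]; }

interface GateDecision {
  verdict: "PASS" | "BLOCK";
  aggregateScore: number;
  criticals: number;
  agentScores: Record<string, number>;
  reason: string;
}

// Work in tenths of a point so 0.3 deductions never accumulate float drift.
const DEDUCTION_TENTHS: Record<Severity, number> = { CRITICAL: 20, WARNING: 10, INFO: 3 };

function scoreTenths(findings: Finding[]): number {
  const deducted = findings.reduce((total, f) => total + DEDUCTION_TENTHS[f.severity], 0);
  return Math.max(0, 100 - deducted); // every agent starts at 10/10
}

function scoreAgent(findings: Finding[]): number {
  return scoreTenths(findings) / 10;
}

// Criticals are checked before the score: one critical blocks regardless of
// how well the other agents scored.
function gate(results: AgentResult[], threshold = 6): GateDecision {
  const agentScores: Record<string, number> = {};
  let criticals = 0;
  let totalTenths = 0;
  for (const r of results) {
    agentScores[r.agent] = scoreAgent(r.findings);
    totalTenths += scoreTenths(r.findings);
    criticals += r.findings.filter((f) => f.severity === "CRITICAL").length;
  }
  const aggregateScore = results.length ? Math.round(totalTenths / results.length) / 10 : 10;
  const base = { aggregateScore, criticals, agentScores };
  if (criticals > 0) return { verdict: "BLOCK", ...base, reason: `${criticals} critical finding(s): zero tolerance` };
  if (aggregateScore < threshold) return { verdict: "BLOCK", ...base, reason: `score ${aggregateScore} is below threshold ${threshold}` };
  return { verdict: "PASS", ...base, reason: `score ${aggregateScore} >= ${threshold} and no criticals` };
}

// Constructed findings; file and descriptions are placeholders.
const f = (severity: Severity, line: number, description: string): Finding =>
  ({ severity, file: "src/demo-vuln.ts", line, description });

const BLOCKED_BY_CRITICALS: AgentResult[] = [
  { agent: "Code Reviewer", findings: [f("WARNING", 12, "unused variable"), f("INFO", 3, "naming"), f("INFO", 30, "naming")] },
  { agent: "Security Scanner", findings: [f("CRITICAL", 9, "SQL injection"), f("CRITICAL", 6, "hardcoded password"),
    f("CRITICAL", 21, "innerHTML XSS"), f("WARNING", 5, "hardcoded API key")] },
];

const BLOCKED_BY_SCORE: AgentResult[] = [
  { agent: "Code Reviewer", findings: [f("WARNING", 1, "a"), f("WARNING", 2, "b"), f("WARNING", 3, "c"),
    f("WARNING", 4, "d"), f("INFO", 5, "e"), f("INFO", 6, "f")] },
  { agent: "Security Scanner", findings: [f("WARNING", 7, "g"), f("WARNING", 8, "h"), f("WARNING", 9, "i"), f("WARNING", 10, "j")] },
];

const PASSING: AgentResult[] = [
  { agent: "Code Reviewer", findings: [f("WARNING", 12, "unused variable"), f("INFO", 3, "naming")] },
  { agent: "Security Scanner", findings: [f("INFO", 40, "consider rate limiting")] },
];

for (const run of [BLOCKED_BY_CRITICALS, BLOCKED_BY_SCORE, PASSING]) {
  const d = gate(run);
  console.log(`${d.verdict} ${d.aggregateScore}/10 (${d.reason})`);
}

export {};
```

The second run is the case the threshold exists for: no single finding is critical, but ten warnings across two agents average 5.7, which is under 6, so the push is still blocked. The first run shows the ordering of the two checks: the Code Reviewer's 8.4 does not rescue a Security Scanner result that contains criticals.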
- Node.js 20+
- Ollama running locally with a code model:
```bash
# Install Ollama: https://ollama.ai
ollama pull qwen2.5-coder:14b   # recommended (RTX 4090)
ollama pull qwen2.5-coder:7b    # lighter alternative
```
```bash
# Clone
git clone https://github.com/aptsalt/git-sentry.git
cd git-sentry

# Install dependencies
npm install

# Build CLI
cd cli && npm run build && npm link && cd ..

# Start dashboard
cd dashboard && npm run dev
# Open http://localhost:3300

# In any repo — run a review
cd /path/to/your/repo
git-sentry add src/auth.ts   # Stage + 2-agent review
git-sentry push              # Full 4-agent review + push
```

| Command | Description |
|---|---|
| `git-sentry add <files>` | Stage files + run Code Reviewer and Security Scanner |
| `git-sentry push [args]` | Run all 4 agents, push only if passed |
| `git-sentry push --force` | Bypass AI review and push directly |
| `git-sentry install` | Install git hooks (pre-push, prepare-commit-msg) |
| `git-sentry uninstall` | Remove hooks (restores backups) |
| `git-sentry status` | Show Ollama status, config, recent review stats |
| `git-sentry dashboard` | Open the web dashboard |
```
$ git-sentry add src/demo-vuln.ts
Reviewing 1 staged files with qwen2.5-coder:14b...
┌─ git-sentry add ──────────────────────────────────────┐
│ Branch: demo/security-audit                           │
├─ Agents ──────────────────────────────────────────────┤
│ [+] Code Reviewer     ██████████████████████ 100%     │
│ [+] Security Scanner  ██████████████████████ 100%     │
├─ Findings ────────────────────────────────────────────┤
│ X src/demo-vuln.ts:9   SQL injection (template lit)   │
│ X src/demo-vuln.ts:6   Hardcoded password detected    │
│ X src/demo-vuln.ts:21  innerHTML XSS vulnerability    │
│ ! src/demo-vuln.ts:5   Hardcoded API key              │
├────────────────────────────────────────────────────────┤
│ 12 critical 5 warning 18.4s | Score: 0/10 BLOCKED     │
└────────────────────────────────────────────────────────┘
```

Real-time monitoring dashboard built with Next.js 15, React 19, Tailwind CSS 4.
| Page | Description |
|---|---|
| Overview | Stats, local model performance analytics, CI/CD pipeline status, activity charts, top finding categories |
| Live Review | Real-time agent pipeline with animated progress, findings stream, architecture info |
| History | All past reviews with expandable detail — agent scores, file chips, findings by severity |
| Guide | Usage guide, CI/CD integration, agent docs, demo playbook |
The dashboard connects via WebSocket (port 3301) to the CLI. When you run git-sentry push, the dashboard shows real-time agent progress and findings streaming in.
```bash
cd dashboard && npm run dev   # http://localhost:3300
```

When a push passes locally, git-sentry generates markers.json — a complexity analysis of each file:

```json
{
  "complexFiles": [
    { "file": "src/auth/session.ts", "score": 8, "reason": "auth + crypto + async" },
    { "file": "src/payments/stripe.ts", "score": 7, "reason": "payment + external API" }
  ],
  "totalFiles": 12,
  "markedFiles": 2,
  "estimatedTokensSaved": 45000
}
```

In CI, only complex files are sent to Claude Sonnet. Simple utilities, configs, and styles are already covered by the local model. This saves ~75% on API costs.
| Signal | Weight | Examples |
|---|---|---|
| Auth/session code | +3 | login, JWT, OAuth |
| Payment/billing | +3 | Stripe, transactions |
| Crypto/hashing | +3 | encryption, keys |
| Async/concurrent | +2 | Promise.all, workers |
| Database queries | +2 | SQL, ORM calls |
| External APIs | +2 | fetch, HTTP clients |
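An added example of how the weighted signals above turn into a markers.json-shaped object. This is not git-sentry's own Complexity Analyzer: the keyword patterns behind each signal, the cap at 10, the descending sort and the "about 4 characters per token" estimate used for `estimatedTokensSaved` are assumptions; the `>= 5` threshold is the one the README states, and `SAMPLE_FILES` is constructed input.

```typescript
// Added example (not git-sentry's own Complexity Analyzer): scores files with
// the weighted signals from the table and builds a markers.json-shaped object.
// Keyword patterns, 10-point cap, sort order and the 4-chars/token estimate
// are assumptions; SAMPLE_FILES is constructed input.

interface Signal { name: string; weight: number; pattern: RegExp; }

const SIGNALS: Signal[] = [
  { name: "auth", weight: 3, pattern: /login|jwt|oauth|session/i },
  { name: "payment", weight: 3, pattern: /stripe|transaction|billing|invoice/i },
  { name: "crypto", weight: 3, pattern: /crypto|encrypt|hmac|bcrypt|pbkdf2/i },
  { name: "async", weight: 2, pattern: /Promise\.all|new Worker\(|worker_threads/ },
  { name: "database", weight: 2, pattern: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b|\.query\(|prisma\./ },
  { name: "external API", weight: 2, pattern: /\bfetch\(|axios|\bhttp\.request/ },
];

interface ComplexFile { file: string; score: number; reason: string; }

interface Markers {
  complexFiles: ComplexFile[];
  totalFiles: number;
  markedFiles: number;
  estimatedTokensSaved: number;
}

// Sum the weights of every signal present in the file, capped at 10.
function scoreComplexity(content: string): { score: number; reasons: string[] } {
  const hits = SIGNALS.filter((s) => s.pattern.test(content));
  const raw = hits.reduce((sum, s) => sum + s.weight, 0);
  return { score: Math.min(10, raw), reasons: hits.map((s) => s.name) };
}

// Files at or above the threshold go to the cloud reviewer; the characters of
// every skipped file feed the savings estimate.
function buildMarkers(files: Record<string, string>, threshold = 5): Markers {
  const complexFiles: ComplexFile[] = [];
  let skippedChars = 0;
  for (const [file, content] of Object.entries(files)) {
    const { score, reasons } = scoreComplexity(content);
    if (score >= threshold) complexFiles.push({ file, score, reason: reasons.join(" + ") });
    else skippedChars += content.length;
  }
  complexFiles.sort((a, b) => b.score - a.score);
  return {
    complexFiles,
    totalFiles: Object.keys(files).length,
    markedFiles: complexFiles.length,
    estimatedTokensSaved: Math.ceil(skippedChars / 4), // assumption: ~4 chars per token
  };
}

// Constructed sample repository (four files, two of them "complex").
const SAMPLE_FILES: Record<string, string> = {
  "src/auth/session.ts": [
    'import { createHmac } from "crypto";',
    "export async function issueSession(userId: string, secret: string) {",
    "  const [jwt] = await Promise.all([signJwt(userId), logLogin(userId)]);",
    '  return createHmac("sha256", secret).update(jwt).digest("hex");',
    "}",
  ].join("\n"),
  "src/payments/stripe.ts": [
    "// Stripe checkout: charge the card, then record the transaction",
    "export async function charge(db: Db, amount: number) {",
    '  const res = await fetch("https://payments.example.com/v1/charges", { method: "POST" });',
    '  await db.query("INSERT INTO transactions (amount) VALUES ($1)", [amount]);',
    "  return res.ok;",
    "}",
  ].join("\n"),
  "src/utils/format.ts": 'export const pad = (n: number): string => String(n).padStart(2, "0");',
  "src/styles/theme.css": ".btn { color: #fff; border-radius: 4px; }",
};

console.log(JSON.stringify(buildMarkers(SAMPLE_FILES), null, 2));

export {};
```

Note that the signals are additive and independent, so a file that is only asynchronous (+2) or only touches the database (+2) stays below the threshold and is left to the local model, while any file that combines auth, payment or crypto with one more signal is always marked.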
The .github/workflows/ci-agent.yml runs 3 parallel jobs on every PR:
- Smart AI Review — Reads markers.json, sends only complex files to Claude Sonnet
- Security Scan — Regex-based secret detection + npm audit
- Test Coverage — Auto-detects Vitest/Jest, runs tests, checks coverage

```bash
# Set in your repo secrets
ANTHROPIC_API_KEY=sk-ant-...
```

Config auto-created at ~/.git-sentry/config.json:
| Setting | Default | Description |
|---|---|---|
| `ollamaUrl` | `http://localhost:11434` | Ollama API endpoint |
| `ollamaModel` | `qwen2.5-coder:14b` | Model for local review |
| `scoreThreshold` | `6` | Minimum score to allow push (0-10) |
| `dashboardPort` | `3300` | Web dashboard port |
| `wsPort` | `3301` | WebSocket port for live updates |
| `maxFileSize` | `50000` | Skip files larger than this (chars) |
| Component | Technology |
|---|---|
| CLI | TypeScript, Commander, simple-git, chalk, log-update |
| LLM (local) | Ollama API, Qwen2.5-Coder 14B on RTX 4090 |
| LLM (cloud) | Anthropic Claude Sonnet API |
| Agents | Fan-out/fan-in with Promise.all, structured LLM prompts |
| Storage | SQLite with WAL mode (better-sqlite3) |
| Real-time | WebSocket (ws library) |
| Dashboard | Next.js 15, React 19, Tailwind CSS 4 |
| CI/CD | GitHub Actions (3 parallel jobs) |
| Monorepo | npm workspaces + Turborepo |
```
git-sentry/
├── cli/                        # CLI tool
│   └── src/
│       ├── cli.ts              # Entry point, command routing
│       ├── orchestrator.ts     # Agent orchestration (Promise.all fan-out)
│       ├── git.ts              # Git operations (simple-git)
│       ├── types.ts            # Zod schemas + shared types
│       ├── agents/
│       │   ├── base.ts         # Abstract BaseAgent (LLM + progress)
│       │   ├── reviewer.ts     # Code Reviewer Agent
│       │   ├── security.ts     # Security Scanner (dual-phase)
│       │   ├── test-gap.ts     # Test Gap Analyzer
│       │   ├── gatekeeper.ts   # Deploy Gatekeeper (zero-tolerance)
│       │   └── complexity.ts   # Complexity Analyzer (markers.json)
│       ├── llm/
│       │   ├── ollama.ts       # Ollama client (local)
│       │   └── claude.ts       # Claude client (cloud)
│       ├── store/db.ts         # SQLite review storage
│       ├── server/ws.ts        # WebSocket server
│       └── ui/terminal.ts      # Terminal progress UI
├── dashboard/                  # Next.js web dashboard
│   ├── app/
│   │   ├── page.tsx            # Overview + analytics
│   │   ├── live/page.tsx       # Real-time agent pipeline
│   │   ├── reviews/page.tsx    # Review history
│   │   └── guide/              # Usage guide, CI/CD, demo playbook
│   ├── components/             # Score badges, review cards, feeds
│   └── lib/                    # Types, hooks, SQLite reader
├── scripts/
│   └── seed-db.ts              # Seed realistic review data
├── docs/
│   ├── architecture.md         # System architecture
│   ├── agents.md               # Agent design patterns
│   ├── interview-guide.md      # Interview talking points
│   └── screenshots/            # Dashboard screenshots
├── .github/workflows/
│   └── ci-agent.yml            # GitHub Actions CI pipeline
└── README.md
```
Each agent extends BaseAgent with a standardized review(files, diff) interface. The orchestrator runs agents in parallel using Promise.all(), broadcasting progress via WebSocket to the dashboard.
Prompts force the model to output findings in a parseable format:
```
SEVERITY|filepath:line|description|suggestion
```
The parseFindings() method extracts these with regex — no JSON parsing, no hallucination issues.
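An added example of a parser for that line format, written for this README rather than taken from git-sentry's `parseFindings()`. Its tolerances are assumptions: it skips the prose, code fences and list bullets a model tends to wrap its answer in, accepts any letter case for the severity, keeps `|` characters that appear inside the suggestion, and drops lines whose severity label or line number it cannot trust. The `SAMPLE_LLM_OUTPUT` is constructed.

```typescript
// Added example (not git-sentry's own parseFindings): a tolerant parser for the
// SEVERITY|filepath:line|description|suggestion line format. The tolerances
// (skip chatter/fences/bullets, case-insensitive severity, '|' allowed in the
// suggestion, reject unknown severities and bad line numbers) are assumptions.

type Severity = "CRITICAL" | "WARNING" | "INFO";

interface Finding {
  severity: Severity;
  file: string;
  line: number;
  description: string;
  suggestion: string;
}

// One finding per line. Anything that does not match the shape is ignored, so
// an unexpected label ("HIGH") or a non-numeric line never becomes a finding.
const FINDING_LINE =
  /^\s*(?:[-*]\s*)?(CRITICAL|WARNING|INFO)\s*\|\s*([^|:\s][^|]*?):(\d+)\s*\|\s*([^|]*)\|\s*(.*)$/i;

function parseFindings(raw: string): Finding[] {
  const findings: Finding[] = [];
  for (const line of raw.split(/\r?\n/)) {
    const m = FINDING_LINE.exec(line);
    if (!m) continue;
    const lineNo = Number.parseInt(m[3], 10);
    if (lineNo < 1) continue;
    findings.push({
      severity: m[1].toUpperCase() as Severity,
      file: m[2].trim(),
      line: lineNo,
      description: m[4].trim(),
      suggestion: m[5].trim(),
    });
  }
  return findings;
}

// Counts feed the "N critical M warning" summary line in the terminal UI.
function countBySeverity(findings: Finding[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { CRITICAL: 0, WARNING: 0, INFO: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed model output: chatter, a fence, a bullet, a suggestion with a
// pipe in it, an unknown severity and a bad line number.
const SAMPLE_LLM_OUTPUT = [
  "Here are my findings:",
  "```",
  "CRITICAL|src/demo-vuln.ts:9|SQL injection via template literal|Use parameterized queries",
  "- warning | src/demo-vuln.ts:21 | innerHTML assignment with untrusted input | Use textContent or sanitize with DOMPurify | escape-html",
  "INFO|src/demo-vuln.ts:3|Unused import|Remove it",
  "HIGH|src/demo-vuln.ts:5|Unknown severity label|Ignored by the parser",
  "WARNING|src/demo-vuln.ts:abc|Bad line number|Ignored by the parser",
  "```",
  "Let me know if you want more detail.",
].join("\n");

const parsed = parseFindings(SAMPLE_LLM_OUTPUT);
console.log(parsed.length, "findings", countBySeverity(parsed));

export {};
```

The severity alternation in the regex is what enforces the format: a label outside the three the prompt allows cannot be scored by the gatekeeper, so it is dropped rather than mapped to a guess.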
Local Ollama catches ~80% of issues for free. A Complexity Analyzer scores each file (0-10) based on weighted signals (auth +3, payment +3, crypto +3, async +2). Only files scoring >= 5 get sent to Claude in CI. Result: ~75% API cost savings.
If Ollama is offline, files stage/push normally. Security Scanner Phase 1 (regex) still runs without LLM. The system never blocks developer workflow due to infra issues.
MIT
Deepak Singh Kandari — github.com/aptsalt