aptsalt/git-sentry

git-sentry

AI-powered git guardian: four specialized agents review your code locally on every git-sentry add and git-sentry push (or through the installed pre-push hook), powered by Ollama. The local layer costs nothing in API fees, never sends code off your machine, and blocks bad code before it ships.

Two-layer architecture: a fast local review via Ollama (free, private) plus a deeper cloud review via Claude in CI/CD that is limited to the files the local layer flags as complex, which the project estimates saves ~75% of API tokens.


Screenshots

Dashboard screenshots (images not included in this extract):

  • Overview: Local Model Analytics + CI/CD Pipeline
  • Review History: Expandable Detail Cards
  • Live Review: Real-time Agent Pipeline
  • Demo Playbook: In-App Interview Guide


Why git-sentry?

Traditional code review happens after you push — when context is lost and fixes are expensive. git-sentry shifts review left, catching issues the moment you stage or push code.

| Layer | Trigger | Model | Agents | Cost |
| --- | --- | --- | --- | --- |
| Local | git-sentry add | Ollama (qwen2.5-coder:14b) | Code Reviewer, Security Scanner | $0 |
| Local | git-sentry push | Ollama (qwen2.5-coder:14b) | All 4 agents in parallel | $0 |
| Cloud | CI, PR opened | Claude Sonnet | Smart review (complex files only) | ~$0.005/review |

Architecture

┌─────────────────────────────────────────────────────────────────┐
│  Developer Machine (Layer 1 — Local, $0)                        │
│                                                                 │
│  git-sentry add ──┐                                             │
│                   ├─→ Promise.all([                              │
│  git-sentry push ─┘     Code Reviewer,                          │
│                         Security Scanner (dual-phase),           │
│                         Test Gap Analyzer,     ← push only       │
│                         Deploy Gatekeeper      ← push only       │
│                       ])                                         │
│                       │                                          │
│                       ├─→ Terminal UI (chalk + log-update)       │
│                       ├─→ WebSocket :3301 → Dashboard :3300     │
│                       └─→ SQLite ~/.git-sentry/reviews.db       │
│                                                                 │
│  Score >= 6 + no criticals → PASS → git push                    │
│  Score < 6 or criticals   → BLOCK                               │
└─────────────────────────────────────────────────────────────────┘
                              │
                              │ markers.json (complex files only)
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  GitHub Actions (Layer 2 — Cloud, ~$0.005/review)               │
│                                                                 │
│  ┌──────────────┐ ┌─────────────────┐ ┌───────────────────┐    │
│  │ Claude Review │ │ Secret Scanning │ │ Test Coverage Gate │    │
│  │ (smart mode)  │ │ (regex + audit) │ │ (Vitest/Jest)     │    │
│  └──────────────┘ └─────────────────┘ └───────────────────┘    │
│         │                                                       │
│         └─→ Only reviews files in markers.json (~25% of diff)   │
│             Saves ~75% Claude API tokens                        │
└─────────────────────────────────────────────────────────────────┘

The 4 Agents

| Agent | Icon | Role | Runs on |
| --- | --- | --- | --- |
| Code Reviewer | R | Logic errors, bugs, anti-patterns, naming, performance | add, push |
| Security Scanner | S | OWASP Top 10, hardcoded secrets, injection, XSS (dual-phase: regex + LLM) | add, push |
| Test Gap Analyzer | T | Untested code paths, missing test files, coverage gaps | push |
| Deploy Gatekeeper | G | Aggregates scores, zero-tolerance for criticals, pass/block decision | push |

Security Scanner: Dual-Phase Detection

Phase 1 — Static (no LLM, instant):

  • Regex patterns for API keys, tokens, private keys (OpenAI, GitHub, AWS, Stripe)
  • Vulnerability patterns: eval(), innerHTML, SQL string concatenation, command injection

Phase 2 — LLM Analysis (deep):

  • Context-dependent vulnerabilities regex can't catch
  • Business logic security issues, auth/authz gaps
  • OWASP Top 10 analysis with line-level findings

Scoring Algorithm

Each agent starts at 10/10. Deductions:

  • Critical: -2 points
  • Warning: -1 point
  • Info: -0.3 points

Zero-tolerance rule: Even one critical finding = BLOCKED, regardless of score.
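The following is an added example, not git-sentry's own scanner or gatekeeper code. It runs a Phase 1 style regex pass over a constructed file, applies the scoring rule above (start at 10, critical -2, warning -1, info -0.3, floored at 0) and then makes the gate decision with the zero-tolerance rule and the default threshold of 6. The pattern list, the sample file and the way per-agent scores are aggregated (taking the minimum) are assumptions of this example, not the project's.

```typescript
// Added example (not git-sentry's own code): Phase 1 regex scan + README scoring + gate.
// The regex list, SAMPLE_FILE and the minimum-of-agents aggregation are assumptions.

type Severity = "critical" | "warning" | "info";

interface Finding {
  severity: Severity;
  file: string;
  line: number;
  description: string;
}

// Illustrative patterns only; the project's own list is not shown on the page.
const STATIC_PATTERNS: { re: RegExp; severity: Severity; description: string }[] = [
  { re: /sk-ant-[A-Za-z0-9_-]{20,}/, severity: "critical", description: "Anthropic API key" },
  { re: /\bAKIA[0-9A-Z]{16}\b/, severity: "critical", description: "AWS access key ID" },
  { re: /ghp_[A-Za-z0-9]{36}/, severity: "critical", description: "GitHub personal access token" },
  { re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/, severity: "critical", description: "Private key material" },
  { re: /\b(password|passwd|secret)\s*[:=]\s*["'][^"']{4,}["']/i, severity: "critical", description: "Hardcoded password/secret" },
  { re: /\beval\s*\(/, severity: "warning", description: "eval() call" },
  { re: /\.innerHTML\s*=/, severity: "warning", description: "innerHTML assignment (XSS sink)" },
  { re: /(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*(\+\s*\w|\$\{)/i, severity: "critical", description: "SQL built by concatenation/template literal" },
  { re: /\b(exec|execSync|spawn)\s*\([^)]*(\+|\$\{)/, severity: "critical", description: "Shell command built from variables" },
];

// Phase 1: no LLM, one pass per line, line-numbered findings.
function staticScan(file: string, content: string): Finding[] {
  const findings: Finding[] = [];
  content.split("\n").forEach((text, i) => {
    for (const p of STATIC_PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ severity: p.severity, file, line: i + 1, description: p.description });
      }
    }
  });
  return findings;
}

// README scoring: each agent starts at 10; critical -2, warning -1, info -0.3; floor at 0.
const DEDUCTION: Record<Severity, number> = { critical: 2, warning: 1, info: 0.3 };

function agentScore(findings: Finding[]): number {
  const total = findings.reduce((acc, f) => acc + DEDUCTION[f.severity], 0);
  return Math.max(0, Math.round((10 - total) * 10) / 10);
}

interface GateResult { score: number; criticals: number; passed: boolean; reason: string }

// Gatekeeper: any critical blocks regardless of score, then the threshold (default 6) applies.
function gate(agentFindings: Finding[][], threshold = 6): GateResult {
  const scores = agentFindings.map(agentScore);
  const score = scores.length ? Math.min(...scores) : 10; // aggregation by minimum: an assumption
  const all = ([] as Finding[]).concat(...agentFindings);
  const criticals = all.filter((f) => f.severity === "critical").length;
  if (criticals > 0) return { score, criticals, passed: false, reason: `${criticals} critical finding(s)` };
  if (score < threshold) return { score, criticals, passed: false, reason: `score ${score} < ${threshold}` };
  return { score, criticals, passed: true, reason: "ok" };
}

// Constructed sample file (not from the page): one key, one password, one SQL sink, one XSS sink.
const SAMPLE_FILE = [
  'import db from "./db";',
  'const API_KEY = "sk-ant-api03-0123456789abcdefghijklmnopqrstuvwxyz";',
  'const password = "hunter2secret";',
  "export function findUser(name: string) {",
  "  return db.query(`SELECT * FROM users WHERE name = '${name}'`);",
  "}",
  'document.getElementById("out")!.innerHTML = location.hash;',
].join("\n");

function demo(): { findings: Finding[]; result: GateResult } {
  const findings = staticScan("src/demo-vuln.ts", SAMPLE_FILE);
  const result = gate([findings]);
  for (const f of findings) console.log(`${f.severity.toUpperCase()} ${f.file}:${f.line}  ${f.description}`);
  console.log(result.passed ? "PASS" : `BLOCKED (${result.reason})`);
  return { findings, result };
}

demo();
```

Running it reports three criticals and one warning for the sample file, a score of 3/10, and BLOCKED; note that the block decision comes from the zero-tolerance rule before the threshold is even consulted.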


Quick Start

Prerequisites

  • Node.js 20+
  • Ollama running locally with a code model:
    # Install Ollama: https://ollama.ai
    ollama pull qwen2.5-coder:14b   # recommended (RTX 4090)
    ollama pull qwen2.5-coder:7b    # lighter alternative

Installation

# Clone
git clone https://github.com/aptsalt/git-sentry.git
cd git-sentry

# Install dependencies
npm install

# Build CLI
cd cli && npm run build && npm link && cd ..

# Start dashboard
cd dashboard && npm run dev
# Open http://localhost:3300

# In any repo — run a review
cd /path/to/your/repo
git-sentry add src/auth.ts        # Stage + 2-agent review
git-sentry push                    # Full 4-agent review + push

CLI Commands

| Command | Description |
| --- | --- |
| git-sentry add <files> | Stage files + run Code Reviewer and Security Scanner |
| git-sentry push [args] | Run all 4 agents, push only if passed |
| git-sentry push --force | Bypass AI review and push directly |
| git-sentry install | Install git hooks (pre-push, prepare-commit-msg) |
| git-sentry uninstall | Remove hooks (restores backups) |
| git-sentry status | Show Ollama status, config, recent review stats |
| git-sentry dashboard | Open the web dashboard |

Both --force and git's own `git push --no-verify` (which skips the pre-push hook) bypass the local review, so treat the local layer as a developer aid and the CI layer as the enforcement point.

Example: blocking bad code at git-sentry add

$ git-sentry add src/demo-vuln.ts

Reviewing 1 staged files with qwen2.5-coder:14b...

┌─ git-sentry add ──────────────────────────────────────┐
│  Branch: demo/security-audit                          │
├─ Agents ──────────────────────────────────────────────┤
│  [+] Code Reviewer        ██████████████████████ 100% │
│  [+] Security Scanner     ██████████████████████ 100% │
├─ Findings ────────────────────────────────────────────┤
│  X src/demo-vuln.ts:9   SQL injection (template lit)  │
│  X src/demo-vuln.ts:6   Hardcoded password detected   │
│  X src/demo-vuln.ts:21  innerHTML XSS vulnerability   │
│  ! src/demo-vuln.ts:5   Hardcoded API key             │
├────────────────────────────────────────────────────────┤
│  12 critical  5 warning  18.4s | Score: 0/10 BLOCKED  │
└────────────────────────────────────────────────────────┘

Web Dashboard

Real-time monitoring dashboard built with Next.js 15, React 19, Tailwind CSS 4.

| Page | Description |
| --- | --- |
| Overview | Stats, local model performance analytics, CI/CD pipeline status, activity charts, top finding categories |
| Live Review | Real-time agent pipeline with animated progress, findings stream, architecture info |
| History | All past reviews with expandable detail: agent scores, file chips, findings by severity |
| Guide | Usage guide, CI/CD integration, agent docs, demo playbook |

The dashboard connects over WebSocket (port 3301) to the CLI. When you run git-sentry push, the dashboard shows real-time agent progress and findings streaming in. Both ports are meant for local use: check that the WebSocket server listens on 127.0.0.1 rather than all interfaces, since file paths and finding text for your repositories stream over it.

cd dashboard && npm run dev    # http://localhost:3300

Smart Token Optimization

When a push passes locally, git-sentry generates markers.json — a complexity analysis of each file:

{
  "complexFiles": [
    { "file": "src/auth/session.ts", "score": 8, "reason": "auth + crypto + async" },
    { "file": "src/payments/stripe.ts", "score": 7, "reason": "payment + external API" }
  ],
  "totalFiles": 12,
  "markedFiles": 2,
  "estimatedTokensSaved": 45000
}

In CI, only complex files are sent to Claude Sonnet. Simple utilities, configs, and styles are already covered by the local model. This saves ~75% on API costs.

| Signal | Weight | Examples |
| --- | --- | --- |
| Auth/session code | +3 | login, JWT, OAuth |
| Payment/billing | +3 | Stripe, transactions |
| Crypto/hashing | +3 | encryption, keys |
| Async/concurrent | +2 | Promise.all, workers |
| Database queries | +2 | SQL, ORM calls |
| External APIs | +2 | fetch, HTTP clients |
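An added example of the complexity scoring described above, not git-sentry's own Complexity Analyzer: it applies the README's signal weights to each file, caps the score at 10, marks files at or above the CI threshold of 5, and emits a markers.json-shaped object. The keyword list behind each signal, the chars/4 token estimate and the sample files are assumptions of this example.

```typescript
// Added example (not the project's complexity.ts): README signal weights -> markers.json shape.
// Keyword regexes, the chars/4 token estimate and SAMPLE_FILES are assumptions.

interface Signal { name: string; weight: number; re: RegExp }

const SIGNALS: Signal[] = [
  { name: "auth", weight: 3, re: /\b(login|session|jwt|oauth|passport|cookie)\b/i },
  { name: "payment", weight: 3, re: /\b(stripe|payment|billing|transaction|invoice)\b/i },
  { name: "crypto", weight: 3, re: /\b(crypto|encrypt|decrypt|hash|hmac|privateKey|sign)\b/i },
  { name: "async", weight: 2, re: /\b(Promise\.all|Worker|setInterval|queue)\b/ },
  { name: "db", weight: 2, re: /\b(SELECT|INSERT|UPDATE|DELETE|prisma|knex|sequelize|query)\b/ },
  { name: "external API", weight: 2, re: /\b(fetch|axios|http\.request|got)\b/ },
];

interface MarkedFile { file: string; score: number; reason: string }
interface Markers {
  complexFiles: MarkedFile[];
  totalFiles: number;
  markedFiles: number;
  estimatedTokensSaved: number;
}

// Each signal contributes its weight at most once per file; the total is capped at 10.
function complexityScore(content: string): { score: number; reasons: string[] } {
  let score = 0;
  const reasons: string[] = [];
  for (const s of SIGNALS) {
    if (s.re.test(content)) {
      score += s.weight;
      reasons.push(s.name);
    }
  }
  return { score: Math.min(10, score), reasons };
}

const CLOUD_THRESHOLD = 5;  // README: files scoring >= 5 are sent to Claude in CI
const CHARS_PER_TOKEN = 4;  // rough token estimate for the "saved" figure (assumption)

function buildMarkers(files: Record<string, string>): Markers {
  const complexFiles: MarkedFile[] = [];
  let tokensSaved = 0;
  for (const [file, content] of Object.entries(files)) {
    const { score, reasons } = complexityScore(content);
    if (score >= CLOUD_THRESHOLD) {
      complexFiles.push({ file, score, reason: reasons.join(" + ") });
    } else {
      // Files the cloud layer never sees are counted as saved tokens.
      tokensSaved += Math.ceil(content.length / CHARS_PER_TOKEN);
    }
  }
  return {
    complexFiles,
    totalFiles: Object.keys(files).length,
    markedFiles: complexFiles.length,
    estimatedTokensSaved: tokensSaved,
  };
}

// Constructed sample repo contents (not from the page).
const SAMPLE_FILES: Record<string, string> = {
  "src/auth/session.ts": [
    'import jwt from "jsonwebtoken";',
    'import { createHmac } from "crypto";',
    "export async function refreshAll(tokens: string[]) {",
    "  return Promise.all(tokens.map((t) => jwt.verify(t, process.env.JWT_SECRET!)));",
    "}",
  ].join("\n"),
  "src/payments/stripe.ts": [
    'import Stripe from "stripe";',
    "export async function charge(customer: string, amount: number) {",
    '  const res = await fetch("https://api.example.com/charges", { method: "POST" });',
    "  return res.json();",
    "}",
  ].join("\n"),
  "src/utils/format.ts": 'export const pad = (n: number) => String(n).padStart(2, "0");',
  "src/styles/theme.ts": 'export const theme = { primary: "#0f766e", radius: "6px" };',
};

function demo(): Markers {
  const markers = buildMarkers(SAMPLE_FILES);
  console.log(JSON.stringify(markers, null, 2));
  return markers;
}

demo();
```

With these inputs the session file scores 8 (auth + crypto + async) and the Stripe client exactly 5 (payment + external API), so both are marked for cloud review while the formatter and theme stay local.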

GitHub Actions CI

The .github/workflows/ci-agent.yml runs 3 parallel jobs on every PR:

  1. Smart AI Review: reads markers.json and sends only the complex files to Claude Sonnet
  2. Security Scan: regex-based secret detection, plus npm audit for known-vulnerable dependencies
  3. Test Coverage: auto-detects Vitest/Jest, runs tests, checks coverage

Since markers.json is produced on the developer's machine, CI is trusting the client to choose the review set; a missing or unexpectedly small markers.json is a reason to fall back to reviewing the full diff rather than to skip the AI review.

# Set in your repo secrets (never commit it)
ANTHROPIC_API_KEY=sk-ant-...

GitHub does not expose repository secrets to workflows triggered by pull requests from forks, so the Smart AI Review job will not have the key on fork PRs.

Configuration

Config auto-created at ~/.git-sentry/config.json:

| Setting | Default | Description |
| --- | --- | --- |
| ollamaUrl | http://localhost:11434 | Ollama API endpoint |
| ollamaModel | qwen2.5-coder:14b | Model for local review |
| scoreThreshold | 6 | Minimum score to allow push (0-10) |
| dashboardPort | 3300 | Web dashboard port |
| wsPort | 3301 | WebSocket port for live updates |
| maxFileSize | 50000 | Skip files larger than this (chars) |

A file skipped for size is unreviewed by the local agents, so read skips in the output as a coverage gap rather than a pass.

Tech Stack

| Component | Technology |
| --- | --- |
| CLI | TypeScript, Commander, simple-git, chalk, log-update |
| LLM (local) | Ollama API, Qwen2.5-Coder 14B on RTX 4090 |
| LLM (cloud) | Anthropic Claude Sonnet API |
| Agents | Fan-out/fan-in with Promise.all, structured LLM prompts |
| Storage | SQLite with WAL mode (better-sqlite3) |
| Real-time | WebSocket (ws library) |
| Dashboard | Next.js 15, React 19, Tailwind CSS 4 |
| CI/CD | GitHub Actions (3 parallel jobs) |
| Monorepo | npm workspaces + Turborepo |

Project Structure

git-sentry/
├── cli/                          # CLI tool
│   └── src/
│       ├── cli.ts                # Entry point, command routing
│       ├── orchestrator.ts       # Agent orchestration (Promise.all fan-out)
│       ├── git.ts                # Git operations (simple-git)
│       ├── types.ts              # Zod schemas + shared types
│       ├── agents/
│       │   ├── base.ts           # Abstract BaseAgent (LLM + progress)
│       │   ├── reviewer.ts       # Code Reviewer Agent
│       │   ├── security.ts       # Security Scanner (dual-phase)
│       │   ├── test-gap.ts       # Test Gap Analyzer
│       │   ├── gatekeeper.ts     # Deploy Gatekeeper (zero-tolerance)
│       │   └── complexity.ts     # Complexity Analyzer (markers.json)
│       ├── llm/
│       │   ├── ollama.ts         # Ollama client (local)
│       │   └── claude.ts         # Claude client (cloud)
│       ├── store/db.ts           # SQLite review storage
│       ├── server/ws.ts          # WebSocket server
│       └── ui/terminal.ts        # Terminal progress UI
├── dashboard/                    # Next.js web dashboard
│   ├── app/
│   │   ├── page.tsx              # Overview + analytics
│   │   ├── live/page.tsx         # Real-time agent pipeline
│   │   ├── reviews/page.tsx      # Review history
│   │   └── guide/                # Usage guide, CI/CD, demo playbook
│   ├── components/               # Score badges, review cards, feeds
│   └── lib/                      # Types, hooks, SQLite reader
├── scripts/
│   └── seed-db.ts                # Seed realistic review data
├── docs/
│   ├── architecture.md           # System architecture
│   ├── agents.md                 # Agent design patterns
│   ├── interview-guide.md        # Interview talking points
│   └── screenshots/              # Dashboard screenshots
├── .github/workflows/
│   └── ci-agent.yml              # GitHub Actions CI pipeline
└── README.md

How It Works (Technical Deep Dive)

1. Agent Orchestration

Each agent extends BaseAgent with a standardized review(files, diff) interface. The orchestrator runs agents in parallel using Promise.all(), broadcasting progress via WebSocket to the dashboard.

2. Structured LLM Prompts

Prompts force the model to output findings in a parseable format:

SEVERITY|filepath:line|description|suggestion

The parseFindings() method extracts these with a line-oriented regex, so a model that adds chatter or one malformed line does not break parsing the way invalid JSON would. The format does not stop the model from inventing findings, though: a path or line number that is not in the reviewed diff should be rejected rather than reported.
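An added example of a parser for this format; it is not the project's parseFindings(). It tolerates surrounding chatter and whitespace, reports malformed lines instead of silently dropping them, and rejects findings that reference a file outside the reviewed set or a line beyond that file's length. The sample model output and the reviewed-file map are constructed for the example.

```typescript
// Added example (not git-sentry's parseFindings()): parse SEVERITY|filepath:line|description|suggestion
// from raw model output and validate each finding against the files actually under review.
// SAMPLE_MODEL_OUTPUT and REVIEWED are constructed inputs.

type Severity = "critical" | "warning" | "info";

interface ParsedFinding {
  severity: Severity;
  file: string;
  line: number;
  description: string;
  suggestion: string;
}

interface ParseResult { findings: ParsedFinding[]; rejected: string[] }

// Severity is matched case-insensitively; the file part is taken lazily so "path:line" splits correctly.
const FINDING_RE = /^\s*(CRITICAL|WARNING|INFO)\s*\|\s*([^|]+?):(\d+)\s*\|\s*([^|]*)\|\s*(.*)$/i;

// `reviewed` maps each file in the diff to its line count, which bounds valid line numbers.
function parseFindings(raw: string, reviewed: Map<string, number>): ParseResult {
  const findings: ParsedFinding[] = [];
  const rejected: string[] = [];
  for (const line of raw.split("\n")) {
    if (!line.includes("|")) continue; // prose chatter around the findings
    const m = FINDING_RE.exec(line);
    if (!m) {
      rejected.push(`malformed: ${line.trim()}`);
      continue;
    }
    const [, sev, rawFile, lineStr, desc, sugg] = m;
    const file = rawFile.trim();
    const lineNo = Number(lineStr);
    const lineCount = reviewed.get(file);
    if (lineCount === undefined) {
      rejected.push(`unknown file: ${file}`); // the model "reviewed" something not in the diff
      continue;
    }
    if (lineNo < 1 || lineNo > lineCount) {
      rejected.push(`line out of range: ${file}:${lineNo}`);
      continue;
    }
    findings.push({
      severity: sev.toLowerCase() as Severity,
      file,
      line: lineNo,
      description: desc.trim(),
      suggestion: sugg.trim(),
    });
  }
  return { findings, rejected };
}

// Constructed model output: three good lines, one unknown file, one bad line number, one malformed line.
const SAMPLE_MODEL_OUTPUT = `
Here are my findings for the diff:

CRITICAL|src/demo-vuln.ts:9|SQL query built with a template literal|Use parameterized queries
WARNING|src/demo-vuln.ts:5|Hardcoded API key|Read it from process.env
INFO | src/demo-vuln.ts:1 | Unused import | Remove it
critical|src/payments/refund.ts:12|Refund amount not validated|Check amount <= original charge
CRITICAL|src/demo-vuln.ts:900|Missing auth check|Add middleware
WARNING|src/demo-vuln.ts|Missing line number|n/a
Let me know if you want more detail.
`;

// Only one file was in the diff, and it is 40 lines long (constructed).
const REVIEWED = new Map<string, number>([["src/demo-vuln.ts", 40]]);

function demo(): ParseResult {
  const result = parseFindings(SAMPLE_MODEL_OUTPUT, REVIEWED);
  for (const f of result.findings) console.log(`${f.severity} ${f.file}:${f.line} ${f.description}`);
  for (const r of result.rejected) console.log(`rejected -> ${r}`);
  return result;
}

demo();
```

Three findings survive; the refund.ts line, the line-900 finding and the line without a number are reported as rejected so they can be logged as model noise instead of surfacing as review results.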

3. Two-Layer Token Optimization

Local Ollama catches most issues at no API cost (the project estimates ~80%). A Complexity Analyzer scores each file (0-10) from weighted signals (auth +3, payment +3, crypto +3, async +2, database +2, external APIs +2). Only files scoring >= 5 are sent to Claude in CI, which the project estimates saves ~75% of API cost.

4. Graceful Degradation

If Ollama is offline, files stage/push normally; Security Scanner Phase 1 (regex) still runs without the LLM, so infrastructure problems never block the developer workflow. This is a fail-open design: an outage (or a developer stopping Ollama) skips the LLM review entirely, so the CI layer rather than the local hook is the enforcement point, and a degraded local run should be reported visibly rather than displayed as a pass.


License

MIT

Author

Deepak Singh Kandari (github.com/aptsalt)
