CodeRabbit GitHub builts AI code review agent with Cloud Run

CodeRabbit GitHub

CodeRabbit, a fast-growing AI code review platform, uses Google Cloud execute to safely execute untrusted code and cut code review time and mistakes in half.

CodeRabbit automates code reviews and improves code quality by comparing changes to the whole codebase and creating scripts for deeper analysis. Code hosting integration handles pull requests automatically.

To securely execute untrusted code, CodeRabbit needed a scalable, inexpensive, and secure execution environment to evaluate and run its clients' code.

You'll see how CodeRabbit utilised Google Cloud Run to construct an AI code review agent that can scale dynamically and safely manage massive amounts.

CodeRabbit integrates directly to GitHub and GitLab to automate pull request-triggered code reviews. Its interface with fundamental models analyses the whole change's impact, not just the updated files. This requires a sophisticated system that:

Clone the user's repository.

Install build environment requirements (npm install, go mod download, etc.).

Static analysis with 20+ linters and security scanners.

Run AI programs. Now things get really interesting. CodeRabbit's AI agent develops shell scripts to read the code, find patterns (using cat, grep, and ast-grep), and extract relevant information. Python code can be generated for analysis.

Use outside services. CodeRabbit generates and runs curl instructions to interact with Slack, Jira, and Linear.

Any solution must be safe, inexpensive, and scalable. By definition, analysed and run code is unreliable. It may have problems, be incomplete, or be dangerous.

The answer: Cloud Run

CodeRabbit seamlessly integrates many technologies to create a reliable and isolated execution environment:

Cloud Run services underpin CodeRabbit. First, a lightweight Cloud Run service validates subscriptions and invoicing and handles GitHub, GitLab, etc. webhook events. This service pushes a task to Google Cloud Tasks.

Google Cloud tasks: Serving as a queue isolates webhook handling from code execution. CodeRabbit now handles pull request surges without overloading.

The core of the system is Cloud Run execution service. Another Cloud Run service pulls tasks from Cloud Tasks. Every job requests code review. A 3600-second request timeout and 8 requests per instance allow this service to grow with CPU use. This setup is necessary since code reviews take 10–20 minutes. The Execution Service's in-memory volume mount holds the repository, build artefacts, and temporary files.

Sandboxing: A separate service identity lets you give all Cloud Run instances minimum IAM privileges. Both sandboxing levels are applied to all instances. CodeRabbit employs Cloud Run's second-generation Linux cgroup-capable microVM. CodeRabbit uses cgroups to restrict jailed processes and Jailkit to isolate processes within Cloud Run instances.

CodeRabbit prioritises sandboxing while running untrusted code, such as:

Rubocop and ESLint accept unique, unstable plugins.

LLM verification programs for codebase-wide analysis.

LLM CLI tasks like Jira or GitHub problem creation.

Python-based advanced analysis.

CodeRabbit scales dynamically using Cloud Run. During peak hours, over 200 Cloud Run computers submit 10 queries per second to CodeRabbit's Agentic PR Reviewer. Each big Cloud Run instance utilises 32GiB RAM and 8vCPUs. CodeRabbit's PR reviewer service on Cloud Run uses a lot of CPU, memory, and network traffic (downloading repositories and dependencies).

Try it yourself

CodeRabbit's use of Google Cloud Run shows how to build a secure, scalable, and affordable AI-powered code analysis platform. Their experience shows serverless technologies' promise, and their design can help developers solve similar difficulties. Cloud Run constantly adding features.