Overview
Gitar is an AI code review and CI fixing agent that works directly in your PR interface. It reads your code changes, analyzes CI failures, reviews for bugs and security issues, and pushes fixes — all without leaving the pull request. This page explains the internals: what data Gitar accesses, how it processes changes, and what guarantees it provides around privacy and safety.
What Context Gitar Sees
When Gitar processes a PR, it pulls context in two ways: a baseline that is always loaded, and on-demand lookups the agent performs when it needs more information.
Baseline context
- The diff (changed lines)
- Full contents of files touched by the diff
- CI logs (when CI fails)
- Repository rules (.gitar/rules/*.md)
- Custom review instructions (.gitar/review/*.md)
- AI instruction files (AGENTS.md, CLAUDE.md, .cursorrules, .cursor/rules/*)
- PR title, description, and comment history
- Linked issue context from Jira or Linear (when integrated)
On-demand, when the agent needs it
- Reads related files in the repo to understand callers, types, or config the diff depends on
- Greps or globs across the repo to find usages and patterns
- Runs read-only shell commands to inspect project structure
- Spawns a dedicated explorer sub-agent for deeper investigation on complex changes
- Pulls learned codebase knowledge from previous scans (conventions, architectural patterns)
Gitar does not read:
- Other branches
- Deployment configurations or infrastructure state
- Secrets or environment variables
- Files outside the repository being reviewed
Code Review Process
Gitar reviews code changes through multiple specialized lenses:
- Security: Vulnerabilities, unsafe patterns, input validation issues
- Bugs: Logic errors, null pointer risks, unhandled edge cases
- Performance: Algorithm complexity, database query patterns, memory usage
- Code quality: Readability, maintainability, adherence to best practices
Custom review instructions (.gitar/review/*.md) let you tailor what Gitar looks for in your specific codebase. See Repository Configuration for details.
CI Failure Fixing
When CI fails on a PR, Gitar:
- Reads the full CI log output across all jobs and steps
- Identifies the failing step and extracts relevant error messages
- Determines the root cause by cross-referencing errors with the code diff
- Pushes a fix commit to the branch
| Failure Type | Examples |
|---|---|
| Build errors | Compilation failures, missing imports, type errors |
| Test failures | Broken assertions, missing setup, incorrect expected values |
| Linting errors | Code style violations, formatting issues, static analysis warnings |
| Flaky tests | Race conditions, timing issues, non-deterministic behavior |
Data Flow and Privacy
Gitar processes code in ephemeral, Gitar-managed containers with strong privacy guarantees:
- Where code is processed: Ephemeral containers destroyed after each task
- Data retention: Zero — no source code stored beyond ephemeral processing
- AI provider agreements: Zero data retention with all providers (Google, Anthropic)
- Bring Your Own Model: Enterprise customers can route LLM calls through their own Anthropic API key
What Gitar Does NOT Do
- Does not store your code — processing is ephemeral with zero retention
- Does not train on your code — zero data retention agreements with all AI providers
- Does not force-push — all changes are new commits
- Does not merge PRs/MRs by default — merging only happens when you explicitly enable Auto-Merge, which relies on your code host’s native merge and your branch protection rules
- Does not access repositories it isn’t connected to — the agent is scoped to the repository being reviewed
- Does not access secrets or environment variables — processing environments are isolated from credentials