You push your code, open a pull request, and wait. Hours later, your teammate drops a comment: "Hey, you left an API key in line 42."
Your stomach sinks. You scroll down, and there it is api_key = "sk-live-abc123" , sitting right there in plain sight. How did you miss that?
This happened to me one too many times. Hardcoded secrets. SQL injection vulnerabilities. Code that worked but violated every guideline in our company docs. The worst part? We had a 30-page coding standards document that nobody actually checked against.
So I built CreoGuard - a hackathon project that turned into something actually useful.
The Problem Nobody Talks About
Code review is broken. Not the concept - the execution.
Here's what happens in most teams:
Developer writes code for 3 days
Opens a PR on Friday afternoon
Reviewer glances at it on Monday morning (200+ lines changed)
Catches maybe 60% of the issues
Back-and-forth comments for 2 more days
Code finally merges with some issues still lurking
The feedback loop is too slow. By the time someone spots a security vulnerability, the developer has moved on to three other tasks. Context is lost. Frustration builds.
And those company guidelines? The ones someone spent weeks writing? They collect dust in a Notion page nobody opens.
I needed two things:
Catch issues before they become PR comments (save the embarrassment)
Actually enforce coding standards (make the guidelines useful)
My Approach: Two Layers of Defense
I didn't want another linting tool that screams about missing semicolons. I wanted something that understands context - something that could read actual guidelines and apply them intelligently.
So I built CreoGuard with two components:
Layer 1: CreoGuard CLI (Pre-commit)
This runs locally, before you even commit. Think of it like a spell-checker for your code.
You see the problem immediately. No PR needed. No teammate's time wasted. Just you and your code.
Layer 2: CreoGuard App (GitHub Integration)
But what if something slips through? Or what if someone skips the pre-commit hook?
That's where the GitHub App comes in. It watches every pull request across your organization and reviews them automatically.
When someone opens a PR, CreoGuard:
Reads the code changes
Checks them against your company guidelines (yes, that PDF nobody reads)
Posts a review comment with specific issues and fixes
Sets a status check (green checkmark or red X)
The review shows up in seconds, not hours. And it never misses a day, never gets tired, and never forgets what's in your guidelines.
How I Actually Built It
Let me walk you through the technical bits. Nothing fancy here - just practical choices that work.
The GitHub App
I went with a GitHub App instead of a simple webhook + personal token. Why?
Personal Token
GitHub App
Comments as "you"
Comments as "CreoGuard[bot]"
Manual setup per repo
Install once for the entire org
Your rate limits
Higher rate limits
Token in your name
Dedicated bot identity
The app is a Flask server that listens for webhook events:
@app.route("/webhook", methods=["POST"])defgithub_webhook():
event_type = request.headers.get("X-GitHub-Event")
if event_type == "pull_request":
action = payload.get("action")
if action in ["opened", "synchronize", "reopened"]:
process_pull_request(payload)
return jsonify({"status": "ok"})
When a PR opens, the flow is:
Fetch the diff from GitHub
Pull relevant sections from the guidelines (more on this below)
Send it to GPT-4 for analysis
Post the review as a comment
Set the commit status
Simple flow. No magic.
Making Guidelines Actually Useful (RAG)
Here's where it gets interesting.
Most companies have some PDF or doc with coding standards. Nobody reads the whole thing before writing code. But what if the AI could?
I use RAG (Retrieval-Augmented Generation) to make this work:
Load the PDF - Parse it into text chunks
Create embeddings - Turn each chunk into a vector using OpenAI embeddings
Store in FAISS - A vector database for fast similarity search
Query at review time - When reviewing code, find the 5 most relevant guideline sections
So when someone writes authentication code, CreoGuard doesn't send all 30 pages to GPT-4. It sends just the sections about authentication, password handling, and session management.
defsearch_relevant_guidelines(self, code_diff: str, k: int = 5):# Find guidelines sections most relevant to this code
docs = self.vector_store.similarity_search(code_diff, k=k)
return"\n\n".join([doc.page_content for doc in docs])
This keeps the AI focused and the responses relevant.
The CLI Tool
The CLI is where "shift-left" actually happens. I integrated it with git hooks (like Husky) so it runs automatically.
Key design decisions:
BYOK (Bring Your Own Key) - You use your own OpenAI/Anthropic key. No data goes through external servers.
Works offline with Ollama - For teams with strict data policies, run everything locally.
Git-provider agnostic - Works with GitHub, GitLab, Bitbucket. The CLI doesn't care where your repo is hosted.
Configurable strictness - Block commits on critical issues, warn on minor ones.
# .creoguard.ymlseverity:security:block# Always block security issuesperformance:warn# Just warn about performancestyle:ignore# Don't bother with style (let Prettier handle it)guidelines:-./docs/coding-standards.pdf-./docs/security-policy.md
Real Examples
Let's see CreoGuard in action with actual vulnerable code.
Input: Vulnerable Code
password = "admin123"
api_key = "sk-secret-key-12345"defget_user(user_id):
query = "SELECT * FROM users WHERE id = " + user_id
return query
deflogin(username, password):
query = f"SELECT * FROM users WHERE username = '{username}'"return query
eval(input("Enter command: "))
Output: CreoGuard Review
The developer sees exactly what's wrong, where it is, and how to fix it. No guessing.
Lessons from Building This
1. Fast feedback beats thorough feedback
My first version tried to catch everything - security, performance, style, documentation, and test coverage. Reviews took 30+ seconds and had 20 comments.
Too much noise. I dialed it back to focus on the critical stuff: security vulnerabilities and logic errors. Let ESLint handle the semicolons.
2. The PDF guidelines feature was worth the effort
I almost skipped the RAG feature. "Nobody will upload a PDF," I thought.
But then I realized every team I've worked with has some document with coding standards sitting somewhere. The RAG feature turns these dusty documents into living, enforced rules. That's where the real value is.
3. Pre-commit beats PR review
Catching issues before committing changes to the entire experience. You fix problems in seconds, not days. No embarrassment. No waiting for reviews. Just immediate feedback while the code is still fresh in your mind.
4. Make the bot's comments helpful, not annoying
Early versions left comments like: "This code has issues."
Useless. I rewrote the prompts to be specific:
What file and line
What type of issue
Why it's a problem
How to fix it (with code)
The goal: a developer should be able to fix the issue without asking any follow-up questions.
What's Next
This started as a hackathon project, but there's more I want to build:
Auto-fix PRs - One-click button to apply suggested fixes. CreoGuard commits the fix directly to your branch. (Already working on this!)
Learning from feedback - If you dismiss a suggestion multiple times, CreoGuard learns that your team doesn't care about that rule.
IDE extension - Real-time feedback as you type, not just at commit time.
Analytics dashboard - Track code quality trends. See which issues come up most. Identify training opportunities.
Self-hosted option - For enterprises that can't send code to external APIs.
Try It Yourself
CreoGuard comes in two flavors - pick what works for you:
GitHub App (PR Reviews)
Install it in your organization, and it starts reviewing PRs immediately.
# For OpenAI
creoguard config set provider openai
creoguard config set apiKey sk-your-openai-key
# Or use Ollama for free, local AI
creoguard config set provider ollama
Initialize in your project:
cd your-project
creoguard init
Now every commit is automatically reviewed. Or run it manually:
creoguard review --staged
Wrapping Up
Code review shouldn't be painful. It shouldn't take days. And your coding guidelines shouldn't be a document nobody reads.
CreoGuard doesn't replace human reviewers; it handles the tedious parts so humans can focus on architecture, logic, and design decisions. The stuff that actually needs human judgment.
If you're tired of catching hardcoded secrets in PR reviews, give it a shot.
We at CreoWis believe in sharing knowledge publicly to help the developer community grow. Let’s collaborate, ideate, and craft passion to deliver awe-inspiring product experiences to the world.
This article is crafted by Syket Bhattachergee, a passionate developer at CreoWis. You can reach out to him on X/Twitter, LinkedIn, and follow his work on the GitHub.
