How can we create a (mostly) safe environment for running LLM-based code review? Amid the hype around AI, security concerns are easily forgotten. The aim of this POC project was to build a secure context in which LLMs can be used for code reviews, with the goal of reviewing code that is proprietary but untrusted. The main concerns were prompt injection and the exfiltration of data or code.
The result was a pull request review orchestrator with a small Express/SQLite control UI. For each review it creates an isolated Docker setup with separate containers for code review, infrastructure access via MCP and limited web access via proxy.
This project focuses on the execution boundary around automated code review. Each pull request is processed inside a short-lived Docker Compose setup with clearly separated responsibilities and restricted network paths.
| Container | Responsibility | Can access |
|---|---|---|
| Review | Runs the review prompt and analyzes the checked-out PR changes | Local repo copy, MCP provider, proxy |
| MCP | Provides limited (whitelisted) infrastructure operations such as reading existing review comments and posting findings | Selected infrastructure endpoints |
| Proxy | Controls the review container's internet access via explicit whitelists | Whitelisted external hosts |
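The following Docker Compose file is an added illustration of the network layout in the table above; it is not the project's own compose file. Image names, ports, environment variables, the allowlist path and the secret name are assumptions. The point it shows is that the review container sits only on an `internal` network, so its sole way out is the proxy (for web access) or the MCP container (for infrastructure operations).

```yaml
# Added example, not the project's compose file. Image names, ports and
# env vars are assumed. One such stack is started per pull request and
# torn down afterwards.
networks:
  review_net:
    internal: true     # no default route to the outside; review can only talk to mcp and proxy
  egress_net: {}       # regular bridge with internet access; only proxy and mcp join it

secrets:
  forge_token:
    file: ./secrets/forge_token   # only the MCP container ever sees this credential

services:
  review:
    image: review-agent:local            # assumed image running the review prompt
    networks: [review_net]               # internal network only: no direct egress
    environment:
      HTTP_PROXY: http://proxy:3128      # every outbound HTTP(S) request must use the proxy
      HTTPS_PROXY: http://proxy:3128
      NO_PROXY: mcp                      # MCP is reached directly on review_net
      MCP_URL: http://mcp:8080
    volumes:
      - ./workspace/pr-1234:/workspace:ro   # checked-out PR changes, read-only
    read_only: true                      # root filesystem immutable; scratch space below
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]

  mcp:
    image: mcp-provider:local            # assumed image exposing only whitelisted tools
    networks: [review_net, egress_net]   # reachable by review; may reach infrastructure
    environment:
      ALLOWED_TOOLS: list_review_comments,post_review_comment   # assumed tool whitelist
      ALLOWED_ENDPOINTS: https://forge.example.internal/api     # assumed endpoint whitelist
    secrets: [forge_token]
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]

  proxy:
    image: forward-proxy:local           # assumed allowlisting forward proxy
    networks: [review_net, egress_net]   # bridges the internal network to the internet
    volumes:
      - ./proxy/allowlist.txt:/etc/proxy/allowlist.txt:ro   # explicit host whitelist
    cap_drop: [ALL]
    security_opt: [no-new-privileges:true]
```

Because `review_net` is marked `internal`, a prompt-injected instruction to fetch or post to an arbitrary host fails at the network layer unless the proxy allowlist or the MCP tool whitelist permits it, which keeps exfiltration paths enumerable and auditable.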