Cloud Blog: 50% faster merge and 50% fewer bugs: How CodeRabbit built its AI code review agent with Google Cloud Run

Source URL: https://cloud.google.com/blog/products/ai-machine-learning/how-coderabbit-built-its-ai-code-review-agent-with-google-cloud-run/
Source: Cloud Blog
Title: 50% faster merge and 50% fewer bugs: How CodeRabbit built its AI code review agent with Google Cloud Run

Feedly Summary: CodeRabbit, a rapidly growing AI code review tool, is leveraging Google Cloud Run to cut code review time and bugs in half by safely and efficiently executing untrusted code. 
CodeRabbit improves code quality and automates code reviews by analyzing changes against the entire codebase and generating scripts for deeper analysis. It integrates with code hosting platforms to provide automated feedback on pull requests.
To safely execute untrusted code, CodeRabbit needed an execution environment that was scalable, cost-effective, and secure enough to analyze and run their customers’ code.
In this post, we’ll share how CodeRabbit built an AI code review agent with Google Cloud Run to scale dynamically and handle high volumes efficiently and securely.

CodeRabbit in Action

CodeRabbit integrates directly with platforms like GitHub and GitLab, providing automated code reviews triggered by pull requests. Its integration with foundation models doesn’t just analyze the changed files; it assesses the impact of those changes on the entire codebase. This requires a sophisticated system that can:

Clone the user’s repository.

Set up a build environment with necessary dependencies (think npm install, go mod download, etc.).

Run static analysis tools including 20+ linters and security scanners.

Execute AI-generated scripts. This is where things get really interesting. CodeRabbit’s AI agent creates shell scripts to navigate the code, search for specific patterns (using tools like cat, grep, and even ast-grep), and extract relevant information. It can even generate Python code for analysis.

Interact with external services. CodeRabbit can also perform actions by generating and executing curl commands, for example to interface with services like Slack, Jira and Linear.

This solution needs to be scalable, cost-effective, and above all, secure. The code being analyzed and executed is, by definition, untrusted. It could be incomplete, buggy, or even contain malicious intent.
The solution: Cloud Run

CodeRabbit Architecture: Powered by Cloud Run

CodeRabbit’s architecture cleverly combines several technologies to create a robust and isolated execution environment:

Cloud Run services: CodeRabbit uses Cloud Run services as the foundation. Incoming webhook events (from GitHub, GitLab, etc.) are first handled by a lightweight Cloud Run service that performs billing and subscription checks. This service then pushes a task to Google Cloud Tasks.

Google Cloud Tasks: This acts as a queue, decoupling the webhook handling from the actual code execution. This allows CodeRabbit to handle bursts of pull requests without overwhelming the system.

Cloud Run execution service: This is the heart of the system. A separate Cloud Run service receives the tasks that Cloud Tasks dispatches from the queue as HTTP requests; each task represents one code review request. The service is configured with a 3,600-second request timeout (the Cloud Run maximum) and a concurrency of 8 requests per instance, and it scales out on CPU utilization. This setup is crucial because code reviews are long-running operations, often taking 10-20 minutes to complete. The execution service uses an in-memory volume mount where the entire repository, build artifacts, and temporary files are stored; files written to such a volume count against the instance’s memory limit, so the volume has to be sized together with the instance.

Sandboxing: All Cloud Run instances are sandboxed with two layers of sandboxing and can be given minimal IAM permissions by running under a dedicated service account (service identity). In addition, CodeRabbit is leveraging Cloud Run’s second-generation execution environment, which runs each instance in a microVM with full Linux compatibility, including cgroups. Within each Cloud Run instance, CodeRabbit uses Jailkit to run untrusted work in chrooted, unprivileged processes and cgroups to further restrict the resources and privileges of the jailed process.
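The first two hops of that architecture (webhook service verifies and filters the event, then hands it to Cloud Tasks, which calls the execution service) are where two easy-to-miss security checks live: the webhook HMAC must be verified before anything in the payload is trusted, and the execution service should accept calls only from the queue’s service account via an OIDC token. The following is an added example that sketches both; it is not CodeRabbit’s or Google’s code. Project, queue, URL and service-account values are placeholders, the Cloud Tasks API call itself is left out so the block runs offline, and the task is built in the REST shape of a Cloud Tasks Task resource (camelCase field names), which is what you would POST to the queue or map onto the client library’s own field names.

```python
"""Webhook intake for a PR-review pipeline: verify, filter, enqueue (added example)."""
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, Optional, Tuple

PROJECT, LOCATION, QUEUE = "example-project", "us-central1", "pr-reviews"   # placeholders
EXEC_URL = "https://review-exec-abc123-uc.a.run.app/review"                # execution service (placeholder)
INVOKER_SA = "review-queue@example-project.iam.gserviceaccount.com"         # queue's identity (placeholder)
# Cloud Tasks HTTP targets: dispatchDeadline defaults to 10 min and is capped at 30 min.
# A 60-minute Cloud Run request timeout does not raise this cap; a review that needs
# more than 30 min must ack the task early and continue detached, or be split into tasks.
MIN_DEADLINE_S, MAX_DEADLINE_S = 15, 1800
REVIEW_ACTIONS = {"opened", "reopened", "synchronize"}


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Validate X-Hub-Signature-256 over the raw body with a constant-time compare."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def sign_github_body(secret: bytes, body: bytes) -> str:
    """Produce the header GitHub would send; used here to construct test deliveries."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_review_task(delivery_id: str, body: bytes, deadline_s: int = MAX_DEADLINE_S) -> dict:
    """Cloud Tasks HTTP task targeting the execution service.

    - name: derived from the webhook delivery id, so a redelivered webhook collides with the
      existing task (ALREADY_EXISTS) instead of starting a second review of the same PR event.
    - oidcToken: Cloud Tasks mints an ID token as INVOKER_SA; deploy the execution service
      without unauthenticated access and grant roles/run.invoker on it only to that account.
    """
    task_id = re.sub(r"[^A-Za-z0-9_-]", "_", delivery_id)[:500]  # allowed task-id charset/length
    deadline_s = max(MIN_DEADLINE_S, min(int(deadline_s), MAX_DEADLINE_S))
    return {
        "name": f"projects/{PROJECT}/locations/{LOCATION}/queues/{QUEUE}/tasks/{task_id}",
        "dispatchDeadline": f"{deadline_s}s",
        "httpRequest": {
            "httpMethod": "POST",
            "url": EXEC_URL,
            "headers": {"Content-Type": "application/json"},
            "body": base64.b64encode(body).decode("ascii"),
            "oidcToken": {"serviceAccountEmail": INVOKER_SA, "audience": EXEC_URL},
        },
    }


def task_request_body(task: dict) -> bytes:
    """What the execution service receives as the request body (inverse of build_review_task)."""
    return base64.b64decode(task["httpRequest"]["body"])


def handle_webhook(headers: Dict[str, str], body: bytes, secret: bytes) -> Tuple[int, Optional[dict]]:
    """Return (HTTP status to send GitHub, task to enqueue or None).

    The signature is checked before the body is parsed or any other header is trusted.
    The billing/subscription checks mentioned in the post are app-specific and omitted.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not verify_github_signature(secret, body, h.get("x-hub-signature-256")):
        return 401, None
    if h.get("x-github-event") != "pull_request":
        return 204, None
    try:
        event = json.loads(body)
    except ValueError:
        return 400, None
    if event.get("action") not in REVIEW_ACTIONS:
        return 204, None
    delivery = h.get("x-github-delivery")
    if not delivery:
        return 400, None
    return 202, build_review_task(delivery, body)
```

The webhook handler returns quickly (202) because the review itself is done by the execution service; the queue, not the webhook service, absorbs bursts. Using the delivery id as the task name is what makes GitHub’s automatic redeliveries idempotent.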

Sandboxing is especially critical for CodeRabbit in scenarios where untrusted code must be executed, such as:

Static analyzers that support custom, untrusted plugins (e.g., ESLint, RuboCop)

LLM-generated verification scripts for deeper analysis of the entire codebase

LLM-generated CLI actions, such as opening GitHub or Jira issues

Python-based advanced analyses
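What the jail has to contain is shown by the list above: a generated script may loop forever, allocate without bound, flood the reviewer with output, or read whatever secrets the runner process holds. The post describes Jailkit plus cgroups for this, which need root and a prepared chroot tree. As an added example, not CodeRabbit’s code, the block below applies the process-level controls an unprivileged runner on Linux has: rlimits set between fork and exec (with their cgroup v2 counterparts noted in comments), a scrubbed environment, a throwaway working directory, capped output, and a wall-clock timeout that SIGKILLs the whole process group so grandchildren die too. It deliberately does not claim what it cannot do: rlimits neither block network egress nor hide the rest of the filesystem, which is exactly what the chroot (Jailkit) layer and Cloud Run’s egress controls are for. The `REVIEW_DEMO_TOKEN` planted by `demo_environment_scrub` is a constructed value.

```python
"""Process-level containment for LLM-generated analysis scripts (added example, Linux)."""
import os
import resource
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

MiB = 1024 * 1024


@dataclass
class RunResult:
    status: str              # "ok", "error" or "timeout"
    returncode: Optional[int]
    stdout: str
    stderr: str


def _trunc(raw: bytes, limit: int) -> str:
    """Decode child output and cap it so a hostile script cannot flood the reviewer."""
    text = raw.decode("utf-8", errors="replace")
    return text if len(text) <= limit else text[:limit] + "...[truncated]"


def run_confined(argv: List[str], *, timeout_s: float = 30.0, mem_limit: int = 1024 * MiB,
                 cpu_s: int = 10, max_output: int = 64 * 1024) -> RunResult:
    """Run argv in a fresh temp dir with rlimits, a minimal env and a wall-clock limit."""
    with tempfile.TemporaryDirectory(prefix="review-") as work:
        # Scrubbed environment: the child must not inherit API tokens or cloud credentials.
        env = {"PATH": "/usr/bin:/bin", "HOME": work, "TMPDIR": work, "LANG": "C.UTF-8"}

        def confine() -> None:
            # Runs in the child between fork() and exec(); cgroup v2 equivalents in comments.
            resource.setrlimit(resource.RLIMIT_AS, (mem_limit, mem_limit))    # memory.max
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_s, cpu_s + 1))        # cpu.max (roughly)
            resource.setrlimit(resource.RLIMIT_FSIZE, (64 * MiB, 64 * MiB))    # no giant files
            resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                   # no core dumps

        proc = subprocess.Popen(
            argv, cwd=work, env=env,
            stdin=subprocess.DEVNULL, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            preexec_fn=confine,        # fine here: the runner is single-threaded when it forks
            start_new_session=True,    # own session/process group, so killpg() reaches children
        )
        try:
            out, err = proc.communicate(timeout=timeout_s)
            status = "ok" if proc.returncode == 0 else "error"
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)   # kill the whole group, not just the leader
            out, err = proc.communicate()
            status = "timeout"
        return RunResult(status, proc.returncode, _trunc(out, max_output), _trunc(err, max_output))


def run_untrusted_python(script: str, **limits) -> RunResult:
    """Run a generated Python snippet in isolated mode (-I ignores PYTHON* vars and cwd on sys.path)."""
    return run_confined([sys.executable, "-I", "-c", script], **limits)


def demo_environment_scrub() -> str:
    """Plant a constructed secret in the parent and show the child cannot read it."""
    os.environ["REVIEW_DEMO_TOKEN"] = "constructed-not-a-real-secret"
    r = run_untrusted_python('import os; print(os.environ.get("REVIEW_DEMO_TOKEN", "<absent>"))')
    return r.stdout.strip()


if __name__ == "__main__":
    print(demo_environment_scrub())                                                  # <absent>
    print(run_untrusted_python("while True: pass", timeout_s=1.0).status)            # timeout
    print(run_untrusted_python("bytearray(4 * 1024**3)", mem_limit=512 * MiB).status)  # error
```

The same `run_confined` wrapper works for the shell and `curl` commands the post mentions; only the argv changes. For those, the network is the part rlimits cannot touch, so the allow-list of destinations (Slack, Jira, Linear) has to be enforced outside the process, at the jail or VPC egress layer.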

[Figure: code verification output from an analysis chain that ran in a Cloud Run sandbox]

CodeRabbit’s use of Cloud Run allows it to scale dynamically. During peak hours, CodeRabbit’s Agentic PR Reviewer service receives up to 10 requests/second, served by over 200 Cloud Run instances. Each Cloud Run instance is fairly bulky and uses 8 vCPUs and 32 GiB of memory. CodeRabbit sees high CPU utilization, significant network traffic (downloading repositories and dependencies), and high memory usage when powering their PR reviewer service with Cloud Run.

Cloud Run instances powering CodeRabbit

Try this on your own
CodeRabbit’s use of Google Cloud Run is a compelling example of how to build a secure, scalable, and cost-effective platform for running AI-powered code analysis. Their architecture provides a blueprint for developers tackling similar challenges, and their experience highlights the evolving capabilities of serverless technologies. We’re excited to see how their platform advances as Cloud Run continues to add new features.
Learn more about developing, deploying and hosting AI agents on Cloud Run, watch the “Build AI Agents on Cloud Run” Cloud Next ’25 session featuring CodeRabbit, and give CodeRabbit a try.

AI Summary and Description: Yes

**Summary:** CodeRabbit, an AI code review tool, employs Google Cloud Run to efficiently execute untrusted code and automate code reviews. Utilizing scalable and secure architectures, CodeRabbit minimizes bugs while providing deep insights into code quality through integrations with platforms like GitHub and GitLab.

**Detailed Description:**

CodeRabbit’s innovative use of Google Cloud Run to facilitate AI-driven code reviews presents significant advancements in both AI security and software development practices. Key points include:

– **Automated Code Review and Quality Improvement:** CodeRabbit enhances code quality by executing thorough analyses against entire codebases and automating the code review process based on pull requests from integrated platforms like GitHub and GitLab.

– **Safe Execution of Untrusted Code:** Recognizing the risks associated with running untrusted code, CodeRabbit focuses on a secure execution environment characterized by:
– **Scalability and Cost-Effectiveness:** The system dynamically accommodates varying workloads and ensures operational cost efficiency.
– **Security Features:** The platform employs sandboxing techniques through Cloud Run’s microVM technology, which isolates execution environments and limits permission scopes to mitigate security risks.

– **CodeRabbit Architecture:** The architecture underpins the execution of AI-driven scripts and automates the analysis workflow:
– **Cloud Run Services:** Facilitates the management of incoming webhook events and task queues, enabling efficient handling of code review requests.
– **Google Cloud Tasks:** Decouples processing to enhance performance under load, allowing concurrent review tasks.
– **Execution Service Configuration:** Tailored to handle long-running code reviews (10-20 minutes), optimized for parallel processing.

– **Sandbox and Layered Security:** Each execution instance features:
– **Two-Layer Sandboxing:** To enhance security when untrusted code is executed.
– **IAM Role Restrictions:** Specific identities limit access and permissions of processes for executing untrusted code.

– **Dynamic Workload Handling:** During peak usage, CodeRabbit can handle up to 10 requests per second across 200+ Cloud Run instances, showcasing the platform’s capability to support high-volume operations effectively.

– **Practical Implications for Professionals:**
– CodeRabbit serves as a blueprint for software professionals seeking to implement secure, scalable AI tools within development workflows.
– Insights from their architecture can help inform best practices in AI code analysis and security protocols.

In conclusion, CodeRabbit leverages advanced cloud technologies to provide a robust framework for AI-powered code reviews, emphasizing secure execution and operational efficiency, which are critical factors for professionals in software security landscapes.