Everything you need to integrate and use NeuronX Guard.
Go to github.com/apps/neuronx-guard and click Install. Select your repos.
Guard reviews automatically on every PR open, update, or reopen. No configuration needed.
Log in at /guard/dashboard to get your API key for CI and VS Code integration.
Comment any of these on a Pull Request:

| Command | Description |
|---|---|
| /guard explain | Detailed explanation of each finding with OWASP/CWE references, bad/good examples |
| /guard dismiss | Collapse review, record dismissed patterns (suppressed after 3x) |
| /guard re-review | Trigger fresh review (useful after pushing fixes) |
| /guard quality | Code quality score (0-100, grade A-F) with trend |
| /guard leaderboard | Developer leaderboard ranked by cleanest code |
| /guard report | Compliance-ready markdown report |
| /guard config | Show current .neuronx-guard.yml config |
| /guard feedback | Collect reaction data from Guard's comments |
Guard is powered by the NeuronX AI platform. Every review uses these platform features:
Before calling LLMs, Guard searches 23,000+ learned code patterns and 189,000 FAISS semantic vectors for known vulnerability matches. Instant results, zero API cost.
Every issue includes an actionable fix. 40+ deterministic fixes for known issues (e.g., except: → except Exception as e:), pattern-based reference code from the database, and LLM-generated repairs for complex errors.
A 3,900-node knowledge graph with 38,700 edges enriches LLM review prompts with codebase context — related concepts, dependencies, and known patterns. This makes LLM reviews significantly more accurate.
Tested across 14 files in 10 languages: 56% of all issues include fix suggestions. Python and JavaScript achieve 93-100% fix coverage.
Every review includes a 3-5 bullet LLM-generated summary of what the PR does — changes, impact, risk. Not just issues, but a human-readable changelog.
Mention @neuronx-guard in any PR comment to ask questions: "Why is this dangerous?", "Fix this for me", "Is this safe?". Guard answers with full context from the diff + Knowledge Graph.
Configurable thresholds that block merges. Set max_errors: 0 in .neuronx-guard.yml and Guard will fail the Check Run if any errors are found. Enterprise-grade CI enforcement.

```yaml
quality_gate:
  enabled: true
  max_errors: 0
  max_warnings: 10
  max_cve_critical: 0
  block_merge: true
```
Every security finding tagged with CWE ID + OWASP 2021 Top 10 category. Example: SQL injection [CWE-89] [OWASP A03:2021]. Covers CWE-78, 89, 94, 208, 502, 798 and OWASP A02, A03, A07, A08.
Every issue includes a fix suggestion rendered as a GitHub suggestion block. Developers see a green "Apply suggestion" button — one click to fix. Zero risk.
Comment /guard rollback to see all applied fixes. Use /guard rollback <id> to revert a specific fix. Every fix is tracked with original code, confidence score, and audit trail.
When a developer applies Guard's suggestion, the fix pattern is recorded into the 23K pattern database. Guard gets smarter with every review — no competitor has a self-improving engine.
Detects copy-pasted code blocks across files in the same PR. Uses token-based comparison — normalizes whitespace and strings, then compares sliding windows. Flags blocks of 6+ lines that are 80%+ similar.
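The sliding-window comparison described above, as an added illustration (not Guard's own code): string literals are blanked and whitespace collapsed before tokenising, 6-line windows are compared across files with a token similarity ratio, and windows at or above 80% are reported. The sample PR files are constructed for the example.

```python
import re
from difflib import SequenceMatcher

WINDOW = 6        # minimum block size in lines (from the page)
THRESHOLD = 0.80  # minimum similarity ratio (from the page)

def normalize(line: str) -> str:
    """Blank out string literals and collapse whitespace so cosmetic
    differences do not hide a copy-paste."""
    line = re.sub(r'"[^"]*"|\'[^\']*\'', '"STR"', line)
    return " ".join(line.split())

def tokens(block):
    """Whitespace tokens of a block after normalisation."""
    return " ".join(normalize(l) for l in block).split()

def find_duplicates(files, window=WINDOW, threshold=THRESHOLD):
    """Return (file_a, start_a, file_b, start_b, ratio) for every pair of
    window-sized blocks in different files that is at least threshold similar.
    Windows that are blank after normalisation are skipped."""
    windows = []
    for name, src in files.items():
        lines = src.splitlines()
        for i in range(len(lines) - window + 1):
            block = lines[i:i + window]
            if any(normalize(l) for l in block):
                windows.append((name, i + 1, tokens(block)))
    hits = []
    for a, (fa, la, ta) in enumerate(windows):
        for fb, lb, tb in windows[a + 1:]:
            if fa == fb:
                continue  # only cross-file duplicates, as the page describes
            ratio = SequenceMatcher(None, ta, tb).ratio()
            if ratio >= threshold:
                hits.append((fa, la, fb, lb, round(ratio, 2)))
    return hits

# Constructed sample PR: load_order is load_user copy-pasted with a different
# indent, table name and variable name; utils/log.py is too short to window.
FILES = {
    "api/users.py": 'def load_user(uid):\n    conn = get_conn()\n    cur = conn.cursor()\n'
                    '    cur.execute("SELECT * FROM users WHERE id = %s", (uid,))\n'
                    '    row = cur.fetchone()\n    conn.close()\n    return row\n',
    "api/orders.py": 'def load_order(oid):\n  conn = get_conn()\n  cur = conn.cursor()\n'
                     '  cur.execute("SELECT * FROM orders WHERE id = %s", (oid,))\n'
                     '  row = cur.fetchone()\n  conn.close()\n  return row\n',
    "utils/log.py": 'import logging\nlog = logging.getLogger(__name__)\n',
}

if __name__ == "__main__":
    for hit in find_duplicates(FILES):
        print(hit)
```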
Separate from the quality badge. Shows a security grade (A-F) based on CWE findings from your review history.

Guard posts review summaries to your team's Slack or Discord channel after every review.
Set the webhook URL as an environment variable:

```bash
GUARD_SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T.../B.../xxx
GUARD_DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/xxx/yyy
```

Or configure per-repo in .neuronx-guard.yml:

```yaml
notifications:
  slack_webhook: https://hooks.slack.com/services/...
  discord_webhook: https://discord.com/api/webhooks/...
```
Notifications include: repo, PR number, title, author, issue count, errors/warnings, and review time.
Pro and Team plan users get their reviews processed first. Free tier reviews go to the back of the Redis queue, paid plans go to the front. No configuration needed — automatic based on your plan.
Guard can commit deterministic fixes directly to your PR branch. Three modes:

| Mode | Behavior | Risk |
|---|---|---|
| suggest | GitHub suggestion blocks — one-click apply (default) | Zero |
| commit | Guard creates a fix branch + Fix PR | Low |
| auto | Commit directly to PR branch (deterministic only, confidence ≥ 0.95) | Medium |
Configure in .neuronx-guard.yml:

```yaml
auto_fix:
  enabled: true
  mode: auto
  confidence_threshold: 0.95
  max_fixes_per_pr: 5
  protected_files:
    - "*.lock"
    - "migrations/*"
```
Safety: AST validation, max 5 fixes/PR, protected files skipped, every fix tracked with rollback via /guard rollback.
Base URL: https://neuronx.jagatab.uk
| Endpoint | Description |
|---|---|
| POST /api/github/webhook | GitHub App webhook receiver |
| POST /api/guard/ci-review | CI review — send diff, get issues back |
| GET /api/github/status | Guard integration status + feature list |

| Endpoint | Description |
|---|---|
| GET /api/github/quality/{owner}/{repo} | Quality score, grade, trend data |
| GET /api/github/analytics/{owner}/{repo} | Review history, averages, trends |
| GET /api/github/leaderboard/{owner}/{repo} | Developer leaderboard |
| GET /api/github/report/{owner}/{repo}/{pr} | Compliance report (markdown or ?format=json) |
Request:

```bash
curl -X POST https://neuronx.jagatab.uk/api/guard/ci-review \
  -H "Content-Type: application/json" \
  -d '{
    "diff": "--- a/file.py\n+++ b/file.py\n@@ ...",
    "repo": "owner/repo",
    "pr_number": 1,
    "severity_threshold": "warning"
  }'
```

Response:

```json
{
  "issues_found": 3,
  "errors": 1,
  "warnings": 2,
  "review_time": "1.2",
  "issues": [
    {"file": "api/auth.py", "line": 14, "severity": "error",
     "message": "Hardcoded password detected"}
  ]
}
```
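A CI step that ties the ci-review request and response above to the quality_gate limits (max_errors, max_warnings, max_cve_critical) from the configuration section, written as an added example rather than Guard's own action. It assumes the response's top-level errors/warnings fields shown above; the cve_critical field name is an assumption and defaults to 0 when absent.

```python
import json
import subprocess
import sys
import urllib.request

GUARD_URL = "https://neuronx.jagatab.uk/api/guard/ci-review"  # endpoint from the page

# Same limits as the quality_gate block of .neuronx-guard.yml
GATE = {"max_errors": 0, "max_warnings": 10, "max_cve_critical": 0}

def build_payload(diff, repo, pr_number, severity_threshold="warning"):
    """Request body in the shape of the page's curl example."""
    return {"diff": diff, "repo": repo, "pr_number": pr_number,
            "severity_threshold": severity_threshold}

def post_review(payload, url=GUARD_URL, timeout=120):
    """POST the payload and return the parsed JSON response (network call)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def evaluate_gate(review, gate=GATE):
    """Apply the gate limits to a ci-review response. Returns (passed, reasons).
    errors/warnings are the response's top-level fields; 'cve_critical' is an
    assumed field name (not shown on the page) and defaults to 0 if absent."""
    found = {"max_errors": review.get("errors", 0),
             "max_warnings": review.get("warnings", 0),
             "max_cve_critical": review.get("cve_critical", 0)}
    reasons = []
    for key, count in found.items():
        limit = gate.get(key)
        if limit is not None and count > limit:
            reasons.append(f"{key}={limit} exceeded: {count} found")
    return (not reasons, reasons)

def main(repo, pr_number, base="origin/main"):
    """CI entry point: diff the branch against base, review it, enforce the gate."""
    diff = subprocess.run(["git", "diff", f"{base}...HEAD"], capture_output=True,
                          text=True, check=True).stdout
    review = post_review(build_payload(diff, repo, pr_number))
    for issue in review.get("issues", []):
        print(f"{issue['severity']}: {issue['file']}:{issue['line']} {issue['message']}")
    passed, reasons = evaluate_gate(review)
    for r in reasons:
        print("quality gate:", r)
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], int(sys.argv[2])))
```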
Add .neuronx-guard.yml to your repo root (optional — all checks enabled by default):
```yaml
enabled: true
checks:
  security: true      # 19 security patterns
  complexity: true    # AST cyclomatic complexity
  bare_except: true   # Bare except detection
  patterns: true      # Language-specific rules
  llm_review: true    # Multi-model LLM consensus
ignore_files:
  - "*.md"
  - "tests/*"
  - "docs/*"
  - "vendor/*"
severity_threshold: warning # info | warning | error
# Custom rules (Pro feature):
custom_rules:
  - pattern: "TODO|FIXME|HACK"
    message: "Resolve before merging"
    severity: info
  - pattern: "print\\("
    message: "Debug print() — remove for production"
    severity: warning
```
Run /guard config on any PR to see active config.
Run Guard as a CI step — no GitHub App installation needed:
```yaml
name: Guard Review
on: [pull_request]
jobs:
  guard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: sreejagatab/neuronx-platform/.github/actions/neuronx-guard@main
        with:
          severity-threshold: warning # info, warning, error
          fail-on-error: true         # fail CI on errors
          scan-dependencies: true     # CVE scan
          max-issues: 20
```
Results appear in the GitHub Actions job summary.
```bash
# Install
cd vscode-extension && npm install && npx vsce package
code --install-extension neuronx-guard-1.0.0.vsix
```
| Setting | Default | Description |
|---|---|---|
| neuronxGuard.apiUrl | https://neuronx.jagatab.uk | Guard API URL |
| neuronxGuard.apiKey | (empty) | API key from dashboard |
| neuronxGuard.scanOnSave | true | Auto-scan on save |
| neuronxGuard.severityThreshold | warning | Min severity to show |
Ctrl+Shift+G to scan current file. Status bar shows issue count.
| Category | Patterns |
|---|---|
| Hardcoded secrets | password=, api_key=, secret=, sk-*, ghp_* |
| Code injection | eval(), exec() |
| SQL injection | f-string SELECT/INSERT/UPDATE/DELETE, .execute(f"...") |
| Command injection | os.system(), subprocess shell=True |
| Unsafe deserialization | pickle.loads() |
| Timing attacks | == password comparison |
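The pattern table above as a small line-based scanner, added here as an illustration and not Guard's own rule engine: each category gets one regular expression (my approximation of the patterns listed) and is tagged with the CWE and OWASP 2021 category from the page's list, so findings render like "SQL injection [CWE-89] [OWASP A03:2021]". The sample source is constructed.

```python
import re

# Category -> (regex, CWE, OWASP 2021), following the page's pattern table and
# its CWE/OWASP list. Compiled case-insensitively so SQL keywords match any case.
RULES = {
    "Hardcoded secrets": (
        r'\b(password|api_key|secret)\s*=\s*["\']|["\'](sk-|ghp_)[A-Za-z0-9_-]{8,}',
        "CWE-798", "A07:2021"),
    "Code injection": (r'\b(eval|exec)\s*\(', "CWE-94", "A03:2021"),
    "SQL injection": (
        r'\bf["\']\s*(select|insert|update|delete)\b|\.execute\(\s*f["\']',
        "CWE-89", "A03:2021"),
    "Command injection": (r'\bos\.system\s*\(|\bshell\s*=\s*True\b', "CWE-78", "A03:2021"),
    "Unsafe deserialization": (r'\bpickle\.loads\s*\(', "CWE-502", "A08:2021"),
    "Timing attacks": (r'==\s*password\b|\bpassword\s*==', "CWE-208", "A02:2021"),
}
COMPILED = {cat: (re.compile(rx, re.I), cwe, owasp)
            for cat, (rx, cwe, owasp) in RULES.items()}

def scan(source: str):
    """Return one finding per (line, category), in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for cat, (rx, cwe, owasp) in COMPILED.items():
            if rx.search(line):
                findings.append({"line": lineno, "category": cat, "cwe": cwe,
                                 "owasp": owasp, "code": line.strip()})
    return findings

def render(findings):
    """Format findings with the CWE + OWASP tags Guard attaches to each issue."""
    return [f"L{f['line']}: {f['category']} [{f['cwe']}] [OWASP {f['owasp']}]"
            for f in findings]

# Constructed sample: one hit per category plus two clean lines (1 and 10).
SAMPLE = """\
import os, pickle
password = "hunter2"
token = "ghp_ABCDEFGHIJKLMNOP"
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
os.system("ls " + path)
subprocess.run(cmd, shell=True)
data = pickle.loads(blob)
if user_input == password:
result = eval(expr)
safe = hmac.compare_digest(a, b)
"""

if __name__ == "__main__":
    print("\n".join(render(scan(SAMPLE))))
```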
| Language | Rules | Examples |
|---|---|---|
| JavaScript/TypeScript | 7 | console.log, ==, var, innerHTML |
| Go | 5 | fmt.Print, panic, unsafe.Pointer |
| Java | 4 | System.out, printStackTrace, Runtime.exec |
| Rust | 4 | unwrap(), unsafe{}, panic!() |
| C/C++ | 8 | gets(), strcpy(), system() |
| Ruby | 3 | send(params), constantize |
| PHP | 3 | mysql_query, echo $var, shell_exec |
| Shell | 4 | eval, rm -rf /, chmod 777, curl\|sh |
| Kotlin | 2 | !!, Thread.sleep |
| Swift | 1 | try! |
In addition, a nesting-depth check (>6 levels) runs for all brace languages, and LLM review is available for any language.