Functionality

Last updated: May 28, 2026


The Peer Reviewer Assistant helps developers find security issues while they review pull requests or merge requests. Once the integration is configured, the assistant analyzes the code changes introduced in a PR/MR and posts its findings directly in the code hosting platform.

What the assistant does in a merge request

When a developer opens a merge request, the assistant analyzes the changes and reports the result in the merge request conversation.

If it detects a security issue, it can add a discussion to the affected change. The comment identifies the type of vulnerability, shows the relevant location, and provides guidance so the developer can remediate the issue before merging.

If the assistant does not detect vulnerabilities in the reviewed changes, it posts a completion message indicating that no vulnerabilities were found. This message covers only the changes in the PR/MR and only what the assistant is able to detect; it does not mean the change set, or the rest of the code base, is free of vulnerabilities.

Example: Review a GitLab merge request

The following example shows a GitLab merge request in which new application code is reviewed, a vulnerability is reported, the code is remediated, and the assistant validates the updated changes.

1. Create or update a branch with code changes

A developer works in a source branch and introduces changes to the application.

Code changes introduced in the source branch

2. Open a merge request

In GitLab, the developer creates a merge request from the source branch into the target branch.

GitLab merge request form

3. Wait for the assistant to analyze the changes

After the merge request is created, the assistant starts the security analysis and posts an activity message in the merge request so the developer can see that the review is in progress.

Security analysis started

4. Review vulnerability comments

When the assistant detects a vulnerability, it posts a comment in the merge request. The comment is attached to the relevant context in the change set so developers can review the issue without leaving the PR/MR.

Inline assistant comment in the diff

The assistant comment can include the vulnerability category, weakness identifier, affected location, explanation, and remediation guidance.

Vulnerability explanation in the merge request

5. Remediate the issue

The developer applies the required code changes in the source branch.

Code remediation in the source branch

Then the developer commits and pushes the remediated changes to the remote branch.

Pushing remediated changes

6. Open a remediation merge request or update the existing one

Pushing the remediated commits to the same source branch updates the open merge request. The updated branch is then compared again against the target branch, so the review continues on the remediated change set rather than on the original one.

Compare remediated branch

7. Validate the result

The assistant runs the security analysis again for the updated changes.

Security analysis for remediated changes

If the assistant does not detect vulnerabilities in the reviewed changes, it posts a message that no vulnerabilities were found.

No vulnerabilities found

Use the assistant as part of the normal pull request or merge request review process. Developers can use its comments to identify security issues earlier, apply fixes in the same branch, and validate the result before merging.
