Sign up at the dashboard, then go to License Keys and generate a new key. Save it securely — it's only shown once.
Pull and run the Docker image on your infrastructure:
```bash
docker run -d \
  --name security-review-agent \
  -e AGENT_LICENSE_KEY=sra_live_your_key_here \
  -e GITLAB_URL=https://gitlab.example.com \
  -e GITLAB_PAT=glpat-xxxxxxxxxxxx \
  -e LLM_PROVIDER=anthropic \
  -e ANTHROPIC_API_KEY=sk-ant-xxxxxxxxxxxx \
  -e WEBHOOK_SECRET=your-webhook-secret-min-16-chars \
  -e DATABASE_URL=sqlite+aiosqlite:////data/security-review.db \
  -v agent-data:/data \
  -p 8000:8000 \
  ghcr.io/your-org/security-review-agent:latest
```
In your GitLab project or group settings, add webhooks pointing to your agent:
- https://your-agent-host:8000/webhook/merge-request
- https://your-agent-host:8000/webhook/comment

Set the Secret token to the same value as your WEBHOOK_SECRET environment variable.
Open a merge request in your project. The agent will automatically post security review comments on the MR.
Check the agent health endpoint: GET https://your-agent-host:8000/health
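An added example (not the project's own code) of what the agent has to do on its side of the webhook setup above: refuse to start with a WEBHOOK_SECRET shorter than 16 characters, and reject any request whose Secret token does not match it before acting on the payload. GitLab sends the configured Secret token verbatim in the X-Gitlab-Token header and the event name in X-Gitlab-Event; the function names, the route-to-event mapping and the sample request are assumptions constructed for this example.

```python
import hmac
import json
import os

MIN_SECRET_LEN = 16  # the page's "min 16 chars" requirement

# Event names GitLab puts in X-Gitlab-Event for the two webhooks registered above
# (mapping of agent route to expected event is an assumption for this example).
ALLOWED_EVENTS = {
    "/webhook/merge-request": "Merge Request Hook",
    "/webhook/comment": "Note Hook",
}


def load_webhook_secret(env=os.environ):
    """Read WEBHOOK_SECRET and refuse to start with a missing or short value."""
    secret = env.get("WEBHOOK_SECRET", "")
    if len(secret) < MIN_SECRET_LEN:
        raise RuntimeError("WEBHOOK_SECRET must be at least 16 characters")
    return secret


def verify_gitlab_webhook(path, headers, body, secret):
    """Return (accepted, reason_or_object_kind). Header names are case-insensitive.

    GitLab sends the Secret token itself in X-Gitlab-Token, so the check is a
    constant-time equality test on the header, not an HMAC over the body.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    token = hdrs.get("x-gitlab-token", "")
    # compare_digest does not leak how many leading bytes matched via timing
    if not hmac.compare_digest(token.encode(), secret.encode()):
        return False, "bad or missing X-Gitlab-Token"
    expected_event = ALLOWED_EVENTS.get(path)
    if expected_event is None:
        return False, "unknown webhook path"
    if hdrs.get("x-gitlab-event") != expected_event:
        return False, "event type does not match endpoint"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    # Only an authenticated, well-typed payload reaches the review logic.
    return True, payload.get("object_kind", "")


if __name__ == "__main__":
    secret = "constructed-example-secret-value"  # constructed, >= 16 chars
    headers = {"X-Gitlab-Token": secret, "X-Gitlab-Event": "Merge Request Hook"}
    body = json.dumps({"object_kind": "merge_request"})  # constructed payload
    print(verify_gitlab_webhook("/webhook/merge-request", headers, body, secret))
```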
| Variable | Required | Description |
|---|---|---|
| AGENT_LICENSE_KEY | Yes | Your license key from the dashboard |
| GITLAB_URL | Yes | Your GitLab instance URL |
| GITLAB_PAT | Yes | GitLab personal access token (api scope) |
| LLM_PROVIDER | Yes | "anthropic" or "gemini" |
| ANTHROPIC_API_KEY | If anthropic | Your Anthropic API key |
| GEMINI_API_KEY | If gemini | Your Google Gemini API key |
| WEBHOOK_SECRET | Yes | Shared secret for webhook verification (min 16 chars) |
| DATABASE_URL | Yes | SQLite or PostgreSQL connection string |