Review Every PR for Security Bugs.
Automatically. On Your Hardware.
Semgrep finds the patterns. GLM 5.2 judges severity and eliminates false positives. PR comment posted before anyone opens the diff. No code leaves your network — no API keys for third-party AI services.
How It Works — 3 Stages, One Workflow
1. Scan
Semgrep runs on PR diff. Finds SQL injection, XSS, hardcoded secrets, path traversal — 1,700+ rules. Output: JSON with finding + line number + rule ID.
2. Review
GLM 5.2 receives each finding with surrounding code context. Judges: is this a true positive? What's the severity? Is there a fix? Runs on your GPU — nothing sent to external APIs.
3. Report
GLM 5.2 posts a GitHub PR comment: finding, verdict, severity, suggested fix. False positives filtered out before your team sees them. Real issues prioritized by risk.
The Workflow — Skeleton
Each stage is a GitHub Actions job. The manual includes the complete YAML with error handling, batch processing, and PR comment formatting.
# .github/workflows/security-review.yml — skeleton
name: GLM 5.2 Security Review
on:
pull_request:
types: [opened, synchronize]
jobs:
semgrep:
runs-on: ubuntu-latest
outputs:
findings: ${{ steps.scan.outputs.findings }}
steps:
- uses: actions/checkout@v4
- name: Run Semgrep
id: scan
run: |
semgrep --config=auto --json -q > findings.json
echo "findings=$(cat findings.json)" >> $GITHUB_OUTPUT
glm-review:
needs: semgrep
runs-on: [self-hosted, gpu] # Your GPU runner
if: needs.semgrep.outputs.findings != '[]'
steps:
- name: GLM 5.2 Security Review
run: |
curl -s http://glm-server:8000/v1/chat/completions \
-H "Content-Type: application/json" \
-d "$(python3 build_review_payload.py)" \
| python3 post_pr_comment.py
The skeleton shows the architecture. The manual ships build_review_payload.py (prompt engineering for security audit), post_pr_comment.py (GitHub API integration), and the full error handling that prevents a single bad finding from crashing the pipeline.
Why This Beats Manual Review (and GPT-5 API)
| Manual Review | GPT-5 API | Self-Hosted GLM 5.2 | |
|---|---|---|---|
| Cost per 100 PRs | $2,000+ (engineer time) | $80-150 (API tokens) | $0 (your hardware) |
| Code leaves network | No | Yes — sent to OpenAI | No — stays on-prem |
| Turnaround | Hours to days | 2-5 min | 2-5 min |
| False positive rate | Varies by reviewer | ~10-15% | <5% (tuned prompt) |
| Consistency | Depends on who reviews | Consistent | Consistent + auditable |
| Compliance (SOC2, HIPAA) | OK | Requires DPA with OpenAI | OK — no third party |
The False Positive Problem
Semgrep's default rules produce ~20% false positives. That means 1 in 5 findings wastes your team's time. Two things cut this down:
- Semgrep rule tuning — disable noisy rules, add path filters (the manual includes a curated ruleset)
- GLM 5.2 triage — the model reads the finding + code context and judges: "false positive — this input is sanitized 3 lines above at
validateInput()"
The manual's prompt engineering chapter covers the exact system prompt that gets GLM 5.2 to output structured, actionable verdicts — not generic "consider reviewing this" hand-waving.
What a GLM 5.2 PR Comment Looks Like
## Security Review — GLM 5.2
**Finding:** Potential SQL injection in `src/api/users.ts:142`
**Semgrep Rule:** `python.sqlalchemy.security.audit.raw-sql`
**Verdict:** TRUE POSITIVE — High Severity
**Why:** User input `req.body.username` is concatenated directly into a
raw SQL query string. No parameterization, no ORM escape.
**Fix:** Replace with parameterized query:
```ts
db.query('SELECT * FROM users WHERE username = ?', [req.body.username])
```
**Confidence:** 0.94
---
*Reviewed by GLM 5.2 on self-hosted infrastructure. No code sent externally.*
What the Manual Adds (Ch.5)
| This Page (Free) | Production Manual Ch.5 |
|---|---|
| Workflow skeleton (3 stages) | Complete GitHub Actions YAML with error handling, retry logic, artifact caching |
| Conceptual prompt design | Full system prompt engineering — tested across SQL injection, XSS, path traversal, SSRF, deserialization |
| Single-finding review flow | Batch processing for 500+ findings — chunking, concurrency, token budget management |
| Basic Semgrep invocation | Curated ruleset — which 142 rules to enable, which 38 to disable, path filters per project type |
| Not covered | False positive reduction workflow — GLM 5.2 self-consistency voting, Semgrep rule feedback loop |
| Not covered | Cost analysis — self-host vs GPT-5 API vs CodeRabbit vs Semgrep Pro for teams of 5/20/100 |
FAQ
Does this work with GitLab CI / Bitbucket Pipelines?
The manual includes adapters for GitLab CI and Bitbucket Pipelines. The core workflow (Semgrep → GLM 5.2 → PR comment) is CI-agnostic. GitHub Actions is the primary example because it's the most common, but the patterns translate directly.
What languages does this cover?
Semgrep supports 30+ languages. The manual's curated ruleset focuses on Python, TypeScript/JavaScript, Go, Java, and Rust — the languages where we've validated GLM 5.2's security review accuracy. Other languages work but haven't been benchmarked for false positive rate.
Can I add custom security rules?
Yes. The manual includes a template for writing custom Semgrep rules and the corresponding GLM 5.2 review prompt snippet. This is covered in Ch.5 — you define the pattern in Semgrep's YAML DSL, then add a review context block to the system prompt so GLM 5.2 knows how to judge it.
This Page Shows the Pipeline. The Manual Ships the Workflows.
You've seen the concept and the skeleton. The manual contains the complete GitHub Actions YAML (tested across 200+ PRs), the prompt engineering chapter that cuts false positives below 5%, and the batch processing strategy for repos with 500+ Semgrep findings. Everything is a file you can copy, paste, and run today.
Get the Production Manual — $2930-day money-back guarantee. If the pipeline doesn't work in your repo, full refund.