NewGitZoid now watches security and reports your week
All posts
WorkflowsJun 25, 2026·5 min read

Running GitZoid with Claude Code

GZ
GitZoid Team
Engineering
Workflows/gitzoid

Claude Code changes the shape of a workday. The agents open pull requests all day, and the human job shifts from writing the diff to judging it. GitZoid slots into that loop as the reviewer that never falls behind.

Setup

Connect a repo in two clicks through Try GitZoid. No CLI, no IDE plugin, no YAML. GitZoid installs as a GitHub app, builds a per-repo brain from the codebase, and starts watching open pull requests. The agents need no configuration change at all, they keep pushing the way they already do.

What happens on every push

Claude Code rarely lands a pull request in one push. It iterates. GitZoid tracks the last commit it reviewed on each pull request and reads only the delta on the next push, so feedback stays scoped to what just changed and nothing gets restated.

When a finding clears the severity bar, the comment is structured: severity, location, why it matters in this repo, and a suggested change.

High · Unvalidated redirect · src/routes/auth.ts:88

The new callback handler redirects to req.query.next without
checking it. Every other redirect in this repo goes through
safeRedirect() in src/lib/url.ts.

Suggested change:
  return res.redirect(safeRedirect(req.query.next, "/dashboard"))

When the push is clean, the review is a short summary that says so, with nothing to act on.

What happens every week

Two emails, no dashboard.

  • Security Watch. Dependencies are scanned daily, and one ranked report arrives weekly: new CVEs, end-of-life packages, leaked secrets, widened workflow permissions.
  • Monday digest. A plain-English summary of what the agents shipped last week, business and technical, readable in two minutes.

The weekly layer matters more with agents than with humans. A human remembers what they merged. An agent does not, and neither do you at the volume Claude Code produces.

Deterministic oversight, stochastic coders

Claude Code is stochastic by design. Two runs on the same prompt produce different diffs, and that is where the leverage comes from. The oversight layer should not share that property. GitZoid runs on a deterministic engine, so the same change gets the same review and the merge bar stays constant while the volume climbs.

That pairing is the whole point.

Let the agents be creative. Keep the judge consistent.

The loop in practice

  1. Claude Code opens or updates a pull request.
  2. GitZoid reviews the delta within minutes, with a summary every time and a flagged finding when one clears the bar.
  3. You merge on clean threads and act on the rare flagged one.
  4. Monday, the digest tells you what actually shipped, and the Security Watch email flags anything the week's merges changed in your risk surface.

The first 10 outputs are free, no card required. Connect one busy repo and watch a week of pushes go through it.

Put a patrol on your repo.

The first review posts on your next pull request.

Try GitZoid