GCP – 50% faster merge and 50% fewer bugs: How CodeRabbit built its AI code review agent with Google Cloud Run
CodeRabbit, a rapidly growing AI code review tool, is leveraging Google Cloud Run to cut code review time and bugs in half by safely and efficiently executing untrusted code.
CodeRabbit improves code quality and automates code reviews by analyzing changes against the entire codebase and generating scripts for deeper analysis. It integrates with code hosting platforms to provide automated feedback on pull requests.
To safely execute untrusted code, CodeRabbit needed an execution environment that was scalable, cost-effective, and secure enough to analyze and run its customers' code.
In this post, we’ll share how CodeRabbit built an AI code review agent with Google Cloud Run to scale dynamically and handle high volumes efficiently and securely.
CodeRabbit in Action
CodeRabbit integrates directly with platforms like GitHub and GitLab, providing automated code reviews triggered by pull requests. Its foundation-model-based review doesn't just analyze the changed files; it assesses the impact of those changes on the entire codebase. This requires a sophisticated system that can:
- Clone the user's repository.
- Set up a build environment with the necessary dependencies (think npm install, go mod download, etc.).
- Run static analysis tools, including 20+ linters and security scanners.
- Execute AI-generated scripts. This is where things get really interesting. CodeRabbit's AI agent creates shell scripts to navigate the code, search for specific patterns (using tools like cat, grep, and even ast-grep), and extract relevant information. It can even generate Python code for analysis.
- Interact with external services. CodeRabbit can also perform actions by generating and executing curl commands, for example to interface with services like Slack, Jira and Linear.
This solution needs to be scalable, cost-effective, and above all, secure. The code being analyzed and executed is, by definition, untrusted: it could be incomplete, buggy, or even malicious.
The solution: Cloud Run
CodeRabbit Architecture: Powered by Cloud Run
CodeRabbit’s architecture cleverly combines several technologies to create a robust and isolated execution environment:
- Cloud Run services: CodeRabbit uses Cloud Run services as the foundation. Incoming webhook events (from GitHub, GitLab, etc.) are first handled by a lightweight Cloud Run service that performs billing and subscription checks. This service then pushes a task to Google Cloud Tasks.
- Google Cloud Tasks: This acts as a queue, decoupling webhook handling from the actual code execution, so CodeRabbit can absorb bursts of pull requests without overwhelming the system.
- Cloud Run execution service: This is the heart of the system. A separate Cloud Run service receives the tasks dispatched from the Cloud Tasks queue; each task represents one code review request. The service is configured with a 3600-second request timeout and a concurrency of 8 requests per instance, and it scales based on CPU utilization. This setup is crucial because code reviews are long-running operations, often taking 10-20 minutes to complete. The execution service uses an in-memory volume mount where the entire repository, build artifacts, and temporary files are stored.
- Sandboxing: Every Cloud Run instance runs behind two layers of sandboxing and can be given minimal IAM permissions through a dedicated service identity. In addition, CodeRabbit uses Cloud Run's second-generation execution environment, a microVM that provides full Linux cgroup functionality. Within each Cloud Run instance, CodeRabbit uses Jailkit to create isolated (jailed) processes, and cgroups to further restrict what the jailed process can do and consume.
Sandboxing is especially critical for CodeRabbit in scenarios where untrusted code must be executed, such as:
- Static analyzers that support custom, untrusted plugins (e.g., ESLint, RuboCop)
- LLM-generated verification scripts for deeper analysis of the entire codebase
- LLM-generated CLI actions, such as opening GitHub or Jira issues
- Python-based advanced analyses
Code verification output showing an analysis chain that ran in a Cloud Run sandbox
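The four cases above all come down to running a script that the platform did not write, inside a checkout it does not trust, while keeping the blast radius to the job. Cloud Run and Jailkit provide the outer layers; the runner that actually launches each script still has to scrub what the script inherits and bound what it can consume. The following is an added example of such a runner in Python. It is not CodeRabbit's Jailkit/cgroup implementation: it shows only the process-level controls (a private copy of the checkout, a scrubbed environment, rlimits the script cannot lift, a wall-clock timeout that kills the whole process group, and bounded captured output), and the limits, paths, sample repository and sample scripts are made up for the demo. Process-count limits are left to the cgroup pids controller on purpose, since RLIMIT_NPROC is per user rather than per job.

```python
"""Run an LLM-generated shell script under hard limits (added example, not CodeRabbit's code).

Process-level controls only; egress filtering, blocking the metadata server
and the cgroup pids/memory controllers belong to the surrounding sandbox.
All limits, paths and sample data are assumptions made up for this demo.
"""
import os
import resource
import shutil
import signal
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_OUTPUT_BYTES = 64 * 1024        # keep only this much of stdout/stderr
MAX_FILE_BYTES = 32 * 1024 * 1024   # RLIMIT_FSIZE: caps every file the script writes


@dataclass
class RunResult:
    exit_code: Optional[int]  # None when the wall-clock timeout killed it
    stdout: str
    stderr: str
    timed_out: bool
    truncated: bool


def _cap(which: int, value: int) -> None:
    """Set a hard+soft rlimit, never above the hard limit we already have."""
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))


def _apply_limits(cpu_seconds: int, memory_bytes: int) -> None:
    """Runs in the child just before exec; hard limits cannot be raised again."""
    _cap(resource.RLIMIT_CPU, cpu_seconds)
    _cap(resource.RLIMIT_AS, memory_bytes)
    _cap(resource.RLIMIT_FSIZE, MAX_FILE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)


def _read_capped(path: str) -> Tuple[str, bool]:
    """Read at most MAX_OUTPUT_BYTES from a file; report whether it was longer."""
    with open(path, "rb") as f:
        data = f.read(MAX_OUTPUT_BYTES + 1)
    return data[:MAX_OUTPUT_BYTES].decode("utf-8", errors="replace"), len(data) > MAX_OUTPUT_BYTES


def run_untrusted_script(script: str, repo_dir: str, *, timeout_s: float = 30.0,
                         cpu_seconds: int = 20, memory_bytes: int = 512 * 1024 * 1024) -> RunResult:
    """Execute `script` with /bin/sh inside a throwaway copy of repo_dir."""
    scratch = tempfile.mkdtemp(prefix="sandbox-")
    try:
        work = os.path.join(scratch, "repo")
        # Private copy: whatever the script edits or deletes never reaches the checkout.
        shutil.copytree(repo_dir, work, symlinks=True)
        # Scrubbed environment: no inherited tokens, credentials or PATH surprises.
        env = {"PATH": "/usr/bin:/bin", "HOME": scratch, "TMPDIR": scratch, "LANG": "C"}
        out_path, err_path = os.path.join(scratch, "stdout"), os.path.join(scratch, "stderr")
        # Output goes to files (RLIMIT_FSIZE bounds them) and is read back capped,
        # so a script that prints without end cannot exhaust the runner's memory.
        with open(out_path, "wb") as out, open(err_path, "wb") as err:
            proc = subprocess.Popen(
                ["/bin/sh", "-c", script], cwd=work, env=env,
                stdin=subprocess.DEVNULL, stdout=out, stderr=err,
                start_new_session=True,  # own process group, so the kill below reaches helpers
                preexec_fn=lambda: _apply_limits(cpu_seconds, memory_bytes),
            )
            timed_out = False
            try:
                exit_code: Optional[int] = proc.wait(timeout=timeout_s)
            except subprocess.TimeoutExpired:
                timed_out, exit_code = True, None
                os.killpg(proc.pid, signal.SIGKILL)  # background jobs die with the shell
                proc.wait()
        stdout, cut_out = _read_capped(out_path)
        stderr, cut_err = _read_capped(err_path)
        return RunResult(exit_code, stdout, stderr, timed_out, cut_out or cut_err)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def make_sample_repo() -> str:
    """Constructed two-file checkout used by the demo and the tests."""
    repo = tempfile.mkdtemp(prefix="repo-")
    os.mkdir(os.path.join(repo, "src"))
    with open(os.path.join(repo, "src", "app.py"), "w") as f:
        f.write("import os\nos.system(cmd)\n")
    with open(os.path.join(repo, "README.md"), "w") as f:
        f.write("# widgets\n")
    return repo


if __name__ == "__main__":
    repo = make_sample_repo()
    # The kind of verification script the post describes the agent generating.
    print(run_untrusted_script('grep -rn "os.system" src', repo))
    # A runaway script is killed after one second, background jobs included.
    print(run_untrusted_script("sleep 60 & while :; do :; done", repo, timeout_s=1))
```

Two details are easy to get wrong in a runner like this. `subprocess.run(timeout=...)` alone only kills the shell, so a script that backgrounds a helper (`sleep 60 &`) leaves it running in the instance; giving the script its own session and killing the group closes that hole. And capturing output through a pipe into memory means the script controls how much memory the runner allocates; writing to rlimit-bounded files and reading back a fixed prefix keeps that under the runner's control.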
CodeRabbit’s use of Cloud Run allows it to scale dynamically. During peak hours, CodeRabbit’s Agentic PR Reviewer service receives up to 10 requests/second, served by over 200 Cloud Run instances. Each Cloud Run instance is fairly large, with 8 vCPUs and 32 GiB of memory. When powering the PR reviewer service with Cloud Run, CodeRabbit sees high CPU utilization, significant network traffic (downloading repositories and dependencies), and high memory usage.
Cloud Run instances powering CodeRabbit
Try this on your own
CodeRabbit’s use of Google Cloud Run is a compelling example of how to build a secure, scalable, and cost-effective platform for running AI-powered code analysis. Their architecture provides a blueprint for developers tackling similar challenges, and their experience highlights the evolving capabilities of serverless technologies. We’re excited to see how their platform advances as Cloud Run continues to add new features.
To learn more about developing, deploying and hosting AI agents on Cloud Run, watch the “Build AI Agents on Cloud Run” Cloud Next ’25 session featuring CodeRabbit, and give CodeRabbit a try.