Merlin AI Code Review

AI Code Review for GitLab CI: Cloud and Self-Hosted

February 22, 2025 · 8 min read · Merlin AI Code Review Team

GitLab is the platform of choice for many enterprises — especially those running self-hosted instances for data sovereignty. Merlin AI Code Review is purpose-built for GitLab CI and supports both GitLab.com and self-hosted GitLab with private runners, making it the ideal AI review solution for GitLab shops.

Why GitLab teams choose Merlin AI Code Review

Teams running self-hosted GitLab are already serious about data control. Merlin AI Code Review matches that philosophy: the review binary runs inside your GitLab runner, the only code that leaves your network is the diff sent to the AI provider under your own API key, and there's no external SaaS dependency.

Basic GitLab CI setup

.gitlab-ci.yml
yaml
stages:
  - review

merlin-review:
  stage: review
  image: ubuntu:22.04
  script:
    - apt-get update -qq && apt-get install -y curl
    # -f makes curl fail on an HTTP error instead of saving the error page as "merlin"
    - curl -fL https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
    - chmod +x merlin && ./merlin review
  variables:
    GITLAB_TOKEN: $CI_JOB_TOKEN
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  rules:
    # run only in merge request pipelines
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Self-hosted GitLab with private runners

If your GitLab instance is air-gapped or uses private runners, you can pre-download the Merlin AI Code Review binary and store it in your artifact registry or runner cache:

yaml
merlin-review:
  stage: review
  image: ubuntu:22.04
  cache:
    key: merlin-binary
    paths:
      - merlin
  script:
    - |
      # Download only on a cache miss; the base image ships without curl
      if [ ! -f merlin ]; then
        apt-get update -qq && apt-get install -y curl
        curl -fL https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
        chmod +x merlin
      fi
    - ./merlin review
  variables:
    GITLAB_TOKEN: $CI_JOB_TOKEN
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
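
Both jobs above fetch `merlin` from a `releases/latest` URL and execute it on the runner while the job's tokens are set. One way to gate that step on a SHA-256 you have pinned yourself, as an added example that is not code from the Merlin project; `MERLIN_SHA256`, `MERLIN_URL` and the function names are assumptions:

```shell
#!/bin/sh
# Added example: verify a downloaded CI tool against a pinned SHA-256 before it
# becomes executable. MERLIN_SHA256 is a hypothetical CI/CD variable holding the
# digest of a binary you vetted yourself; the Merlin project does not define it.

# Print the hex SHA-256 of a file, using whichever tool the image provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no SHA-256 tool found" >&2
        return 1
    fi
}

# install_verified <downloaded-file> <dest> <expected-sha256>
# Installs <dest> and returns 0 only when the digest matches; otherwise deletes
# the download and returns non-zero so the CI job fails closed.
install_verified() {
    src=$1 dest=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    # Reject an unset or malformed pin (for example, a missing CI variable).
    case $expected in
        *[!0-9a-f]*) echo "pin is not hex" >&2; rm -f "$src"; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "pin must be 64 hex characters" >&2; rm -f "$src"; return 2
    fi
    actual=$(sha256_of "$src") || { rm -f "$src"; return 3; }
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch: got $actual" >&2
        rm -f "$src"
        return 1
    fi
    # Only a verified file is moved into place and made executable.
    mv "$src" "$dest" && chmod 0755 "$dest"
}

# In the job's script, download to a temporary name, then gate on the pin:
#   curl -fsSL "$MERLIN_URL" -o merlin.download   # MERLIN_URL: version-pinned URL (assumption)
#   install_verified merlin.download merlin "$MERLIN_SHA256" && ./merlin review
```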

Adding a security scan step

yaml
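merlin-review:
  stage: review
  script:
    # assumes the merlin binary is already in the working directory
    # (downloaded or restored from cache as in the jobs above)
    - ./merlin review
    - ./merlin run /security
  variables:
    GITLAB_TOKEN: $CI_JOB_TOKEN
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"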

Using CI_JOB_TOKEN vs. a personal access token

For most pipelines, CI_JOB_TOKEN is sufficient — it has permission to comment on merge requests. For webhook bot mode (enabling @merlin commands in MR comments), you'll need a project or group access token with api scope:

yaml
variables:
  GITLAB_TOKEN: $MERLIN_PROJECT_TOKEN  # project access token stored as CI variable

Setting up AI provider secrets in GitLab

Navigate to your project → Settings → CI/CD → Variables. Add:

Using Ollama for fully private inference

For GitLab instances in air-gapped environments, run Ollama on a machine accessible to your GitLab runners and configure Merlin AI Code Review to use it:

merlin.toml
toml
[ai]
provider = "ollama"
model = "qwen2.5-coder:32b"
ollama_base_url = "http://ollama.internal:11434"

This achieves completely air-gapped AI code review — no internet access required for the inference step.