AI-powered PR security review for DevOps and Infrastructure-as-Code.
Polaris is an autonomous security agent that connects to GitHub as an App, scans every Pull Request containing infrastructure code, and posts inline findings with one-click auto-fix — all in under 60 seconds.
Infrastructure code gets reviewed for functionality but almost never for security. A developer pushes a Terraform file with an open S3 bucket, a Dockerfile with hardcoded secrets, or a Kubernetes manifest running privileged containers — it passes code review and ships to production. Nobody catches it until an audit or a breach.
Teams need a senior SRE reviewing every infrastructure change before it merges, but no team has the bandwidth for that.
Polaris acts like that senior SRE, automatically. Install the GitHub App, open a PR, and Polaris handles everything:
- Parses the PR diff and extracts modified IaC files
- Scans with deterministic rules for known anti-patterns
- Reasons with Gemini to enrich evidence-backed findings and propose exact code fixes
- Verifies every AI-only claim and patch before it can affect the pull request
- Reports inline findings on changed lines, with one-click commit enabled only for mechanically verified fixes
Gemini is an enhancement, not a single point of failure. If the provider times out, exhausts quota, or returns invalid output, Polaris completes the deterministic scan and reports the degraded mode explicitly instead of discarding valid results.
The pipeline is time-bounded and always returns a truthful result, even when AI enrichment is unavailable.
- Automatic PR Scanning — Every PR with Terraform, Kubernetes YAML, Dockerfiles, or GitHub Actions is scanned automatically via webhook
- Gemini-Powered Analysis — Gemini reasons about infrastructure intent, blast radius, and compliance impact
- Inline PR Comments — Findings posted directly on the line of code in your PR, just like a human reviewer
- One-Click Auto-Fix — Approve a suggested fix from the dashboard and Polaris commits it directly to your PR branch with a full audit trail
- Security Dashboard — Overview of all scans, findings by severity, and drill-down into individual scan results
- Multi-User Isolation — Each user only sees scans for their own repositories
- Verified Patches — AI review plus exact patch application, syntax, and rule-resolution gates protect one-click commits
PR Opened → GitHub Webhook → FastAPI Backend → Deterministic Scan
→ Optional Gemini Enrichment → Evidence + Patch Verification
→ Inline PR Comments + Commit Status → Dashboard Updated
- A developer opens a PR containing infrastructure files
- GitHub sends a webhook to the Polaris backend
- The deterministic scanner checks for known patterns (open ports, hardcoded secrets, privileged containers, etc.)
- Gemini enriches detector-backed findings and may propose additional evidence-linked findings
- AI-only findings and proposed patches pass independent validation; provider failure falls back to deterministic results
- Results are posted as an inline PR review on GitHub and stored in the dashboard
- The developer can approve fixes with one click — Polaris commits directly to the PR branch
| Layer | Technology |
|---|---|
| Frontend | Next.js 16, React 19, Tailwind CSS |
| Auth | NextAuth.js with GitHub OAuth |
| Backend | Python 3.11, FastAPI, Uvicorn |
| AI | Gemini 3 Flash Preview (dual-agent: reasoning + verification) |
| Database | PostgreSQL (Neon) |
| Hosting | Vercel (frontend) · Render (backend) · Neon (DB) |
| Uptime | UptimeRobot ping every 5 min |
Polaris is deployed end-to-end on free-tier hosting:
| Component | URL |
|---|---|
| Frontend | https://polaris-livid-one.vercel.app |
| Backend | https://polaris-backend-4xoy.onrender.com |
| Health | https://polaris-backend-4xoy.onrender.com/health |
| Uptime | https://stats.uptimerobot.com/lMd1MkrQaT |
To try it on your own repo, install the Polaris GitHub App, open a PR with an infra file (.tf, Dockerfile, k8s.yaml, or .github/workflows/*.yml), and watch the scan land within ~30 seconds.
For contributing or local testing — production users should just use the live deployment above.
- Node.js 18+
- Python 3.11+
- A GitHub Account
- A GitHub App with PR read/write permissions and webhook configured
- A Gemini API key
git clone https://github.com/Param-10/hackthebay.git
cd hackthebaynpm installCreate .env.local:
GITHUB_ID=your_github_oauth_app_id
GITHUB_SECRET=your_github_oauth_app_secret
NEXTAUTH_SECRET=your_random_secret_string
NEXTAUTH_URL=http://localhost:3000
BACKEND_URL=http://localhost:8000
API_SECRET=same_secret_used_in_backend
NEXT_PUBLIC_GITHUB_APP_INSTALL_URL=https://github.com/apps/your-app-slug/installations/new
Start the frontend:
npm run devcd github-app
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txtCreate .env (see .env.example):
GITHUB_APP_ID=your_app_id
GITHUB_PRIVATE_KEY=/path/to/your/private-key.pem
GITHUB_WEBHOOK_SECRET=your_webhook_secret
GEMINI_API_KEY=your_gemini_api_key
GEMINI_MODEL=gemini-3-flash-preview
GEMINI_FALLBACK_MODEL=gemini-2.5-flash
GEMINI_TIMEOUT_SECONDS=30
GEMINI_TOTAL_BUDGET_SECONDS=90
GEMINI_REASONING_THINKING_LEVEL=medium
GEMINI_VERIFICATION_THINKING_LEVEL=low
API_SECRET=same_secret_used_in_frontend
DATABASE_URL=sqlite:///./scans.db
Start the backend:
uvicorn app.main:app --reload --port 8000Install smee-client to forward GitHub webhooks to your local machine:
npm install -g smee-client
smee -u https://smee.io/YOUR_CHANNEL_ID -t http://localhost:8000/webhookSet your Smee URL as the webhook URL in your GitHub App settings.
- Install the GitHub App on a test repository
- Open a PR with infrastructure files (
.tf,Dockerfile,k8s.yaml,.github/workflows/*.yml) - Watch the scan results appear on the PR and in the dashboard at
http://localhost:3000/dashboard
Built for Hack the Bay 2026.



