From AI Sidecar to Core DevSecOps Engine
AI code review is shifting from a niche, browser-side assistant into a first-class feature of the DevSecOps platform. Two recent announcements underscore this change. Sonar, long known for its AI code verification and governance, has acquired Gitar, an AI-native code review platform built specifically for the agentic era. At the same time, GitLab’s 19.0 release expands its intelligent orchestration capabilities with agentic merge request workflows and deeper visibility across CI pipelines and supply chains. Together, these moves signal that code verification, security, and automation can no longer be treated as bolt-on tools around the repository. Instead, AI code review is being woven into the same systems that manage merge requests, secrets, and pipelines, so that quality, security, and governance checks happen continuously from the moment code is generated to the moment it ships.

Sonar + Gitar: Consolidating AI Code Review and Verification
Sonar’s acquisition of Gitar unifies AI-native code review with a multilayered code verification platform built for autonomous agents. Sonar will integrate Gitar directly into SonarQube, extending code review from the first line an AI agent writes through to final integration in the codebase. According to Sonar, more than 75% of the Fortune 100 and 7 million developers and their AI agents already depend on SonarQube to safeguard quality, security, and architectural integrity of AI-generated code, with measurable reductions in outages and token usage. By combining Gitar’s agentic AI reasoning with Sonar’s zero-trust, multilayered engine, the company aims to give enterprises a single place to validate output from tools like Claude Code, Cursor, Codex, Devin, or GitHub Copilot. This consolidation marks a shift: AI code review is no longer just a productivity helper, but a strategic layer of code verification and governance.

GitLab 19.0: Agentic Workflows and Self-Hosted AI Models
GitLab 19.0 pushes in the same direction from a platform perspective, framing itself as an intelligent orchestration hub for DevSecOps. The release introduces agentic merge request workflows that extend Developer Flow across the full lifecycle, handling reviewer feedback, conflict resolution, and splitting oversized merge requests while honoring project standards defined in AGENTS.md. Crucially, GitLab now supports self-hosted open-source models, allowing organizations to run AI-assisted code review and analysis without relying on external APIs. This directly addresses the AI paradox: as AI accelerates code generation, it multiplies the need for trustworthy, auditable workflows around review, merging, and compliance. By embedding agentic workflows and self-hosted AI models where developers already work, GitLab reduces the distance between writing code, verifying it with AI, and safely merging it into production pipelines.

Secrets Management and CI Visibility Join AI Code Review
Modern DevSecOps platforms are bundling AI code review with adjacent controls that determine whether code can be trusted in production. GitLab 19.0’s Secrets Manager, now in public beta for Premium and Ultimate tiers, stores credentials inside the same platform that runs code and pipelines, enforcing least-privilege access by tightly scoping each secret to authorized jobs. If a credential is compromised, teams can follow the audit trail to every job and originating pipeline without stitching together external logs. Combined with expanded CI pipeline visibility and supply chain insights, this creates a richer context for AI-driven code verification: reviewers and agents can reason not only about code quality, but also about which secrets, environments, and compliance checks are implicated. The result is an end-to-end DevSecOps platform where AI code review, secrets governance, and pipeline standards reinforce each other instead of existing as fragmented tools.
