Code Genie

You can use Code Genie to automate tasks on the repository contents of DevOps Control that are triggered by pull requests (PRs).

Code Genie automates a wide range of tasks on the contents of a Control repository. You can trigger Code Genie either automatically through webhooks, or manually through the Code Genie button in the Plan user interface.

When you create or update a PR in a repository, Code Genie launches a development container, clones the repository from the PR source branch, runs one or more commands, collects JavaScript Object Notation (JSON) results according to a standardized schema, maps them to PR comments, and can approve or reject the PR.

When you act on a work item in Plan, Code Genie launches a development container in the background, generates code based on the work item description, and creates a branch and pull request with the implementation.

Code Genie is a general-purpose feature for any PR automation task. Trivy Security Scanning, AI Code Review and Automated JUnit Testing are some examples that use Code Genie.

Default Capabilities

The following capabilities are available by default through the configuration file .devops-loop/code-config.jsonc, which is discussed in the Configuration File section.

  • Plan work item implementation: When you act on a work item in Plan, Code Genie reads the work item description and associated comments, generates code, and creates a pull request implementing the requested changes. To use this feature, you must configure a coding CLI token for either GitHub Copilot or IBM Bob.
  • Trivy scanning and AI code review: When you create or update a pull request, Code Genie automatically runs a Trivy security scan followed by an AI-powered code review using GitHub Copilot. The security scan runs independently of the coding CLI token. However, to run the code review, you must have a GitHub Copilot token configured.
  • Interact with Code Genie through PR comments: When you add a comment to a pull request, you can ask Code Genie to explain specific code sections, suggest fixes, or answer questions about the implementation. Code Genie responds directly within the pull request comment thread.

You can use Code Genie for other use cases that include, but are not limited to, the following tasks:

  • Run unit tests on the PR source branch and reject the PR if any test fails.
  • Let a large language model perform a code review for the PR and reject the PR if severe problems are found.
  • Perform language-specific static code analysis, such as clang-tidy for C++ or ESLint for TypeScript, and reject the PR if critical problems are found. For more information, refer to Clang Tools 23.0.0 git documentation and ESLint.
  • Automatically approve small PRs that only involve certain low-risk files, such as documentation files, possibly after performing sanity checks such as spell checking.

Code Genie uses JSON

JSON is the core format used by Code Genie to connect automated tools with pull request (PR) outcomes.

It defines a structured contract between:
  • what runs inside the development container (tools, scripts, analyzers)
  • what Code Genie displays or enforces in the PR (comments and approval decisions)

Code Genie uses JSON in two key areas, configuration and execution results, which are elaborated in the following sections:

Configuration File

When you create a Loop, the Control repo is automatically configured for Code Genie through .devops-loop/code-config.jsonc.

This default configuration defines how Code Genie implements Plan work items, performs pull request security scanning and AI-powered code reviews, and responds to pull request comments.

{
  "code-genie": {
    "workitem": [
      {
        "dev-container": "Copilot",
        "coding-instructions": [/*URL to markdown file, for example https://github.com/WDI-SEA/code-review/blob/master/code-guide.md*/],
        "coding-command": "export GH_TOKEN=${loop_property:copilotclitoken} && cp /opt/run-copilot.ts /usr/code/ && tsx /usr/code/run-copilot.ts --prompt-file=${promptFile} --llm_args=\"--allow-all-tools --model claude-sonnet-4.5\""
      },
      {
        "dev-container": "Bob",
        "coding-instructions": [/*URL to markdown file, for example https://github.com/WDI-SEA/code-review/blob/master/code-guide.md*/],
        "coding-command": "export BOBSHELL_API_KEY=${loop_property:bobtoken} && cp /opt/run-bob.ts /usr/code/ && tsx /usr/code/run-bob.ts --prompt-file=${promptFile} --bob_args=\"--yolo --accept-license --auth-method api-key\""
      }
    ],
    "pull-request": [
      {
        "dev-container": "TrivyScan",
        "interactive": false,
        "custom-commands": [
          {
            "run-trivy": "cp /opt/run-trivy.sh /usr/code/ && chmod +x /usr/code/run-trivy.sh && REPO_URL=https://${platform-fqdn}/control/${repo-owner}/${repo}/src/branch/${pr-branch}/ /usr/code/run-trivy.sh ${code-folder} ${result-json} --reject=high --trivyArgs=\"--scanners vuln,misconfig,secret,license --license-full --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL\""
          }
        ]
      },
      {
        "dev-container": "Copilot",
        "interactive": true,
        "custom-commands": [
          {
            "code-review-command": "export GH_TOKEN=${loop_property:copilotclitoken} && cp /opt/run-copilot.ts /usr/code/ && tsx /usr/code/run-copilot.ts --prompt-file=${promptFile} --llm_args=\"--allow-all-tools --model claude-sonnet-4.5\""
          }
        ]
      }/* Uncomment this block to use IBM Bob Shell for code reviews
      ,{
        "dev-container": "Bob",
        "interactive": true,
        "custom-commands": [
          {
            "code-review-command": "export BOBSHELL_API_KEY=${loop_property:bobtoken} && cp /opt/run-bob.ts /usr/code/ && tsx /usr/code/run-bob.ts --prompt-file=${promptFile} --bob_args=\"--yolo --accept-license --auth-method api-key\""
          }
        ]
      }*/
    ]
  }
}

In the above example, the configuration splits into two sections: "workitem", which defines how Code Genie implements Plan work items by selecting either the GitHub Copilot or IBM Bob entry based on the configured token, and "pull-request", which defines what runs automatically on PR creation or update. Three entries run sequentially: TrivyScan (always active), GitHub Copilot code review (active by default), and IBM Bob code review (commented out). Setting "interactive" to false on TrivyScan runs it entirely in the background, while setting it to true on the AI code review containers allows developers to interact with Code Genie directly through PR comments.

The JSON file provides the following key properties:

@workitem
This property specifies how Code Genie implements a work item from the Plan UI by defining the dev containers and the coding commands and instructions.
@dev-container
This property specifies the name of the dev container to open. The dev container image should be accessible from Code Genie so that it can open the dev container. You must use a non-IDE dev container, since such a dev container opens faster and occupies fewer resources than one that contains an IDE. Because a Code Genie dev container runs in the background without user interaction, including an IDE would be unnecessary overhead. For more information, refer to the non-IDE dev container.
@coding-instructions
This property specifies an array of URLs pointing to markdown files that contain the coding guidelines Code Genie passes to the AI as context. Replace the placeholder comment with one or more URLs to your own coding standards documents.
@coding-command
This property specifies how Code Genie invokes the AI coding assistant to implement a work item. It sets the required authentication token, copies the assistant's runner script into the working directory, and executes the script with a prompt file containing the work item details. Additional arguments can also be provided to configure the model and tool permissions used during code generation.
@pull-request
This property specifies how Code Genie is triggered for pull requests. Code Genie is triggered on PR creation and when more commits are added to the PR.
@custom-commands
This is an array of commands to run in the dev container. They run sequentially in the order specified in the JSON file. The current working directory for each command invocation is the folder in the dev container file system where the Control repository was cloned. Each command is represented by a JSON object in the array, with a single property describing what the command does (for example, "run-trivy"). The value of the property is the actual Unix command-line to invoke in the dev container. It can use any tool or script that is present in the dev container.
@interactive
When set to true, this property allows users to interact with Code Genie through PR comments for AI dev containers.

Variables

Before Code Genie runs a command, it replaces certain variables with actual values:

${platform-fqdn}
Fully qualified domain name of the Loop installation.
${repo-owner}
Owner of the cloned repository (typically a teamspace).
${repo}
Name of the cloned repository.
${pr-branch}
Name of the PR source branch (currently checked out).
${code-folder}
Folder in the dev container where the Control repo is cloned.
${result-json}
Path to the JSON results file (a unique name such as cg-result-10-1.json). An invoked command might choose to generate this file; if it does, the contents must comply with the standardized schema for PR comment translation.
${promptFile}
Reserved runtime placeholder used by the Code Genie backend. It is not a real file path and must not be modified or interpreted in the configuration. During execution, the backend replaces it with the actual generated prompt file that contains the work item context. This ensures the coding command receives the correct input without requiring any manual handling.
Note:
You can use both line comments (//) and block comments (/* */) in the configuration file.

Prompt file

When a loop is created, a prompt file is also created automatically in the Control repo at .devops-loop/code-genie-workitem-prompt.md, that is, in the same location where code-config.jsonc is created.

This prompt is used when you use the Code Genie feature in a Plan work item to implement the work item. You can customize it if needed.

Note:
You must not modify placeholders such as ${targetDir} in the code-genie-workitem-prompt.md, as doing so may lead to unexpected behavior or results.

Using webhooks and runner scripts

Each command-related property like "custom-commands" or "coding-command" in the configuration file invokes runner scripts that are executed inside a dev container by Code Genie to automate tasks such as implementing Plan work items, handling pull request workflows and supporting other customized use cases. For more information, see Runner Scripts.

In addition to the configuration file, Code Genie requires a webhook to be present on the Control repository. For a repository that is created as part of loop creation, the webhook is automatically created. If you create a repository manually, you must create the webhook. See Creating webhooks.

Coding CLI token configuration

For Plan work item implementation and AI code review to function, a coding CLI token must be configured. For more information, see Configuring Coding CLI token.

Execution Result File

The result of running a command can be stored in a JSON result file. The variable ${result-json} expands to the full path of that JSON file. The file name is unique for each command invocation and includes the Control PR number and index within the custom-commands array. For example, the file name can be cg-result-10-1.json if the Control PR number is 10 and the command is the first command in the custom-commands array.

After running the command, Code Genie checks whether a JSON result file is available. If present, it must comply with a standardized JSON schema. The JSON properties are as follows:

@results
This is an array of objects that specify code locations, typically locations within files of the Control repository. Each such object is mapped to a PR comment that is associated with a specific file ("path" property) and a line within that file ("new_position" property). The PR comment text is specified by the "body" property and might use markdown for formatting.
@pr-comments
This is an array of strings, each of which is mapped to a PR comment that is not associated with any file. The strings might use markdown for formatting.
@review
This object can be present to specify whether Code Genie should make a review of the PR as either approved (property "approved" set to true) or rejected (property "approved" set to false). In either case, you can set the "comment" property to a comment explaining the PR approval or rejection.

The following example shows the results JSON file generated by Code Genie when it runs a Trivy scan.

Note:
The format is the same when Code Genie runs a Copilot AI code review, but the contents can be different and the "review" property is not used.

{
  "results": [
    {
      "path": "package-lock.json",
      "new_position": 1,
      "body": "[VULNERABILITY] CVE-2024-29041 | MEDIUM | express (v4.16.0) | Fix: 4.19.2, 5.0.0-beta.3"
    },
    {
      "path": "package-lock.json",
      "new_position": 1,
      "body": "[VULNERABILITY] CVE-2024-43796 | LOW | express (v4.16.0) | Fix: 4.20.0, 5.0.0"
    },
    {
      "path": "package-lock.json",
      "new_position": 1,
      "body": "[LICENSE] MIT | LOW | Pkg: express"
    }
  ],
  "pr-comments": [
    "Started: 2026-05-13T15:28:24Z, Ended: 2026-05-13T15:28:33Z",
    "Findings summary => vulnerabilities: 2, misconfigurations: 0, secrets: 0, licenses: 1, total: 3",
    "Full repository analysis performed. Total number of files scanned: 4, Total files with findings: 1. Local changes detected: 1",
    "",
    "✅ Security scan passed (No issues at HIGH or CRITICAL).",
    "🛡️ Detailed Security Analysis",
    "| File | Line | Type | ID | Severity | Package | Details |",
    "| :--- | :--- | :--- | :--- | :--- | :--- | :--- |",
    "| [package-lock.json](<https://10.83.92.71.nip.io/control/test_ts/testloop/src/branch/testb5/package-lock.json>) | 1 | Vulnerability | CVE-2024-29041 | MEDIUM | express | cause malformed URLs to be evaluated |",
    "| [package-lock.json](<https://10.83.92.71.nip.io/control/test_ts/testloop/src/branch/testb5/package-lock.json>) | 1 | Vulnerability | CVE-2024-43796 | LOW | express | Improper Input Handling in Express Redirects |",
    "| [package-lock.json](<https://10.83.92.71.nip.io/control/test_ts/testloop/src/branch/testb5/package-lock.json>) | 1 | License | MIT | LOW | express | Review Compliance |"
  ],
  "review": {
    "approved": true,
    "comment": "All security checks passed threshold."
  }
}
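As an added example that is not part of Code Genie or its shipped runner scripts, the following Python script implements the ESLint use case listed earlier on this page: it converts ESLint's JSON formatter output into a file matching the result schema above, so each lint error becomes an inline PR comment and the PR is rejected when any error remains. The script name, the /opt path and the availability of python3 in the dev container are assumptions.

```python
"""Added example (not Code Genie's own runner): map an ESLint JSON report to the
Code Genie result-file schema and approve the PR only when no lint errors remain.
Assumed custom-commands entry (python3 in the dev container is an assumption):
  "run-eslint": "npx eslint . -f json -o /tmp/eslint.json; python3 /opt/eslint-to-cg.py ${code-folder} ${result-json} /tmp/eslint.json"
"""
import json
import os
import sys
# Constructed sample in ESLint's JSON formatter layout (severity 2 = error, 1 = warning).
SAMPLE_REPORT = [
    {"filePath": "/usr/code/repo/src/auth.ts", "messages": [
        {"ruleId": "no-eval", "severity": 2, "message": "eval can be harmful.", "line": 12, "column": 5},
        {"ruleId": "no-unused-vars", "severity": 1, "message": "'tmp' is defined but never used.", "line": 3, "column": 7},
    ]},
    {"filePath": "/usr/code/repo/src/util.ts", "messages": []},
]


def eslint_to_result(report: list, code_folder: str) -> dict:
    """One 'results' entry per error, a summary in 'pr-comments', and a 'review' decision."""
    results, errors, warnings = [], 0, 0
    for entry in report:
        rel = os.path.relpath(entry["filePath"], code_folder)  # PR comments need repo-relative paths
        for msg in entry["messages"]:
            if msg["severity"] != 2:
                warnings += 1
                continue
            errors += 1
            # ruleId is null for parse errors, so label those explicitly
            results.append({"path": rel, "new_position": msg["line"],
                            "body": f"[ESLINT] {msg.get('ruleId') or 'parse-error'} | ERROR | {msg['message']}"})
    approved = errors == 0
    verdict = "No ESLint errors." if approved else f"{errors} ESLint error(s) block this PR."
    return {
        "results": results,
        "pr-comments": [f"ESLint summary => errors: {errors}, warnings: {warnings}, files: {len(report)}",
                        ("✅ " if approved else "❌ ") + verdict],
        "review": {"approved": approved, "comment": verdict},
    }


def main(argv: list) -> None:
    code_folder, result_json, eslint_json = argv  # same positional style as run-trivy.sh
    with open(eslint_json, encoding="utf-8") as fh:
        report = json.load(fh)
    with open(result_json, "w", encoding="utf-8") as fh:
        json.dump(eslint_to_result(report, code_folder), fh, indent=2)


if __name__ == "__main__":
    main(sys.argv[1:4])
```

Because the command chains with `;` rather than `&&`, the result file is written even when ESLint exits non-zero, which is exactly the case where the "review" decision matters.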