// Reviews GitLab merge requests by fetching changes, analyzing code against project guidelines, and posting inline comments. Use when user asks to "review MR", "check merge request", "code review", "review !123", or provides a GitLab MR URL.
| name | gitlab-mr-code-review |
| description | Reviews GitLab merge requests by fetching changes, analyzing code against project guidelines, and posting inline comments. Use when user asks to "review MR", "check merge request", "code review", "review !123", or provides a GitLab MR URL. |
Fetch MR changes → analyze using code review guidelines → get user approval → post inline comments to GitLab.
glab CLI authenticated (glab auth status).claude/agents/code-reviewer.mdDefault Project: epm-cdme/mermaid-server (ID: 19214)
For other projects, specify --repo <PROJECT> in glab commands.
From user input:
!123 → 123https://gitbud.epam.com/epm-cdme/mermaid-server/-/merge_requests/123 → 123# Get MR metadata
glab mr view <MR_ID> --repo epm-cdme/mermaid-server
# Get diff refs (required for inline comments)
glab api "projects/:id/merge_requests/<MR_ID>" --repo epm-cdme/mermaid-server | \
jq '{base_sha: .diff_refs.base_sha, start_sha: .diff_refs.start_sha, head_sha: .diff_refs.head_sha}'
# Store SHAs for Step 5
For large PRs: Pull and checkout the branch locally:
git fetch origin
git checkout <source_branch>
Validation:
merged/closed → ask user if should continueRead guidelines: .claude/agents/code-reviewer.md
For large diffs: Read key changed files directly from checkout
Analyze against project patterns:
Classify findings:
Present findings with position details:
## Proposed Comments for MR !<ID>
### Critical Issues (<count>)
**[1]** 🚨 CRITICAL: <Title>
- **File:** `path/to/file`
- **Line:** 45 (new_line)
**Issue:** <description>
**Impact:** <what could go wrong>
**Fix:**
---
### Major Issues (<count>)
**[2]** ⚠️ MAJOR: <Title>
- **File:** `path/to/file`
- **Line:** 23 (new_line)
**Issue:** <description>
**Fix:** <solution>
---
**SHA References:**
- base_sha: `<sha>`
- start_sha: `<sha>`
- head_sha: `<sha>`
REQUIRED: Get explicit approval before posting.
Found X critical and Y major issues. Choose action:
1. Approve all - Post all comments
2. Select specific - e.g., "1,3,5"
3. Edit - Modify before posting
4. Cancel - Don't post
Default to Cancel if unclear.
IMPORTANT: Inline comments can ONLY be placed on lines that appear in the diff (added/modified/deleted lines).
Before posting, confirm the target line is actually changed:
# Check if line appears in diff (look for the line content)
glab mr diff <MR_ID> --repo epm-cdme/mermaid-server | grep -A2 -B2 "the_code_on_that_line"
If the line isn't in the diff, you cannot post an inline comment there. Use a general MR comment instead.
For added/modified lines (lines with + in diff):
printf '%s' '{
"body": "**🚨 CRITICAL: Issue Title**\n\nDescription of the issue.\n\n**Impact:** What could go wrong.\n\n**Fix:**\n```\n# Fixed code\n```",
"position": {
"position_type": "text",
"base_sha": "<BASE_SHA>",
"start_sha": "<START_SHA>",
"head_sha": "<HEAD_SHA>",
"old_path": "<FILE_PATH>",
"new_path": "<FILE_PATH>",
"new_line": <LINE_NUMBER>
}
}' | glab api --method POST "projects/19214/merge_requests/<MR_ID>/discussions" --input - -H "Content-Type: application/json"
For deleted lines (lines with - in diff):
printf '%s' '{
"body": "Comment on deleted code",
"position": {
"position_type": "text",
"base_sha": "<BASE_SHA>",
"start_sha": "<START_SHA>",
"head_sha": "<HEAD_SHA>",
"old_path": "<FILE_PATH>",
"new_path": "<FILE_PATH>",
"old_line": <LINE_NUMBER>
}
}' | glab api --method POST "projects/19214/merge_requests/<MR_ID>/discussions" --input - -H "Content-Type: application/json"
If inline comment fails (line not in diff), post as general discussion:
printf '%s' '{
"body": "**🚨 CRITICAL: Issue Title**\n\n**File:** `path/to/file` **Line:** 411\n\nDescription..."
}' | glab api --method POST "projects/19214/merge_requests/<MR_ID>/discussions" --input - -H "Content-Type: application/json"
| Error | Cause | Solution |
|---|---|---|
line_code can't be blank | Line not in diff | Verify line is actually changed; use general comment if not |
position is invalid | Wrong SHA or missing field | Re-fetch diff_refs; ensure old_path + new_path both present |
new_line is invalid | Line number doesn't exist | Check actual line numbers in the new file version |
✓ Posted X/Y comments to MR !<ID>
- Critical: <count>
- Major: <count>
- Failed: <count> (if any)
View: https://gitbud.epam.com/epm-cdme/mermaid-server/-/merge_requests/<ID>
| Error | Solution |
|---|---|
glab: command not found | Install: brew install glab |
not authenticated | Run glab auth login |
MR not found | Verify ID: glab mr list --repo epm-cdme/mermaid-server |
HTTP 415 | Add -H "Content-Type: application/json" |
HTTP 400 position is invalid | Verify SHAs and position fields match (new_line vs old_line) |
| Comment not inline | Ensure JSON has complete position object |
Standard review:
User: "Review MR !42"
→ Fetch metadata + SHAs
→ glab mr diff 42 --repo epm-cdme/mermaid-server
→ Read .claude/agents/code-reviewer.md
→ Analyze: 1 critical, 2 major
→ Show proposals with file/line/position
→ User: "Approve all"
→ Post inline comments via glab api
→ Summary with MR URL
Large MR:
User: "Review !38" (20 files)
→ Warn: Large diff
→ git checkout source_branch
→ Read key files directly
→ Focus on Dockerfile, Makefile, CI config
→ Present findings → User approval → Post
Selective posting:
→ Find 5 issues [1]-[5]
→ User: "Post 1,3,5"
→ Post only selected comments
Manages git commits with Jira tickets (EPMCDME-xxx format), pushes, and GitLab MR creation. Works in any GitLab repository — repo info is detected at runtime. Use this skill whenever the user says "commit changes", "push changes", "create MR", "make merge request", "push and open PR", or any similar GitLab workflow request. Enforces Jira ticket format in commit messages.
Use this skill when the user asks to "fix a CVE", "remediate a vulnerability", "patch a security issue", "address trivy findings", or provides one or more Jira ticket IDs related to security/CVE. Acts as a security lead to guide CVE remediation from ticket analysis through Dockerfile patching, container build, and Trivy verification. Always use this skill for security-related Jira tickets even if the user just pastes a URL or ticket ID without saying "security".