The Problem I Was Trying to Solve
AI coding assistants have fundamentally changed how developers work. Claude Code, Cursor, GitHub Copilot; your team is already using them, whether officially sanctioned or not.
But here's what nobody's talking about: what happens after the AI-generated code lands in your repo?
A few hard questions I kept hitting as an architect:
- How do you know an AI tool didn't leak a secret or API key into source code?
- How do you enforce guardrails on what Claude Code or Cursor is allowed to do in your codebase?
- How do you measure AI adoption ROI - not vibes, but actual metrics?
- How do you give security and compliance teams an audit trail for AI-assisted changes?
I didn't find a ready-made answer, so I built one.
What I Built: AI-Governed SDLC
The idea was simple: wrap AI-assisted development in an observable, policy-enforced pipeline; without sending a single byte to the cloud for governance purposes.
Here's the full architecture:
┌─────────────────────────────────────────────────────────────────────┐
│ LOCAL WINDOWS WORKSTATION │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌─────────────────────┐ │
│ │ DEV-1 │ │ DEV-2 │ │ GITEA (Local Git) │ │
│ │ Claude Code │───▶│ Cursor AI │───▶│ + Webhooks │ │
│ └──────────────┘ └──────────────┘ └────────┬────────────┘ │
│ ▼ │
│ AI Config Files: ┌─────────────────────┐ │
│ • CLAUDE.md (guardrails) │ JENKINS (CasC) │ │
│ • .cursorrules (guardrails) │ • detect-secrets │ │
│ • .claudeignore │ • Semgrep SAST │ │
│ • .cursorignore │ • AI Policy Check │ │
│ │ • pytest + cov │ │
│ └────────┬────────────┘ │
│ ▼ │
│ ┌─────────────────────┐ │
│ │ Prometheus + Loki │ │
│ │ Grafana (3 boards)│ │
│ └─────────────────────┘ │
│ AI AGENTS (CrewAI): │
│ Code Review Agent | Test Gen Agent | Architecture Review Agent │
└─────────────────────────────────────────────────────────────────────┘
Let me walk through every layer and the architectural decisions behind them.
Layer 1: AI Guardrail Configs (Before a Single Line is Committed)
The first, and most underrated, layer is controlling what the AI tools are allowed to do in your repo. This happens before any code leaves the developer's machine.
CLAUDE.md
Claude Code respects a CLAUDE.md file in the repo root. Think of it as your AI's onboarding doc and rules of engagement combined. Mine includes:
- Coding standards and patterns to follow
- Files and directories that are off-limits (
.env, secrets, infra configs) - The tag convention: every AI-assisted commit should include
[AI-ASSISTED]in the message - A reminder of what this codebase does, so context isn't lost
.cursorrules
Cursor reads .cursorrules - same concept, different format. I define security rules, architecture patterns to honour, and frameworks to stay within.
Why This Matters Architecturally
Most teams think AI governance starts at the pipeline. It doesn't. It starts at the IDE. These config files are your first line of defence. They're also version-controlled, reviewable, and enforceable through PR policy.
Layer 2: Jenkins CI/CD - The Automated Quality Gate
Every push from either developer (simulated via Git worktrees for the PoC) triggers a Jenkins pipeline configured as code via casc.yaml. Zero-click provisioning.
The pipeline runs six stages in order:
Stage 1: detect-secrets (Secret Scanning)
stage('Secret Scanning') {
steps {
sh 'detect-secrets scan --baseline .secrets.baseline'
}
}
If a developer, human or AI, hardcodes a password, API key, or connection string, this stage BLOCKs the pipeline. Full stop. No exceptions.
I deliberately tested this in the PoC:
echo 'DB_PASSWORD = "super-secret-password-123"' >> app/src/main.py
git add . && git commit -m "feat: add database connection"
git push origin feat/dev1-auth-module
# → detect-secrets fires. Pipeline BLOCKED.
# → secret_leak_attempts_total metric increments in Grafana
That last part, the metric incrementing in Grafana, is what makes this governance, not just a check.
Stage 2: Semgrep SAST
Static analysis runs on every push. Findings are categorised by severity and pushed as metrics:
sast_findings_total{severity="high"}
sast_findings_total{severity="medium"}
sast_findings_total{severity="low"}
Stage 3: AI Policy Check
This stage verifies that AI-assisted commits are tagged correctly (the [AI-ASSISTED] convention). It's lightweight but creates the audit trail compliance teams need.
Stage 4: pytest + Coverage
Automated tests run, and test_coverage_percent is pushed to Prometheus. If you're using the AI Test Generation agent (more on that below), coverage trends are visible in real-time.
Stage 5 & 6: Metrics Push + Notification
All metrics flow: Jenkins → Prometheus Pushgateway (:9091) → Prometheus (:9090) → Grafana (:3001)
Layer 3: CrewAI Agents - Agentic SDLC Roles
This is where it gets interesting. Three CrewAI agents handle roles that traditionally require senior human bandwidth:
Code Review Agent
poetry run python agents/code_review_agent.py \
--branch feat/dev1-auth-module \
--output reports/review-dev1.md
Reviews the diff against architectural standards, security patterns, and codebase conventions. Outputs a structured Markdown report.
Test Generation Agent
poetry run python agents/test_gen_agent.py \
--source app/src/ \
--output app/tests/generated/
Generates pytest test cases for existing source code. In my benchmarks on the sample app, this agent consistently pushed coverage above 70% on the first run.
Architecture Review Agent
poetry run python agents/arch_review_agent.py \
--readme README.md \
--output reports/arch-review.md
Reviews architectural decisions documented in the README against best practices. Useful for PoC validation and ongoing ADR (Architecture Decision Record) hygiene.
The key architectural decision here: agents are invoked as scripts, not as part of the main pipeline. This keeps the CI pipeline fast and deterministic, while agentic tasks run on-demand or asynchronously.
Layer 4: Grafana Observability - Three Dashboards
Grafana is auto-provisioned from grafana/dashboards/ - no manual import needed. Three dashboards, each targeting a different stakeholder:
Dashboard 1: AI SDLC Health
For engineering teams and DevOps. Shows:
- Pipeline pass/fail rate over time
- SAST findings trend by severity
- Secret leak attempt count
- Test coverage percentage trend
- Pipeline duration (a proxy for developer feedback loop speed)
Dashboard 2: Adoption & ROI
For engineering leadership. Shows:
-
ai_suggestions_accepted_totalvsai_suggestions_rejected_total- acceptance rate tells you how well-calibrated your AI tools are - Developer adoption trends over time
- AI-assisted commits as a percentage of total commits
Dashboard 3: Governance & Compliance
For security, risk, and compliance teams. Shows:
- Policy violations timeline
- Guardrail enforcement events
- Audit trail of AI-assisted changes (every
[AI-ASSISTED]tagged commit)
This last dashboard is the one that gets architecture review sign-off in enterprise contexts. Auditors don't want to hear "we're using AI responsibly" - they want to see a dashboard.
The Responsible AI Metrics Model
The full metrics schema:
| Metric | What It Measures |
|---|---|
ai_suggestions_accepted_total |
AI suggestions merged to repo |
ai_suggestions_rejected_total |
AI suggestions discarded |
ai_policy_violations_total |
Guardrail config triggers |
sast_findings_total{severity} |
SAST findings by severity |
secret_leak_attempts_total |
detect-secrets pipeline findings |
test_coverage_percent |
pytest-cov output |
ai_agent_review_score |
0–100 score from code review agent |
pipeline_duration_seconds |
End-to-end pipeline time |
pipeline_success_total |
Successful pipeline run count |
These aren't vanity metrics. The acceptance ratio and policy violation count together tell you whether your AI configs are well-calibrated; if rejection is high, your guardrails are too restrictive; if violations are high, they're too loose.
Setup in 10 Minutes (After Prerequisites)
Prerequisites: Docker Desktop, Python 3.11, Poetry, Semgrep, detect-secrets, Claude Code CLI.
# Clone the repo
git clone https://github.com/saurabh-oss/ai-sdlc-poc
cd ai-sdlc-poc
# Install dependencies
poetry install
# Configure your environment
cp .env.example .env
# Edit .env - add your Anthropic API key for agents
# Bring up the full stack
docker compose up -d
Services spin up at:
- Gitea: http://localhost:3000
- Jenkins: http://localhost:8080 (admin/admin123 via CasC)
- Grafana: http://localhost:3001 (admin/admin)
- Prometheus: http://localhost:9090
Full step-by-step setup is in STEP_BY_STEP_SETUP.md.
To seed the Grafana dashboards with demo data for a presentation:
poetry run python scripts/seed_demo_data.py
Key Architectural Decisions and Trade-offs
Why Jenkins, not GitHub Actions?
Enterprise on-prem teams often can't use cloud-hosted runners. Jenkins + CasC gives you a fully declarative, version-controlled pipeline that runs in Docker with zero cloud dependency. Also, Jenkins is where most enterprise pipeline engineers already live.
Why Gitea, not a real Git host?
Same reason. The PoC simulates a fully air-gapped environment. Gitea gives you webhooks, PR flows, and a familiar UI without touching GitHub or GitLab.
Why CrewAI for agents?
CrewAI's role-based agent model maps cleanly to SDLC personas (reviewer, tester, architect). The role/goal/backstory schema makes agents easy to audit and explain to non-technical stakeholders, which matters when you're pitching this to a governance committee.
Why store metrics in Prometheus rather than a database?
Time-series is the right data model for pipeline metrics. Prometheus + Grafana is the defacto open-source observability stack. Adding Loki for log aggregation gives you correlated log + metric views in Grafana, essential when you're debugging why a specific guardrail fired.
What's Next
This is a PoC, intentionally. Things I'm considering for v2:
- MCP integration: expose the CrewAI agents as MCP tools so Claude Code can invoke them directly from the IDE
- PR-level agent commentary: post the code review agent's output as a Gitea PR comment automatically
- Policy-as-code: move guardrail configs to a shared, versioned policy repo that all projects inherit from
- Ollama support: swap Anthropic API for a local Ollama model for full air-gapped operation
The Bigger Point
AI coding tools are not a risk to be blocked, they're an acceleration to be governed. The SDLC wrapper matters as much as the AI tool itself.
Most teams are doing this backwards: adopting AI tools first, building governance second (or never). This PoC demonstrates that you can build the governance layer first and it actually makes AI tools more adoptable, because it gives security and compliance teams the visibility they need to say yes.
Repo: github.com/saurabh-oss/ai-sdlc-poc
If you're working on AI governance in your SDLC, or trying to get enterprise sign-off on AI coding tools, I'd love to hear what patterns you're using. Drop a comment below.
Saurabh Srivastava is a Senior Enterprise Architect with 16+ years of experience in enterprise architecture, AI/GenAI, and open-source tooling. Building in public at github.com/saurabh-oss. Follow on X: @sauvast | LinkedIn: linkedin.com/in/saurabh-tcs



Top comments (0)