execution evidence for code review

The runtime reviewfor your PRs

AI is creating more PRs, but reviewers still only see the code changes — not what happened when the code ran.

Garnet records what ran during execution and attaches that record directly to the PR you already review.

Install Garnet Read docs

Review faster. Trust your PRs. Merge with confidence.

dev-sarah pushed 1 commit 12 minutes ago

Add rate limiter to /api/auth

c91fa03

coding-agent pushed 1 commit 3 minutes ago

Update dependency lockfile

Verifiede7b42d1

garnetbotcommented 2 min ago

coding-agent introduced a new outbound connection in the build-and-test workflow at 4f7a2c1.

47 processes · 4 connections · 123 files

PROCESS LINEAGE

Runner.Worker

└─ bash

├─ bash

│ └─ curl

+ │ scan.aquasecurtiy.org

├─ entrypoint.sh

│ └─ trivy

+ │ check.trivy.dev

└─ python3.12

+ boundary.dfinity.network

+ td tqy-oyaaa-aaaaa-af2dq-cai.raw.icp0.io

View Run Profile →

How it works

One step. Record and review every run.

Supercharge and ground your existing code review workflows with execution context from jobs.

Add Garnet

One workflow step attaches our eBPF sensor to the runner to watch every run.

.github/workflows/ci.yml

+3 −0

1steps:
2  - uses: actions/checkout@v4
3+  - uses: garnet-org/action@v2
4+    with:
5+      api_token: ${{ secrets.GARNET_API_TOKEN }}

02
Run normally
Your tests, builds, installs, publish jobs, and agent workflows run as usual.
D
dev-sarah pushed to feat/rate-limiter
Some checks pending
2 in progress, 1 successful
build-and-test4m 02s
garnet profile
publish
≤2% CPU · no proxy · no code change
03
Review the Run Profile
Into a record of what happened in that PR, at a system-level. Feedback surfaced in GitHub, Slack alerts and where you work.
garnetbotcommented just now
attention
Run Profile ready on build-and-test #4823 — 1 new egress flagged
5 runtime checks passedView Run Profile →
one record · same context on every surface

The primitive

A record of what ran.

agent-run #5120per-run behavioral record

agent-harness:1

claude-code:30

bash:58

curl:63

169.254.169.254

python3:47

scoped to claude-code · commit e7b42d1 · actor coding-agent

Lineage

Process lineage

Which step spawned which binary, down to the syscall.

Network

Network egress

Every outbound connection, attributed to the process that made it.

Files

File access

What was read, what was written, and which process touched it.

Checks

Runtime checks

What matched baseline, what changed, and what deserves review.

evidence from real runs

Run Profile

attention

gstack — JS build baseline

5 domains · all expected

Garry Tan's Claude Code setup. Node reached only the npm registry and GitHub. This is what a clean JS project looks like at the syscall level.

registry.npmjs.org · api.github.com

Run Profile

fail

Aqua Trivy — compromised action exfiltration

12 domains · 1 unexpected

A profiled Trivy run. The record shows entrypoint.sh spawning a curl POST to scan.aquasecurtiy[.]org — a domain that's nowhere in the build's expected egress — with the process ancestry tracing it straight back to the action.

check.trivy.dev · python3.12 · bash

bash

curl scan.aquasecurtiy[.]org

Run Profile

fail

Clinejection — postinstall exfiltration

1 egress · webhook.site

npm install triggered a postinstall shell that spawned curl to webhook.site — a connection absent from normal installs. The lineage names the exact step.

Devin sandbox — three tools, one ancestry

3 tools · 4 domains

Jibril inside a Devin sandbox. The agent reached the network three different ways — curl, python3, wget — each traced back through bash to the agent harness.

httpbin.org · python3

chainstack.com · wget

ipify.org

Run Profile

fail

SHA1-HULUD — 492-package npm campaign

492 packages · postinstall egress

A coordinated npm campaign across 492 typosquat packages targeting Zapier, PostHog, Postman, and ENS. Across the profiled installs the record shows obfuscated postinstall scripts spawning node and reaching out from the install step — the same shape, package after package.

Claude Code — 13 connections, self-reported

13 connections · self-reported

Claude Code, MCP, and Jibril in one CI run. All 13 connections recorded. The agent reads its own profile to summarize what it did.

systemd

Runner.Worker

claude-code

13 connections recorded

AI-written summary

Run Profile

attention

gstack — JS build baseline

5 domains · all expected

Garry Tan's Claude Code setup. Node reached only the npm registry and GitHub. This is what a clean JS project looks like at the syscall level.

registry.npmjs.org · api.github.com

Run Profile

fail

Aqua Trivy — compromised action exfiltration

12 domains · 1 unexpected

check.trivy.dev · python3.12 · bash

bash

curl scan.aquasecurtiy[.]org

Run Profile

fail

Clinejection — postinstall exfiltration

1 egress · webhook.site

npm install triggered a postinstall shell that spawned curl to webhook.site — a connection absent from normal installs. The lineage names the exact step.

Devin sandbox — three tools, one ancestry

3 tools · 4 domains

Jibril inside a Devin sandbox. The agent reached the network three different ways — curl, python3, wget — each traced back through bash to the agent harness.

httpbin.org · python3

chainstack.com · wget

ipify.org

Run Profile

fail