Sandbox build & test runs


What sandbox runs do

On paid plans, GitAlert can do more than read the diff. It can build your project and run its existing tests on the pull request inside a throwaway sandbox, then report whether the change actually holds up — not just whether CI is green.

This turns "the tests pass" into evidence: GitAlert can see whether the tests passed before and still pass after the change, and flag a regression the diff introduced.

On the free plan, GitAlert never executes your code — triage there is based only on reading the diff.

How your code is protected

Sandbox runs happen in an isolated, single-use environment operated by our sandbox provider, which is destroyed after every run. The isolation is deliberate:

  • Default-deny networking. The sandbox can only reach your Git host and the public package registries it needs to install dependencies — nothing else.
  • No secrets. GitAlert passes no credentials into the sandbox. It clones your repository over HTTPS to run the build; it does not carry your CI secrets, environment variables, or tokens.
  • Separated from our systems. The sandbox has no access to GitAlert's own infrastructure or database.
  • Ephemeral. The workspace is torn down as soon as the run finishes.

Note: because the sandbox has no secrets and no privileged network access, a malicious or buggy PR can't use a GitAlert run to exfiltrate data or reach anything sensitive.

What the sandbox reports

The sandbox result is folded into the same neutral check and label. It contributes signals such as:

  • whether the project built successfully,
  • whether the test suite was green on the base and green on the head,
  • whether the change caused a regression.

If a sandbox run can't complete for any reason, GitAlert fails soft: the static diff-based verdict still stands, and the label is never worse than what the diff alone justified.
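The folding rule above (build signal, base/head test comparison, and fail-soft fallback to the static verdict) as a small model, added here for illustration and not GitAlert's own code. The severity scale `SEVERITY`, the `SandboxRun` fields and the exact mapping of signals to severities are assumptions; the page names the signals and the fail-soft rule but not the label names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed severity scale, mildest first; index order is what "worse" means below.
SEVERITY = ("clean", "attention", "regression")


@dataclass(frozen=True)
class SandboxRun:
    """Constructed record of one sandbox run (field names are assumptions)."""
    completed: bool                    # False if the run could not finish for any reason
    built: Optional[bool] = None       # head revision built successfully
    base_green: Optional[bool] = None  # test suite passed on the base revision
    head_green: Optional[bool] = None  # test suite passed on the head revision


def sandbox_signal(run: SandboxRun) -> Optional[Tuple[str, str]]:
    """Severity and reason derived from sandbox evidence alone.

    Returns None when the run did not complete, so the caller can fall back
    to the static diff-based verdict (fail-soft).
    """
    if not run.completed:
        return None
    if run.built is False:
        return "regression", "head revision failed to build"
    if run.base_green and run.head_green is False:
        return "regression", "tests green on base but red on head"
    if run.base_green is False:
        # Suite was already red before the change: nothing attributable to the PR.
        return "clean", "tests red on base; no regression attributable to the change"
    return "clean", "built, tests green on base and still green on head"


def fold_verdict(static_severity: str, run: SandboxRun) -> Tuple[str, str]:
    """Combine the diff-based verdict with the sandbox result.

    A completed run can raise severity when it shows a regression. When the run
    did not complete, the static verdict stands, so the label is never worse
    than what the diff alone justified.
    """
    signal = sandbox_signal(run)
    if signal is None:
        return static_severity, "sandbox run incomplete; static diff verdict stands"
    sb_severity, reason = signal
    if SEVERITY.index(sb_severity) > SEVERITY.index(static_severity):
        return sb_severity, reason
    return static_severity, f"static verdict kept ({reason})"
```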

Enabling sandbox runs

Sandbox runs require a paid plan and are configured by us at the infrastructure level. Once available on your plan, GitAlert uses them automatically on eligible pull requests — there's nothing to add to your repository. See the pricing page for which plans include sandbox runs.