Blog

Automating Developer tasks

Written by Nathan Wilkerson, VP of Engineering | Apr 9, 2025 9:16:11 PM

For our hackathon, we decided to automate some of the more mundane tasks that developers do like documentation and security review.  

To start with we reviewed Git Copilot and Amazon Q Developer. Both of them have features that we could use to complete some of these tasks. The problem was these were often manual commands that had to be run or required additional setup. Which requires training and time to build habits. Our Hackathon Team decided to build on top of the normal developer workflow and use git hooks. 

To get started, a team would attach Metal Toad’s githook repo as a submodule. Once it's added as a submodule they can walk through the quick Readme.md file and complete these three simple steps. 

  1. Ensure Jira API key is added to a credential file. 
  2. Ensure AWS Credentials are set up. (This should be to an account that has access to Amazon Bedrock and the Nova Pro model)
  3. Run a git command to point hooks at the folder they just created. 

This process took me less than 5 minutes and only needs to be done once per repo. (Renewing Credentials needs to be handled from time to time.)

We added three hooks. 

  1. Documentation: This gets a list of changed/deleted files. It will then send several requests to Amazon Nova Pro to create or update Readme files for every folder that has a changed file. More importantly it doesn’t just use the changes for the Readme. But every file inside of that folder.  This means that a well organized code base will document each component, class, or function independently of each other. 
  2. Security: Git and other code review providers do security scans but this is often during pull requests, after a developer has moved on. This hook sends changed files up to Amazon Nova Pro and asks it to grade security risks from LOW to CRITICAL and report back with the line number and the risk. Right now it’s configured to automatically abort on CRITICAL security problems and not allow a commit. With this check we have been able to identify hard coded passwords, SQL Injection vulnerabilities and many more. 
  3. Jira Comments: Last we extract the JIRA ticket number from the branch name or commit message, then post a comment to jira with the commit message and a DIFF of the changes. Eventually we would like this to include the security report as well. 

These new tools will allow Metal Toad developers to improve our coding standards with little or no change to our current work process.
View full post