DevLab
DevLab connects your GitHub or GitLab repositories to SiteBrief. Every deploy is scanned automatically, issues get auto-fixed via PR, and stale pull requests never slip through unreviewed.
What DevLab does
| Feature | What it does |
|---|---|
| Deploy scan | Scans your site after every push: PageSpeed, security headers, SSL, SEO, bundle size |
| Dockerfile analysis | Detects root user, :latest tags, npm install vs ci, missing HEALTHCHECK |
| CI/CD YAML analysis | Finds outdated actions, missing timeout, no npm cache, hardcoded secrets |
| Auto-fix PR | One click to open a GitHub/GitLab PR with the fix applied |
| AI PR verification | After a fix PR is merged, AI re-checks production, takes a screenshot, and posts a verified comment |
| Rollback suggestion | Flags deploys that introduced 1+ critical issues and links to commit history |
| Stale PR notifications | Alerts you when a PR has had no review activity for 48 hours |
| Dependency audit | Weekly scan for vulnerable and outdated npm packages |
| Bundle size tracking | Alerts when your JS/CSS bundle grows more than 10% after a deploy |
| Customer Complaints Radar | Searches Reddit for brand mentions and negative feedback, categorizes by severity, auto-creates tasks |
| Agency Copilot | Weekly digest includes an AI-generated priority action list per client — no manual review needed |
Connect GitHub
Go to Integrations → GitHub and click Connect GitHub. Authorize the OAuth app — SiteBrief gets read access to your repos.
Then go to a site's DevLab tab and select the repo and branch to watch.
Connect GitLab
Go to Integrations → GitLab and connect your GitLab account via OAuth. Then link the repo in the site's DevLab tab.
Per-site tokens (agencies)
If you manage multiple clients who each have their own GitHub or GitLab account, you can connect a separate token per site — so DevLab opens PRs from the correct account for each client.
To connect a site-level token: open a site → DevLab tab → click “Connect a different account just for this site” under the GitHub or GitLab repo panel. After authorizing, DevLab will use that token for all operations on this site.
| Token type | When DevLab uses it |
|---|---|
| Site-level token | Always preferred when set — used for generate PR, rollback, dependency audit, autopilot on this specific site |
| Account-level token | Fallback when no site-level token is configured |
Deploy scan
Every time you push to the watched branch, SiteBrief runs a full scan within seconds:
- PageSpeed score — regression flagged if it drops 15+ points
- Security headers — grade D or F triggers a critical issue
- SSL validity
- SEO meta tags (title + description)
- Bundle size vs. previous deploy — alerts on 10%+ growth
- Dockerfile issues (if a Dockerfile exists in the repo root)
- GitHub Actions workflow issues (if
.github/workflows/exists)
Results appear in DevLab → Deploy Scan History. Notifications with detected issues also appear in the bell icon in the sidebar.
Rollback suggestion
When a deploy scan detects 1 or more critical issues (or 3+ issues of any severity), SiteBrief shows a red Consider reverting this deploy banner inside the scan details.
The banner includes direct links to:
- View commits — commit history on GitHub/GitLab for the branch
- Compare changes — diff view to identify what changed
The same rollback suggestion appears in the bell notification for that deploy.
Auto-fix PR
Many issues have a Fix button in DevLab. One click opens a pull request (or merge request on GitLab) with the exact change applied.
Plan requirements
| Fix type | Free | Pro / Agency / Power Pack |
|---|---|---|
| Security header fixes | ✓ Unlimited | ✓ Unlimited |
| SEO tag fixes | ✓ Unlimited | ✓ Unlimited |
| WP / CI/CD / dependency fixes | ✓ Unlimited | ✓ Unlimited |
| Accessibility issue fixes | — | ✓ Unlimited |
| PageSpeed / cache fixes | — | ✓ Unlimited |
What can be auto-fixed
| Issue | What the PR changes | Confidence |
|---|---|---|
| Security header missing | Adds header to netlify.toml, .htaccess, or nginx.conf | 88% |
| PageSpeed low | Adds long-term cache headers for JS/CSS/fonts | 75% |
| WP_DEBUG enabled | Sets WP_DEBUG to false in wp-config.php | 95% |
| SEO tag missing | Injects tag into layout.tsx, index.html, or robots.txt | 62–90% |
| Dependency vulnerable | Bumps package version in package.json | 82% |
| Dependency outdated | Bumps package version in package.json | 75–88% |
| Dockerfile: no USER | Adds USER node before CMD/ENTRYPOINT | 72% |
| Dockerfile: npm install | Replaces with npm ci | 90% |
| Dockerfile: no HEALTHCHECK | Adds HEALTHCHECK directive | 60% |
| CI/CD: outdated action | Upgrades e.g. checkout@v2 → checkout@v4 | 95% |
| CI/CD: no timeout | Adds timeout-minutes: 15 to all jobs | 70% |
| CI/CD: no npm cache | Adds cache: 'npm' to setup-node step | 82% |
Stale PR notifications
SiteBrief checks every 6 hours for open pull requests and merge requests that have had no review activity for 48 hours — no reviews submitted and no review comments.
When a stale PR is found, a notification appears in the bell icon with:
- PR title and number
- How many hours it has been open without review
- A direct link to the PR/MR
Notifications are deduped — you will receive at most one alert per PR per 24 hours.
Dependency audit
Every Monday at 3:00 UTC, SiteBrief scans your linked repos for vulnerable and outdated npm packages. Results appear as issues in DevLab with one-click fix PRs available.
- Vulnerable — package has a known CVE; fix PR bumps to the patched version
- Outdated (patch/minor) — auto-fixable via PR
- Outdated (major) — flagged but not auto-fixed (breaking changes possible)
Bundle size tracking
SiteBrief measures the total size of JS and CSS assets after every deploy and compares it to the previous deploy. If the bundle grows by more than 10% (or more than 50 KB), an issue is created.
This helps catch accidental large imports, unoptimized images in JS, or missing tree-shaking before they reach users.
AI PR verification
When a DevLab fix PR is merged into the watched branch, SiteBrief automatically verifies the fix on production:
- Waits 5 seconds for the deployment to propagate
- Runs a targeted check based on the issue type (security headers grade, PageSpeed score, SEO meta, or HTTP status)
- Takes a screenshot of the live site via ScreenshotOne
- Sends the screenshot to Claude Vision for a one-sentence visual confirmation
- Posts a comment on the merged PR with the verification result, AI verdict, and screenshot
Customer Complaints Radar
Available on the site detail page (Pro/Agency plans). Searches Reddit for mentions of your client's brand and negative keywords (problem, broken, issue, bug) in the last 30 days.
Claude analyzes each post and assigns:
- Category — ux_bug, checkout, performance, content, pricing, other
- Severity — critical, high, medium, low
- Summary — one-line description of the complaint
Critical and high severity complaints automatically create a maintenance task. You can also create tasks manually per complaint with one click. Scans run weekly (Tuesday 2:00 UTC) or on-demand via the Scan now button.
Agency Copilot
Every Monday, the weekly digest email includes an ⚡ This week's actions section — an AI-generated prioritized list of what needs to be done across all your client sites.
The Copilot considers:
- Sites currently down or with recent incidents
- SSL and domain certificates expiring within 30 days
- PageSpeed scores below 70
- Security header grade D or F
- Open maintenance tasks and pending DevLab PRs
- Broken links detected
The output is a numbered list of up to 5 actions — specific, actionable, no fluff. No manager required.
FAQ
Which branch does SiteBrief watch?
The branch you set in Site Settings → DevLab → GitHub branch. Defaults to main. Only pushes to that branch trigger a deploy scan.
Does DevLab work with monorepos?
Yes — link the same repo to multiple sites, each watching a different branch (e.g. main for production, staging for staging).
What happens if the fix PR is already open?
SiteBrief checks for an existing open PR on the fix branch before creating a new one. If one exists, it is reused.