Would you use a self-hosted CI/CD platform where an AI sets up your whole pipeline — and refuses to ship your leaked API keys? (idea validation, nothing to sell)
Hey everyone — before I sink into building this, I want to know if it's something you'd actually use or if I'm solving a problem only I have.
The idea: an open-source, self-hostable DevOps platform (think Dokploy-style dashboard) with its own CI/CD engine — not a wrapper around GitHub Actions — where an AI agent acts as your DevOps engineer.
The flow:
- Login → connect GitHub (or GitLab), create a project
- The AI scans your repo, asks you 2–3 questions (deploy target? env vars?), and builds the full pipeline in the dashboard — build, test, deploy stages. Nothing is pushed to your repo at this point.
- Every pipeline includes mandatory security stages: secret scanning across all files (yes, including that API key you pasted into a
.mdfile), dependency CVE checks, container image scanning. If it finds a leaked key, the pipeline halts and the AI opens a fix PR — removes the secret, moves it to the secret store, and reminds you it's still in Git history and needs rotating. - Only after the first pipeline run passes does it open one PR to your repo with all the generated files — Dockerfile, the pipeline config, deploy files — with the green run and staging URL linked as proof it actually works. Merge it, and from then on everything lives in your Git. Delete the platform tomorrow and you keep working configs.
- After that it keeps working: failed builds get diagnosed in plain English with a fix PR instead of a red X and 4,000 log lines. Production incidents get a timeline, probable cause, and one-click rollback.
The parts I think this sub will care about:
- Fully self-hostable, single
docker compose up, targeting a cheap VPS. Own runners — no GitHub Actions minutes, no Git-host lock-in - BYO LLM key — Anthropic/OpenAI, or point it at local Ollama. No hidden inference bill; your code never leaves your box with a local model
- Zero lock-in by design: after the first successful run, every config (including the CI/CD definition) is committed to your repo
- The AI never touches prod without approval — everything is a PR or a gated action with a full audit log
I know Coolify and Dokploy exist (I use and like them) — they give you a dashboard and templates. This gives you an agent that reasons about your specific repo, enforces security by default, and maintains the setup over time. Closer to "a DevOps engineer that works for you" than "a deploy panel."
My questions for you:
- Would the "proof-first PR" (config PR arrives only after a passing run) be enough for you to trust merging AI-generated configs?
- Is the built-in secret/CVE scanning with auto-fix PRs genuinely valuable to you, or is that already covered in your setup?
- Own CI/CD engine vs. wrapping GitHub Actions — do you care? Would you prefer your CI not depend on GitHub at all?
- What's the first thing you'd be afraid it would break?
Brutal honesty welcome. If the answer is "nobody wants this," better to hear it now.