Custom Agents

Define per-repo review agents by dropping .md files into a .lgtm.d/ directory in your repo root.

Creating an agent

Each .md file becomes an agent whose ID is the filename (without .md):

---
label: Security Audit
output: bugs
---

Focus on authentication, authorization, and input validation issues.
Flag any hardcoded secrets or credentials.
Check for SQL injection, XSS, and CSRF vulnerabilities.

Frontmatter keys

Key     Default   Description
label   filename  Display name shown in the review UI
output  bugs      Output type: bugs (inline flags with severity) or notes (general review notes)
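
A pre-merge lint for the agent files described above, as an added example (not the tool's own code). It applies the documented ID rule and defaults. Its own assumptions: a file may omit the frontmatter entirely, the default label is the filename without .md, and unknown keys or output values are rejected so that a typo such as `ouput` fails in CI instead of depending on how the tool treats it. The function names and sample files are constructed for illustration.

```python
ALLOWED_KEYS = {"label", "output"}     # keys listed in the table above
ALLOWED_OUTPUTS = {"bugs", "notes"}    # documented output types

def parse_agent(filename, text):
    """Parse one .lgtm.d/<id>.md file; raise ValueError on anything undocumented."""
    if not filename.endswith(".md"):
        raise ValueError(f"{filename}: agent files must end in .md")
    agent_id = filename[:-3]           # the ID is the filename without .md
    lines = text.splitlines()
    meta, body = {}, lines
    if lines and lines[0].strip() == "---":
        end = next((i for i in range(1, len(lines)) if lines[i].strip() == "---"), None)
        if end is None:
            raise ValueError(f"{filename}: frontmatter is never closed with ---")
        for raw in lines[1:end]:
            key, sep, value = raw.partition(":")
            if raw.strip() and not sep:
                raise ValueError(f"{filename}: not a 'key: value' line: {raw!r}")
            if sep:
                meta[key.strip()] = value.strip()
        body = lines[end + 1:]
    unknown = sorted(set(meta) - ALLOWED_KEYS)
    if unknown:                        # linter policy (assumption), catches typos
        raise ValueError(f"{filename}: unknown frontmatter key(s): {unknown}")
    output = meta.get("output", "bugs")           # documented default
    if output not in ALLOWED_OUTPUTS:
        raise ValueError(f"{filename}: output must be bugs or notes, got {output!r}")
    return {"id": agent_id, "label": meta.get("label", agent_id),
            "output": output, "prompt": "\n".join(body).strip()}

def lint_agents(files):
    """files maps filename -> contents; returns (agents keyed by ID, error strings)."""
    agents, errors = {}, []
    for name, text in sorted(files.items()):
        try:
            agent = parse_agent(name, text)
            agents[agent["id"]] = agent
        except ValueError as exc:
            errors.append(str(exc))
    return agents, errors

# Constructed sample files, standing in for the contents of .lgtm.d/
SAMPLES = {
    "security-audit.md": "---\nlabel: Security Audit\noutput: bugs\n---\n\nFlag hardcoded secrets.\n",
    "docs-check.md": "Check that public APIs have JSDoc/TSDoc comments.\n",
    "perf.md": "---\nlabel: Performance Review\nouput: notes\n---\nFlag N+1 queries.\n",
    "style.md": "---\noutput: inline\n---\nCheck naming.\n",
}
```

Running `lint_agents(SAMPLES)` accepts `security-audit` and `docs-check` and reports `perf.md` (misspelled key) and `style.md` (undocumented output type).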

Output types

bugs

Bug-type agents produce inline annotations with severity levels. These appear directly in the diff view at the relevant line.

notes

Notes-type agents produce general review commentary that appears in the group summary, not inline in the diff.

Examples

Performance agent

---
label: Performance Review
output: bugs
---

Flag N+1 queries, unnecessary re-renders, missing memoization,
and large bundle imports. Check for O(n²) algorithms on large datasets.

Documentation agent

---
label: Docs Check
output: notes
---

Check that public APIs have JSDoc/TSDoc comments.
Flag any breaking changes that aren't documented in the PR description.

Selecting agents

By default, all built-in and custom agents run. To limit which agents run, use the agents key in your .lgtm config:

---
agents:
  - quality
  - security-audit
---