GitHub branch rules and AI review gates for a logistics SaaS team
Required reviewers, signed commits, and Cubic AI on pull requests reduced review cycle time and caught SQL injection before merge.
By Simplileap · Published December 2, 2025 · 8 min read
A logistics SaaS company, 35 engineers, Python/Django API and React SPA, merged PRs without consistent review on Fridays; a Sev-2 SQL injection vulnerability reached staging via a well-intentioned reporting hotfix.
Simplileap implemented GitHub Enterprise rulesets: main and release/* protected; two human approvals required; CODEOWNERS for auth, billing, and migrations; signed commits enforced; force-push and deletion blocked.
AI layer: Cubic (AI code reviewer) integrated on all repos with >500 LOC changed; it flags security antipatterns, missing migration tests, and N+1 queries in comment threads that engineers must resolve or dismiss with a written rationale.
Problems: initial noise from AI false positives on Django admin boilerplate, addressed by tuning ignore paths; senior engineers resisted "machine comments" until we showed them three issues caught in month one (raw SQL concatenation, missing CSRF protection on an internal endpoint, a hardcoded AWS key in a test fixture); review-SLA conflicts across India/US timezones, resolved with a rotated on-call reviewer roster.
Complementary automation: Semgrep in CI for OWASP rules; dependency review on Renovate PRs; stale branch cleanup after 30 days.
Outcome: median PR cycle time 2.3 days → 0.8 days; security findings caught pre-merge up 4×; zero production rollbacks in Q4 post-policy. Client anonymized as APAC logistics software vendor.
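The ruleset described above, expressed as a policy-as-code check (an added example, not Simplileap's or the client's own code): it audits a GitHub branch ruleset export for the controls the case study lists, namely coverage of main and release/*, two approvals, CODEOWNERS review, signed commits, and blocked force-push and deletion. The sample ruleset is constructed, and the field names are assumed from GitHub's ruleset REST API; verify them against your own export.

```python
import json

# Constructed sample in the shape of a GitHub ruleset export (field names assumed).
RULESET_JSON = """
{
  "name": "protect-main-and-release",
  "target": "branch",
  "enforcement": "active",
  "conditions": {"ref_name": {"include": ["refs/heads/main", "refs/heads/release/*"],
                              "exclude": []}},
  "rules": [
    {"type": "deletion"},
    {"type": "non_fast_forward"},
    {"type": "required_signatures"},
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 2,
                    "require_code_owner_review": true,
                    "dismiss_stale_reviews_on_push": true,
                    "required_review_thread_resolution": true}}
  ]
}
"""

REQUIRED_REFS = {"refs/heads/main", "refs/heads/release/*"}


def audit_ruleset(ruleset: dict) -> list[str]:
    """Return policy violations for one ruleset; an empty list means compliant."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset not actively enforced")
    include = set(ruleset.get("conditions", {}).get("ref_name", {}).get("include", []))
    findings += [f"{ref} not covered" for ref in sorted(REQUIRED_REFS - include)]
    # Map rule type -> parameters so each required control can be looked up by name.
    rules = {r["type"]: r.get("parameters", {}) for r in ruleset.get("rules", [])}
    for rule_type, label in (("deletion", "branch deletion allowed"),
                             ("non_fast_forward", "force-push allowed"),
                             ("required_signatures", "unsigned commits allowed")):
        if rule_type not in rules:
            findings.append(label)
    pr = rules.get("pull_request")
    if pr is None:
        findings.append("direct pushes allowed (no pull_request rule)")
    else:
        if pr.get("required_approving_review_count", 0) < 2:
            findings.append("fewer than two approvals required")
        if not pr.get("require_code_owner_review"):
            findings.append("CODEOWNERS review not required")
        if not pr.get("required_review_thread_resolution"):
            findings.append("review threads may be left unresolved")
    return findings


def audit_json(text: str) -> list[str]:
    """Parse an exported ruleset and audit it."""
    return audit_ruleset(json.loads(text))


if __name__ == "__main__":
    print(audit_json(RULESET_JSON) or "compliant")
```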
