
About KeePassXC's Code Quality Control


Managing a popular open source project is a lot of work and can be very rewarding. This is especially so for a security-critical application such as KeePassXC that enables people around the world to protect their most sensitive information. As such, we have implemented a robust quality control process that ensures all code merged into production is thoroughly reviewed, tested, and signed off on.

Recently, we changed our contribution policy and readme to address code created by Generative AI by adding the following paragraph:

“Generative AI is fast becoming a first-party feature in most development environments, including GitHub itself. If the majority of a code submission is made using Generative AI (e.g., agent-based or vibe coding), then we will document that in the pull request. All code submissions go through a rigorous review process regardless of the development workflow or submitter.”

This statement has sparked a variety of reactions from innocent questions to serious concerns. We want to address them head-on and explain how we use AI and how we keep the project safe and secure.

However, before we can explain our process for AI contributions, we should explain our general code contribution workflow first. The KeePassXC Team has five maintainers with the ability to merge code into the develop branch, including two core maintainers with admin access to the organisation. Code contributions are generally posted to GitHub as a pull request. Code submitted this way runs through our CI pipeline for basic quality assurance and is then tested and reviewed line by line by one of the maintainers. Merging is blocked until at least one maintainer signs off on the changes. If the changes were proposed by a maintainer, another maintainer will do the review. This policy is strictly followed, even for small changes. After the review, the submitted commits are squashed into a single commit to ensure only the tested top state makes it into the main branch, and the CI will run again after the commit is merged.

This process is fully transparent and open for anyone to see, and it does not change with AI. We take no shortcuts. At KeePassXC, we use AI for two main purposes:

1. As an additional pair of “eyes” in code reviews.

   In this function, AI summarises the changes (the least helpful part) and points out implementation errors a human reviewer may have missed. AI reviews don’t replace maintainer code review, nor do they relieve maintainers from their due diligence. AI code reviews complement our existing CI pipelines that perform unit tests, memory checks, and static code analysis (CodeQL). As such, they are a net benefit and make KeePassXC strictly safer. Some examples of AI reviews in action: example 1, example 2.

2. For creating pull requests that solve simple and focused issues, add boilerplate code, and add test cases.

Unfortunately, some people got the impression that KeePassXC was now being vibe coded. This is wrong. We do not vibe code, and no unreviewed AI code makes it into the code base. Full stop. We have used the Copilot agent to draft pull requests, which are subsequently tweaked in follow-up commits and reviewed by a maintainer, openly for anyone to see, with the same scrutiny as any other submission. Good pull requests are merged (example); bad pull requests are rejected (example).

All this is only part of the development process. There are no AI features inside KeePassXC and there never will be!
