
PR Review

PR Review is AISafe's automated security review for pull requests. When it is enabled on a Project, every pull request against the project's repository receives an automated security audit: the agent analyzes the changed paths and posts inline comments, with fix suggestions, on the PR.

How it works

  1. A pull request opens or updates on the connected GitHub or GitLab repository.
  2. AISafe detects the pull request, identifies the project, and creates a PR review.
  3. The AI agent fetches the diff, extracts the changed files, and runs a focused security analysis on those paths, leveraging the project's living knowledge base for context.
  4. The agent posts a review on the PR with inline comments on specific lines, including severity ratings and suggested fixes.

Why it's not an assessment

PR review is a project-level continuous capability, not an Assessment. It produces inline PR comments. This keeps the feedback loop tight: developers get security feedback in their existing code review workflow without switching tools.

Setup

To enable PR review:

  1. Create a Project bound to your repository.
  2. Ensure the GitHub App or GitLab integration has PR webhook permissions.
  3. Enable PR review on the project.

See Guide: Set up PR review for a step-by-step walkthrough.

Delivery log

Each VCS-backed project includes a webhook delivery log on the Source tab. Use it to diagnose why a push or pull request did not trigger a review or source sync. Delivery rows show the repository, commit, event type, status, and a readable ignored reason such as an unbound project, branch filter mismatch, or disabled PR review.

The same log is available through the API:

  • GET /api/v1/projects/{id}/webhook-deliveries lists deliveries for a project's bound repository.
  • GET /api/v1/integrations/vcs/connections/{connection_id}/webhook-deliveries lists deliveries for a VCS connection, including deliveries that did not match any project.
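As an added example (not AISafe's own client code), the script below pulls a delivery log through the two endpoints listed above and groups the rows by their ignored reason, so a silent PR or a webhook storm can be triaged from the terminal instead of the Source tab. Only the endpoint paths come from the documentation; the base URL, bearer-token authentication, the top-level `deliveries` envelope, the row field names and the lower-case form of the reason strings are assumptions, and the sample rows are constructed.

```python
"""Triage an AISafe webhook delivery log by ignored reason.

Added example, not AISafe's own client. The two endpoint paths are the
documented ones; the base URL, bearer-token auth, the "deliveries" envelope
and the row field names (repository, commit, event_type, status,
ignored_reason) are assumptions to be checked against the real schema.
"""
import json
import os
import urllib.request
from collections import Counter

# Assumed: neither the base URL nor the auth scheme is stated on this page.
BASE_URL = os.environ.get("AISAFE_BASE_URL", "https://aisafe.example")

# The readable reasons the documentation names, mapped to what clears them.
# The exact key form (lower-case phrase) is an assumption.
REASON_HINTS = {
    "unbound project": "No Project is bound to this repository; create one (Setup step 1).",
    "branch filter mismatch": "The event's branch is outside the project's branch filter; no review or sync runs.",
    "disabled pr review": "PR review is switched off on the project; enable it (Setup step 3).",
}


def _get_json(path, token):
    """GET an API path with a bearer token and decode the JSON body."""
    req = urllib.request.Request(
        BASE_URL + path, headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_project_deliveries(project_id, token):
    """Deliveries for one project's bound repository (documented endpoint)."""
    path = f"/api/v1/projects/{project_id}/webhook-deliveries"
    return _get_json(path, token)["deliveries"]


def fetch_connection_deliveries(connection_id, token):
    """Deliveries for a whole VCS connection, including those that matched no project."""
    path = f"/api/v1/integrations/vcs/connections/{connection_id}/webhook-deliveries"
    return _get_json(path, token)["deliveries"]


def summarize(deliveries):
    """Return (processed_count, Counter of ignored reasons) for a list of delivery rows."""
    processed = 0
    ignored = Counter()
    for row in deliveries:
        if row.get("status") == "ignored":
            reason = (row.get("ignored_reason") or "unknown").strip().lower()
            ignored[reason] += 1
        else:
            processed += 1
    return processed, ignored


def hint_for(reason):
    """Map a readable ignored reason to the corrective action, case-insensitively."""
    return REASON_HINTS.get(
        reason.strip().lower(), "Unrecognised reason; inspect the raw delivery row."
    )


# Constructed sample rows standing in for a connection-level response (not real data).
SAMPLE_DELIVERIES = [
    {"repository": "acme/payments", "commit": "1f3a9c2", "event_type": "push", "status": "processed", "ignored_reason": None},
    {"repository": "acme/payments", "commit": "7b2d0e4", "event_type": "pull_request", "status": "processed", "ignored_reason": None},
    {"repository": "acme/payments", "commit": "9c4e1a7", "event_type": "pull_request", "status": "ignored", "ignored_reason": "disabled PR review"},
    {"repository": "acme/payments", "commit": "9c4e1a7", "event_type": "pull_request", "status": "ignored", "ignored_reason": "disabled PR review"},
    {"repository": "acme/legacy-api", "commit": "03d7f51", "event_type": "pull_request", "status": "ignored", "ignored_reason": "unbound project"},
    {"repository": "acme/payments", "commit": "5e8b3c0", "event_type": "push", "status": "ignored", "ignored_reason": "branch filter mismatch"},
]


if __name__ == "__main__":
    processed, ignored = summarize(SAMPLE_DELIVERIES)
    print(f"{processed} processed, {sum(ignored.values())} ignored")
    for reason, count in ignored.most_common():
        print(f"  {count:>3}  {reason}: {hint_for(reason)}")
```

Run it as-is to see the summary over the constructed rows. Against a live tenant, use `fetch_connection_deliveries` rather than the project endpoint when the complaint is "nothing happened at all": an `unbound project` row never appears in a project's own log, because the delivery was never matched to one.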

Credit consumption

PR reviews consume credits per review. Credit spend is idempotent per pull request: if a webhook storm triggers duplicate reviews of the same PR, AISafe records a single debit rather than one per duplicate.