Set up PR review
Set up automated security PR review on a GitHub repository. Each pull request receives an AI-driven security audit with inline comments and fix suggestions.
Prerequisites
- An AISafe account with manager or higher role
- The AISafe GitHub App installed on your repository (see GitHub integration)
- A Project created for the repository
Step 1: Connect GitHub
Connect your GitHub organization or personal account first:
- Navigate to Integrations and click Connect GitHub.
- Authorize the AISafe GitHub App and select the repositories to include.
- Ensure the App has pull request webhook permissions for the target repository.
Step 2: Create a project
- Navigate to Projects and click New Project.
- Enter a project name and select the connected repository as the source.
- Save the project.
The project is now the continuous security entity for this repository. It owns a living knowledge base that will accumulate context across scans.
Step 3: Enable PR review
- Open the project you created.
- Go to the PR Review tab or settings section.
- Toggle Enable PR review.
- Configure any options (e.g. which branches to review, severity threshold for comments).
PR review is now active. The next pull request against the repository will trigger an automated security review.
Step 4: Open a test PR
To verify the setup works:
- Create a branch on your repository and introduce a deliberate vulnerability (e.g. an SQL injection in a query).
- Open a pull request.
- Within a few minutes, AISafe posts a review on the PR with inline comments identifying the vulnerability and suggesting a fix.
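A concrete shape for the test PR's deliberate vulnerability, as an added example that is not part of AISafe's documentation or code: the first function splices user input into the SQL text (the defect the review should flag) and the second is the parameterized form the review's fix suggestion should point toward. Python and an in-memory SQLite database are assumptions made here so the fixture runs offline; the user rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows for the fixture (not real records).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "o'brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately vulnerable version for the test PR: the caller's input is
    formatted into the SQL string, so the database parses it as SQL rather
    than as a value. This is the line an inline review comment should land on."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix a reviewer should suggest: a parameterized query. The driver
    binds `name` as data, so quotes or keywords inside it cannot change the
    structure of the statement."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> dict:
    """Run both versions on the same input and report what each returns,
    capturing a SQL error from the vulnerable version instead of raising."""
    conn = make_db()
    try:
        vulnerable = find_user_vulnerable(conn, name)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    safe = find_user_safe(conn, name)
    conn.close()
    return {"input": name, "vulnerable": vulnerable, "safe": safe}


if __name__ == "__main__":
    # A legitimate name containing an apostrophe breaks the vulnerable
    # version (syntax error) while the parameterized version finds the row.
    print(compare("o'brien"))
    # An input that closes the quote rewrites the WHERE clause in the
    # vulnerable version and returns every row; the safe version returns none.
    print(compare("x' OR '1'='1"))
```

Committing only `find_user_vulnerable` on the test branch is enough to exercise the review; keeping `find_user_safe` beside it in the fixture lets you check that the posted fix suggestion matches the parameterized form rather than, say, manual escaping.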
If a pull request does not trigger a review, open the project's Source tab and check Webhook deliveries. The delivery log shows whether AISafe received the PR or push event and why it was ignored, such as no project bound to the repository, a branch filter mismatch, PR review disabled, or insufficient credits. The Integrations page also shows recent webhook deliveries per VCS connection, including events that could not be matched to a project.
How comments appear
AISafe posts review comments on the specific lines of the diff, similar to a human code reviewer. Each comment includes:
- The vulnerability type and severity
- A brief explanation of the issue
- A suggested fix (code snippet where applicable)
Credit consumption
Each PR review consumes a small number of credits. Credit spend is idempotent: if a webhook storm triggers duplicate reviews for the same PR, the platform records one debit.
Next steps
- Set up scheduled scans: add recurring full scans
- Monitor for regressions: catch reverted fixes
- Features: PR Review: understand the capability in depth