open source · MIT · $0 to run

A first-pass code review on every pull request.

RepoSentry reviews PRs the moment they open: it reads the diff, flags bugs, security smells, and style issues, and leaves inline comments with concrete fixes. It won't replace your senior engineer — it makes sure they never see the obvious stuff.

Next.js · Hono · Groq (free tier) · Postgres · MCP

acme/checkout-service · PR #142 · src/payments/intent.ts
reposentry · reviewed 38s after open

critical · security · Raw SQL built with string interpolation

`tenantId` comes from a request header and is interpolated into the query. Any caller can inject SQL. Use a parameterized query:

- db.query(`SELECT * FROM intents WHERE tenant_id = '${tenantId}'`)
+ db.query('SELECT * FROM intents WHERE tenant_id = $1', [tenantId])

+2 more findings · overall risk: critical

in plain english

It's spellcheck — but for bugs and security holes in your code.

On GitHub, every code change goes through a pull request before it ships. Normally a teammate has to read it and point out mistakes by hand. RepoSentry does that first read automatically: the moment a pull request opens, it studies exactly what changed and leaves comments on the specific lines that look wrong — with a plain explanation and a fix you can apply in one click.

  1. You open a pull request. Some code changed and you want it merged.

  2. RepoSentry reads the change and asks an AI: are there bugs, security holes, or risky patterns here?

  3. It comments on the exact lines — what's wrong, why it matters, and the corrected code.

  4. Everything is logged in a dashboard so you can see history, severity, and trends.

What it catches

  • Security holes — e.g. SQL injection, where unescaped input could let an attacker read your whole database.

  • Real bugs — money stored as decimals, off-by-one errors, race conditions, unhandled failures.

  • Performance & style — slow queries, unbounded loops, and maintainability smells.

It's a first pass, not a replacement for a human reviewer. It clears the obvious stuff so people can focus on design.

How it works

The same flow, with the technical detail.

  1. PR opens, webhook fires

     The GitHub App receives pull_request events, verifies the HMAC signature, and queues a review — one at a time, respecting free-tier rate limits.

  2. The engine reads the diff

     Changed files are filtered (lockfiles and generated code skipped), chunked to fit the context window, and reviewed by Llama 3.3 70B on Groq with strict JSON output.

  3. Inline comments, exact lines

     Findings are validated, anchored to real diff lines, deduplicated, and posted as one review: inline comments with suggested fixes plus a summary and risk rating.

mcp server

The same reviewer, inside your editor.

RepoSentry ships as an MCP server. Plug it into Claude Code or Cursor and call review_diff on uncommitted changes before you even push — same engine, same rules, no GitHub round-trip.

  • review_pull_request — full PR review, structured findings
  • review_diff — any unified diff, no GitHub needed
  • list_recent_reviews — review history
  • explain_finding — deep dive on one finding
// .mcp.json (Claude Code) or Cursor settings
{
  "mcpServers": {
    "reposentry": {
      "command": "node",
      "args": ["apps/mcp/dist/index.js"],
      "env": { "GROQ_API_KEY": "gsk_…" }
    }
  }
}

> claude "review my staged changes with reposentry"

Run it yourself. Keep your code.

MIT licensed, built entirely on free tiers: Groq for inference, Neon or Supabase for Postgres, Upstash for Redis, Vercel and Railway for hosting. Local dev needs nothing but Docker and a Groq key.

git clone https://github.com/ft-prince/RepoSentry.git
cd RepoSentry && docker compose up -d
pnpm install && pnpm db:push && pnpm db:seed
pnpm dev   # web :3000 · api :3001 · mcp :3002