Features

GitHub AI code review built for safer merges

Automated pull request review, inline PR comments, security & dependency scanning, risk scoring, and AI auto-fix—installed as a GitHub App in minutes. No new CI YAML required.

MergeGuardAgent · GitHub App · AI PR review · Inline comments · Security scan · Trivy + OSV · Risk score 0–100 · Auto-fix commits
Connect free

Native on GitHub

Reviews post on Conversation and Files changed—no separate dashboard required.

Security-first

Secrets, dependencies, injection patterns, and deep-scan for high-risk merges.

Actionable fixes

Reply @mergeguards fix on inline findings to generate patches on your branch.

Team-ready

Usage metering, unlimited repo connections, and dashboards that scale from solo devs to engineering orgs.

AI coding tools + MergeGuard

Works Alongside Your Favorite AI Coding Tools

Generate code with AI.
Validate it with MergeGuard.

Copilot, Cursor, and Claude Code help you ship faster—MergeGuard is the review layer that catches security risks, logic errors, and AI-generated mistakes before they reach production.

  • Cursor
  • Visual Studio Code
  • GitHub Copilot
  • Claude Code

Step 1

AI generates code

Step 2

MergeGuard validates

  • Catch hallucinated APIs, missing guards, and logic bugs AI assistants skip
  • Security scans on AI-generated diffs before you commit or open a PR
  • Same MergeGuard account for VS Code, Cursor, GitHub, and GitLab

Cursor, VS Code, Copilot, and Claude Code are trademarks of their respective owners. MergeGuard is an independent review tool that works alongside them.

Live now · MergeGuardAgent

AI code review inside your editor

Catch issues on the file you're editing or your local git diff—before the pull request. Install MergeGuardAgent from the VS Code Marketplace and sign in with your MergeGuard account.

  • Review Current File — AI review of the active editor tab with diagnostics in Problems
  • Review Git Diff — check uncommitted changes before you open a PR
  • Security Scan — OSV + Trivy on lockfiles, Dockerfile, Terraform, and YAML
  • Explain Issue — plain-language breakdown and one-click Apply Fix when available
  • Same MergeGuard account, plan, and monthly review limits as GitHub & GitLab
  • Works in VS Code, Cursor, VS Code Insiders, VSCodium, and Windsurf
Editor mockup (user.service.ts open in MergeGuardAgent):

    export class UserService {
      async updateUser(…) {
        // finding: SQL injection risk
      }
    }

MergeGuardAgent sidebar — review file, git diff, or run a security scan from your editor
Live now · vs PR-only reviewers

Understand code — not just review diffs

CodeRabbit shines on open pull requests. MergeGuard Code Explorer helps you navigate brownfield code every day: onboarding, incidents, refactors, and "what happens if I delete this?"

  • Works without a pull request — dashboard, editor, or PR conversation
  • Explain flows, find similar code, trace root causes, and check delete safety
  • Repo-aware context: imports, search hits, and related files
  • Same commands on GitHub PRs, GitLab MRs, MergeGuardAgent, and Dashboard → Explore
  • Pro+ for connected repos; free on local files via MergeGuardAgent

Open Explore · Command reference →

Core commands
  • /ask — Ask anything
  • /explain-flow — Explain flow
  • /find-similar — Find similar
  • /root-cause — Root cause
  • /impact — Impact analysis
  • /can-delete — Can delete?
  • /why-exists — Why exists
PR example: @mergeguards explain-flow src/auth.ts
OSV live · Trivy live · Container live

Trivy + OSV security inside your PR workflow

MergeGuard combines AI code review with open-source security scanners in one PR workflow—OSV dependencies, Trivy filesystem scans, and async container image CVEs when Dockerfiles change.

  • OSV — npm lockfile CVEs merged into every PR review
  • Trivy — filesystem vulns, secrets & misconfig in the same pipeline
  • Container — async Dockerfile image scan with Trivy (Pro+, follow-up comment)
  • One Conversation summary and inline threads on GitHub & GitLab
Screenshot: GitHub pull request showing the MergeGuard Security review section with OSV and Trivy findings in the review summary
Security review block on Conversation—OSV dependency CVEs and Trivy findings merged with your AI code review.
New · Team plan+

AI test generation on pull requests

On Team plan and above, MergeGuard spots missing test coverage in the diff, then commits generated specs to your branch: tick Use the agent to generate tests on the review comment, or post @mergeguards generate-tests.

  • Detects changed source files without matching test updates after each review
  • Review summary plus a checkbox to use the agent to generate tests (updates in place)
  • Creates new spec files or extends existing tests—up to three files per run
  • GitHub pull requests and GitLab merge requests
Read the test generation guide →
Live now · Async · Pro+

Container image CVE scan on Dockerfile PRs

MergeGuard builds your PR's Docker image in the background and scans it for CVEs—without slowing down your main review. Your team sees AI findings right away; image vulnerabilities arrive in a second native PR comment.

Diagram: Dockerfile PR on GitHub or GitLab gets a fast main review comment, then a follow-up comment with container image CVEs after background build and scan
  • Triggers when a PR changes a Dockerfile, Dockerfile.*, or *.dockerfile
  • Main review posts immediately—image build and CVE scan run in the background
  • Follow-up comment with image CVEs grouped by severity (Critical → Info)
  • GitHub and GitLab native comments—no extra CI YAML
Read the container scan guide →
Container scan follow-up
Screenshot: GitHub pull request showing the MergeGuard async container scan follow-up comment with CVE findings grouped by severity
When a PR changes a Dockerfile, MergeGuard posts the main review immediately—then a follow-up comment with image CVEs when the background scan finishes.

See automated review on GitHub & GitLab

Platform-specific walkthroughs with real screenshots—risk scores, recommended fixes, and inline security findings where your team already reviews.

GitHub demo · GitLab demo · MergeGuardAgent demo · Dashboard demo · Install MergeGuardAgent

Screenshot: GitHub pull request showing a MergeGuard AI review with risk score, finding counts, recommended fixes, and an inline security comment on the diff

Full feature catalog

Everything included in MergeGuard for GitHub pull requests—from first install to enterprise controls.


Code Explorer

Understand brownfield code every day — not only on pull requests. CodeRabbit stops when the PR closes; MergeGuard does not.

explain-flow · root-cause · impact · onboarding
  • /explain-flow — map control & data flow
  • /find-similar — duplicates & patterns
  • /root-cause — trace bugs & errors
  • /impact — blast radius before you edit
  • /can-delete — dead code & safe removal
  • /why-exists — purpose & history hints
  • Dashboard Explore + MergeGuardAgent + PR commands
Live now

MergeGuardAgent

PR-grade AI review from your editor—review the current file, local git diff, or lockfiles before you push.

VS Code · Cursor · MergeGuardAgent
  • Review Current File with editor diagnostics
  • Review Git Diff (uncommitted changes)
  • Security scan — OSV + Trivy on lockfiles & IaC
  • Explain Issue and Apply Fix in-editor
  • Same account & plan as GitHub / GitLab reviews
  • VS Code, Cursor, Insiders, VSCodium, Windsurf

AI Pull Request Review

Automated GitHub pull request review that reads your diff like a senior engineer.

AI code review · PR bot
  • Line-by-line review on every push
  • Code smells & logic bugs
  • Maintainability suggestions
  • Duplicate code detection
  • Architecture concerns
  • Summary + inline threads

Risk Score Engine

Explainable merge risk scoring for pull request governance.

PR risk score · merge confidence
  • Risk score 0–100 per PR
  • Severity breakdown (critical → info)
  • Regression likelihood signals
  • High-risk file detection
  • Large PR warnings

Auto Fix with AI

GitHub-native auto-fix: from inline finding to committed patch.

@mergeguards fix · AI patch
  • @mergeguards fix on inline threads
  • Patch committed to your branch
  • Lint & null-check fixes
  • Follow-up with @mergeguard-followup

Security Review

Pull request security scanning before code reaches production.

PR security · secrets scan
  • Secrets & credential leaks
  • Insecure auth changes
  • OSV / npm dependency signals
  • Injection & permission risks
  • @mergeguards deep-scan (paid)
  • Trivy filesystem, secrets & misconfig
  • Async container image CVE scan on Dockerfile PRs (Pro+)

Trivy + OSV Security

Open-source scanners merged into MergeGuard PR reviews—OSV for npm lockfile CVEs today, Trivy for broader coverage.

Trivy · OSV · CVE · Dependencies
  • OSV npm dependency CVEs on every PR (live)
  • Trivy vulns, secrets & misconfig
  • Container image scan — Kaniko + Trivy async (Pro+)
  • Findings merged with AI review before we comment
  • Combined risk score 0–100
  • Same GitHub App / GitLab connect—no extra workflow

Test Intelligence

Detect missing tests on GitHub PRs and GitLab MRs (Team plan+), then commit specs in one step.

test coverage PR · AI test generation
  • Team plan and above
  • Missing tests on changed source files
  • Test coverage section in review summary
  • Use the agent to generate tests (checkbox on PR comment)
  • @mergeguards generate-tests command
  • Create new specs or extend existing tests

Team Productivity

Engineering metrics for review velocity and merge health.

team dashboard · PR analytics
  • Review time analytics
  • PR bottlenecks
  • Reviewer workload
  • Slow merge alerts

GitHub Native Workflow

Install the MergeGuards GitHub App—webhooks, checks, and PR comments included.

GitHub App · webhooks
  • pull_request & issue_comment events
  • Inline review on Files changed
  • Status checks & badges
  • Auto re-scan on push

Multi-Language Support

AI code review for the languages your monorepo already uses.

TypeScript · Python · Go
  • JavaScript & TypeScript
  • Python
  • Java
  • Go
  • C#
  • PHP
  • Ruby
  • Rust

Enterprise Controls

Compliance-ready controls for regulated engineering teams.

SSOaudit logs
  • SSO / SAML (Growth)
  • Audit logs
  • Custom policy rules
  • Private model option
  • Self-hosted (roadmap)

Frequently asked questions

Does MergeGuard support GitLab?

Yes. Sign in with GitLab OAuth, connect projects from your dashboard, and get automated merge request reviews with inline findings and @mergeguards fix on Changes tab threads—the same command model as GitHub.

Does MergeGuard review large PRs?

Yes. MergeGuard analyzes large pull requests and merge requests, surfaces high-risk file and size signals in the risk score, and recommends @mergeguards deep-scan on paid plans when a diff needs a deeper pass.

Does MergeGuard support monorepos?

Yes. Install on a monorepo repository (GitHub App or connected GitLab project) and reviews run on each PR/MR diff. MergeGuard supports TypeScript, JavaScript, Python, Go, Java, Ruby, Rust, and other languages in the same repo.

How does MergeGuard compare to CodeRabbit?

Both review GitHub pull requests with AI. MergeGuard emphasizes merge risk scores, security-oriented deep-scan, and @mergeguards fix commits from inline threads. CodeRabbit is known for rich PR conversation and summaries. See our MergeGuard vs CodeRabbit and best AI PR review tools pages for a full comparison.

How does MergeGuard generate tests on a pull request?

After a review on Team plan or above, MergeGuard detects changed source files without matching test updates and adds a Test coverage section to the review summary. Tick Use agent to generate tests or reply @mergeguards generate-tests to commit new or extended spec files on your branch (GitHub and GitLab). Free and Pro plans do not include test generation on PRs.

Does MergeGuard replace human code review on GitHub?

No. MergeGuard augments your team with automated AI pull request review, security signals, and suggested fixes—you keep final merge decisions.

Where do MergeGuard comments appear?

On the pull request Conversation tab and as inline comments on Files changed (GitHub), or MR Overview and Changes discussions (GitLab)—where developers already review code.

How is MergeGuard different from GitHub Copilot for PRs?

MergeGuard is a dedicated GitHub App and GitLab integration focused on merge governance: risk scores, security/dependency checks, inline findings, and @mergeguards fix commits on your branch.

Ready to protect every merge?

Install the MergeGuards GitHub App for automated AI pull request review—free tier includes inline review and @mergeguards fix.

Connect free