AI Code Review.
Any model. Pay per use.
GitSniff catches security flaws, performance issues, and bugs in every Pull Request. Multi-model AI review. Pay per use, not per seat.
Right where you work
GitSniff posts findings as native GitHub comments. No context switching, no new tabs. Your team sees results right in the PR.
⚠️ Security – The encryption key derivation uses Buffer.from(rawKey.slice(0, 32), 'utf8').
The encryption key derivation uses Buffer.from(rawKey.slice(0, 32), 'utf8'). While the .env.example instructs generating a 32-byte hex string (64 characters), this code only takes the first 32 characters and treats them as UTF-8 bytes. This limits the key material to the hex character set (0-9, a-f), resulting in only 128 bits of entropy (4 bits per char * 32 chars) for an AES-256 key, significantly weakening the encryption.
Three features. One powerful workflow.
Code Review, Chat, and Auto-Fix work together so your team ships faster and safer.
Code Review
Every PR gets a thorough, context-aware analysis. GitSniff reads the diff, runs security scans, checks for performance anti-patterns, and surfaces actionable findings with severity levels and code suggestions.
Hardcoded API key in webhook handler
The Stripe secret key is hardcoded in the source code. Move it to an environment variable to prevent credential leakage.
Missing database index on frequently queried column
The `subscription_id` column in the `payments` table is used in WHERE clauses but lacks an index. This causes full table scans on high-traffic queries.
The key on line 23 is in the main handler, not in a test file. It will be included in the production build.
I recommend moving it to process.env.STRIPE_SECRET_KEY and adding it to your .env file.
Want me to generate an auto-fix for this?
Chat
Disagree with a finding? Need more context? Just @mention GitSniff in any PR comment. It remembers the full diff, understands your codebase, and responds with nuanced explanations — not canned answers.
Auto-Fix
One click to generate fixes for every finding. GitSniff writes the code, shows you the diff, and optionally commits it directly to your branch. You stay in control — just review and merge.
Wrap async handler in try/catch with error logging
Add index on subscription_id column
Defense in depth
Multiple security scanners and AI models work together. When one misses something, another catches it.
2 of 3 models flagged issues, with 1 escalating to critical due to the hardcoded secret. Consensus: treat as critical — the credential exposure warrants immediate action.
Up and running in 2 minutes
No config files. No YAML. Just install the GitHub App and open a PR.
Install the GitHub App
One click to connect. Select the repos you want GitSniff to watch. No tokens to manage.
Open a Pull Request
Push code like you always do. GitSniff triggers automatically on every PR.
Get actionable feedback
Receive findings with severity, code diffs, and one-click fixes — right in the PR.
Why teams switch to GitSniff
Pay for impact, not headcount
No per-seat fees. Invite your whole team — PMs, QA, juniors. You only pay when a PR is reviewed.
Reviews in under 2 minutes
Stop waiting hours for human reviewers. Get thorough, context-aware feedback instantly on every PR.
Works with your workflow
Native GitHub integration. No new tools to learn. AI findings appear as regular PR comments.
100+ AI models
Not locked into one provider. Choose from Claude, GPT-4o, Gemini, DeepSeek, Llama, and more via OpenRouter.
Security-first
Bearer, Semgrep, Trivy, and ESLint run on every PR. Catch OWASP vulnerabilities before they reach production.
LLM Council mode
For critical PRs, multiple models review independently and a chairman synthesizes the consensus.
Ship better code today
Free to start. No credit card required. Unlimited team members.