
AI review + security · one platform

Catch risks before you merge. Merge only what passes.

Native reviews on GitHub & GitLab, plus the MG Lab VS Code extension—AI review, security scans, and @mergeguards fix. One platform, no CI YAML.

  • Parallel agents
  • Risk scores
  • OSV + Trivy scans
  • Auto-fix commits
  • 980 files reviewed
  • 3,561 bugs reported
  • 100 bugs fixed

  • 2-click install
  • 20 free PR reviews/mo
  • No credit card
  • Private repos

How container scan works

Two paths. One pull request.

Your review ships in seconds on the fast path. Image CVEs follow on a separate async path—same PR, second comment when the build finishes.

Comment 1: ~30s · Comment 2: async

Dockerfile on the PR

MergeGuard detects a Dockerfile change and queues an image build—without blocking the main review.

Sample review

See what lands on your PR or MR

Real review shape: risk score, severities, and inline findings—before you install anything.

acme/api-service #482
GitHub pull request with MergeGuard AI review summary and inline security finding

MergeGuard summary

Risk score 35 / 100

Medium merge risk. Auth middleware change touches request path—verify session handling on edge cases.

  • High: Missing null check before token decode
  • Medium: New env var not documented in README
  • Low: Prefer const for immutable binding

Reply @mergeguards fix on an inline thread to push a patch commit.

One roof · parallel agents

Stop paying for a stack of pricey AI tools

Many teams bolt on different models and vendors for review, security, and dependencies—each with its own bill. MergeGuard runs specialized agents in parallel, merges the signal, and posts one native review with the strongest scans on every pull request.

acme/api-service · PR #482

Parallel agents

  • Code review
  • OSV lockfile
  • Trivy security

Merge risk

48

/ 100 · ~2 min review


mergeguard

bot · just now

Medium

Potential issue — missing null check before decode() on the authorization header.

@@ src/auth/middleware.ts @@
− if (!token) decode(token);
+ if (!token) return unauthorized(res);
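Review bot: The added line in src/auth/middleware.ts handles only the missing-token case, and the removed line was the only decode(token) call this hunk shows. Confirm that decode(token) still runs for a present token after the new guard, and that a decode() failure on a malformed token also ends in unauthorized(res) rather than an unhandled exception.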

Reply @mergeguards fix for an auto-commit

Security · merged findings

3 signals · 1 comment

  • OSV

    lodash@4.17.20 · CVE-2021-23337

  • Trivy

    AWS key pattern in .env.example

  • AI

    Missing null guard before decode()

Also available natively on GitHub & GitLab

Why teams use MergeGuard

Faster reviews + better code

We do the heavy lifting on the diff—you do the final 10%.

Catch fast. Fix fast.

Reply @mergeguards fix on inline findings—MergeGuard generates the patch and commits to your branch.

Explore all features

Security scanning · now built in

Security scans are live in every review

Open-source security scanners are built into your AI code review—no separate tool to install. OSV dependency CVEs, Trivy filesystem scans, and async container image scanning on Dockerfile PRs are live on Pro+.

OSV · Live now

Dependency CVEs from your npm lockfiles, on every pull request.

  • Known CVEs in package-lock.json
  • Severity + advisory links inline
  • Zero setup — on by default

Trivy · Live now

Filesystem vulns, leaked secrets, and IaC misconfig in the same review.

  • Hardcoded secrets & credentials
  • Vulnerable OS / language packages
  • Terraform & Dockerfile misconfig

Container · Live · async

Docker image CVE scans when a PR changes a Dockerfile—queued in the background so reviews never wait on image build.

  • Image build + CVE scan without blocking your review
  • Follow-up PR comment with severity-grouped CVEs
  • Available on Pro+ plans

How it works

Stays in GitHub. You stay in flow.

One pipeline from push to protected merge—AI review, security scans, and PR commands inline on your diff. Install once; no separate dashboard.

Install the GitHub App or connect GitLab once. Every opened, synced, or reopened pull request triggers MergeGuard automatically—no CI YAML to maintain.

4 tabs · context switching
Review portal · SSO login · Email digest · Status page

Sign in required

Leave GitHub to view findings in an external dashboard.

Context lost · extra clicks · slower merges

PR commands

Drive follow-ups from the same thread

After the review lands, reply with commands—no context switch to another tool.

@mergeguards fix · All plans

Reply on an inline finding to generate a patch and commit it to the PR.

@mergeguard-followup · Paid

Re-run AI review on the current PR after new commits or discussion.

@mergeguards deep-scan · Paid

Deeper pass for security and architectural risk—ideal before merging large changes.


Powered by

  • OpenAI
  • Anthropic
  • GitHub
  • GitLab
  • Railway

Customer stories

Why teams prefer MergeGuard

It flagged a subtle async bug on a PR I was about to approve—the kind of thing we used to find in staging. Happy we have it on every pull request now.

David

Pro · Backend engineer

Inline comments and @mergeguards fix save hours—I apply patches from the PR instead of hunting issues after merge.

Ron

Pro · Full-stack developer

MergeGuard caught a leaked env pattern and a vulnerable dependency in the same PR—both fixed before merge. Reviews feel consistent.

Prathiba

Pro · Tech lead

The risk score helps us focus on high-impact bugs first. Issues that used to slip through on busy review days get caught early.

Shawn

Pro · Staff engineer

Self-serve setup

Get your first review in minutes

No scheduled demo—we walk you through install with short videos and docs. Most teams are live on their first pull request the same day.

  1. Connect GitHub or GitLab

    Sign in with the provider that owns your repos—no MergeGuard password.

  2. Install or link repos

    GitHub App install or pick GitLab projects from your dashboard.

  3. Open a PR or MR

    Your first AI review usually lands within a minute on the diff.

Prefer GitLab? GitLab walkthrough

Free tier · 20 reviews/month

Your next PR reviewed in minutes

Install the GitHub App or connect GitLab—review and scans on every PR or MR.
