How DevReview Works

Click 'Install on GitHub' from your dashboard and select which repositories DevReview should review. Permission scope is read-only on code, with comment-write access on PRs.

• ▸GitHub App (not OAuth) — installed at the org or repo level
• ▸Choose specific repos or grant access to all
• ▸No manual webhook config — we register everything for you
• ▸Uninstall anytime from GitHub's settings — full data deletion follows

When you push a branch and open a PR (or push new commits to an existing one), GitHub fires a webhook to DevReview. We immediately queue the review.

• ▸Triggers: PR opened, PR reopened, new commits pushed
• ▸Skipped automatically: draft PRs, bot PRs (Dependabot, Renovate)
• ▸Webhook signed with HMAC-SHA256 — we verify every request
• ▸Free plan limits to 5 reviews/month; Pro is unlimited

DevReview pulls the PR's file changes via GitHub's API using the installation's scoped credentials. We never clone the whole repo — only the changed files.

• ▸Up to 20 files per PR (the most-changed ones first)
• ▸Up to 12,000 characters per file (truncated with marker if larger)
• ▸Generated files filtered out: lock files, minified bundles, build artifacts, images
• ▸Binary files skipped automatically

We send the diff to Anthropic's Claude Sonnet 4.5 with a carefully tuned prompt. The model identifies bugs, security issues, and suggestions — and importantly, knows when to stay quiet.

• ▸Severity ranking: BUG (real defects) > WARN (security/perf) > NIT (style) > PRAISE
• ▸Language-aware checks — Python mutable defaults, Go goroutine leaks, Rust unwrap misuse, etc.
• ▸Framework-aware — React hooks rules, Next.js boundaries, Django ORM patterns
• ▸Hard cap: 8 comments max per PR — we cut nits before bugs
• ▸Code is processed only for the review and is not retained by Anthropic for training

DevReview converts Claude's findings into a single PR review with inline comments on the exact lines that need attention. If a line can't be matched, we fall back to a top-level PR comment so you never lose feedback.

• ▸Comments are posted as a single review (one notification, not eight)
• ▸Each comment includes severity, the issue, and a concrete suggested fix
• ▸Bot author label: 'devreview[bot]' so you can filter or rule-block easily
• ▸If you push new commits, a new review runs — old comments stay as audit trail

Read the comments, fix what matters, ignore what doesn't. DevReview is a first-pass reviewer — your judgment is the final word. Merge when you're ready.

• ▸No 'block merge' enforcement — DevReview never blocks your CI
• ▸You can dismiss the review or mark comments as resolved like any human review
• ▸Subsequent pushes re-review automatically — no manual re-trigger
• ▸Total wall-clock time from PR open to comments: typically under 60 seconds