MergeWatch runs specialized AI agents on every pull request — before your reviewer opens the diff. Security issues, logic bugs, style violations, and architectural risks surface as inline comments. Add your own custom agents for anything else. Your reviewer makes the final call.
AGPL v3 — the whole codebase, not just the parts we’re comfortable showing you.
Runs on AWS · GCP · Azure · Bare metal · Fly.io · Railway
“We switched from our previous review tool after they went closed-source. MergeWatch catches the same issues, costs a fraction of the price, and our infra team can actually audit what's running on our code.”
— Engineering lead, Series B startup
“The security agent flagged a path traversal vulnerability on our first PR. Our human reviewer had been looking at that file for 10 minutes.”
— Senior engineer
Built-in agents and the kind of finding each one reports:
- SQL injection, XSS, secrets, OWASP Top 10 (example finding: "User input passed to exec() without sanitization")
- Null dereferences, off-by-ones, race conditions (example finding: "Array index i+1 can exceed arr.length")
- Naming, dead code, missing types (example finding: "Exported function has no return type annotation")
- PR intent, risk rating, scope (example summary: "Adds rate limiting to /api/upload — medium risk")
- Architecture impact, Mermaid flowchart (example output: "Control flow diagram of changed paths")
All agents run in parallel — including your custom ones. Total latency is bounded by the slowest agent, not the sum. Most reviews complete in under 60 seconds. Define custom agents in .mergewatch.yml with a name and a prompt.
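The fan-out described above, as an added Python sketch that is not MergeWatch's own code: built-in and custom (name + prompt) agents are launched concurrently, each under a per-agent timeout that is reported as a finding rather than stalling the review, and the results are merged critical-first. The agent set, latencies, findings, the timeout and the `.mergewatch.yml` entry shape are constructed assumptions, and a sleep stands in for the model call.

```python
import asyncio
import time
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "warning": 2, "info": 3}

@dataclass
class Agent:
    name: str
    prompt: str
    latency: float  # constructed: simulated model round-trip in seconds
    findings: list  # constructed: (severity, location, message) tuples this agent would report

@dataclass
class Finding:
    severity: str
    location: str
    message: str
    agent: str

# Constructed agent set: the first two mirror the page's built-in agents, the third stands in
# for a custom name+prompt entry from .mergewatch.yml (its exact schema is assumed, not shown).
AGENTS = [
    Agent("security", "Find OWASP Top 10 issues in the diff", 0.3,
          [("critical", "src/api/handler.ts:42", "Unsanitized input passed to exec()")]),
    Agent("bugs", "Find null derefs, off-by-ones and races", 0.2,
          [("warning", "lib/db.ts:91", "Missing null check on optional user")]),
    Agent("license-header", "Flag new files without an SPDX header", 0.1,
          [("info", "lib/new.ts:1", "No SPDX-License-Identifier header")]),
]

async def run_agent(agent: Agent, timeout: float) -> list:
    """Run one agent; a timeout becomes a finding instead of stalling the whole review."""
    try:
        await asyncio.wait_for(asyncio.sleep(agent.latency), timeout)  # stands in for the model call
    except asyncio.TimeoutError:
        return [Finding("warning", "-", f"agent timed out after {timeout}s", agent.name)]
    return [Finding(sev, loc, msg, agent.name) for sev, loc, msg in agent.findings]

async def review(agents: list, timeout: float) -> tuple:
    """Fan every agent out at once, so wall time tracks the slowest agent, not the sum."""
    start = time.perf_counter()
    batches = await asyncio.gather(*(run_agent(a, timeout) for a in agents))
    findings = sorted((f for b in batches for f in b), key=lambda f: SEVERITY_RANK[f.severity])
    return findings, time.perf_counter() - start  # critical-first findings, elapsed seconds

def run_review(agents: list = AGENTS, timeout: float = 1.0) -> tuple:
    return asyncio.run(review(agents, timeout))
```

`run_review()` returns the merged findings and the wall time, which lands near the slowest agent's 0.3 s rather than the 0.6 s the three latencies add up to; lowering the timeout below an agent's latency turns that agent into a "timed out" warning.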
Already checked for you:
- No secrets or tokens detected
- Lock files look clean
- 847 lines scanned across 12 files, 40 known vulnerability patterns checked

Focus your energy on:
- High risk — your attention here will matter most
  Adds authentication middleware to admin routes. One bypass path detected in routes/admin.ts — may be intentional.
| Severity | Confidence | Location | Finding |
|---|---|---|---|
| critical | Likely | src/api/handler.ts:42 | Unsanitized input passed to exec() |
| high | Likely | routes/admin.ts:18 | Auth middleware bypassed on /health |
| warning | Worth checking | lib/db.ts:91 | Missing null check on optional user |
Before you approve, consider:
☐ Is the auth bypass in routes/admin.ts:18 intentional?
☐ Does the new retry logic handle network timeouts?
These are flags, not verdicts. You know this codebase.
Posted as inline review comments + a top-level summary. Re-triggers automatically when new commits are pushed.
Most review tools charge per developer per month. Every engineer you hire makes your bill bigger — the tool that’s supposed to help you scale penalizes growth. MergeWatch prices by PR volume, not headcount. A 5-person team and a 100-person team merging the same number of PRs pay the same.
AGPL v3. Not “source available.” Not a limited open-core wrapper around a closed engine. The full review pipeline — every agent prompt, every orchestrator, every comment template — is in the repo. Your security team can audit it. Your engineers can fork it.
Self-host with a single docker-compose up. Use Anthropic, OpenAI via LiteLLM, Ollama for air-gapped environments, or Amazon Bedrock with IAM-native auth — no API keys to manage. GCP, AWS, Azure, bare metal. If you can run Docker, you can run MergeWatch.
Set up in 2 minutes. No credit card required.