feat: v0.5.0 — viral improvements (personas, complexity, SAST, notifications, i18n) #26
… badges Replace placeholder Discord/stats badges with PyPI downloads, Python version, and concrete value props. Reposition tagline as "open-source CodeRabbit replacement" for better SEO and immediate clarity on what the project does.
…d custom rules Encourage community engagement with structured discussion templates:
- Show & Tell: users share their setups and results (social proof for README)
- Custom Rules: users share and request review rules (builds ecosystem)
…d fields Add dropdown selectors for platform, provider, command, and feature area. Makes triage faster and helps identify patterns in bug reports.
Algorithmic complexity analysis based on 6 metrics: size, spread, language diversity, cross-module coupling, sensitive files, and code churn. Helps teams enforce small, reviewable PRs. No LLM call needed — instant.
Cover scoring edge cases: empty PRs, multi-language amplification, sensitive file detection, high churn ratios, and format output.
6 built-in personas: default, security-hawk, mentor, nitpicker, quick-scan, dora. Each bundles review style, priorities, tone, and max comments. Teams can set persona: security-hawk in .pr-reviewer.yml instead of writing custom_instructions from scratch. No competitor has this.
Cover all 6 built-in personas, case-insensitive lookup, prompt modification, and default persona pass-through behavior.
- --persona: select review persona (security-hawk, mentor, etc.) from CLI
- --json: output review as structured JSON for CI pipeline integration
- --dry-run: explicit flag for no-post mode (documents existing behavior)
Guided setup that generates .pr-reviewer.yml and workflow YAML. Asks for provider, persona, review style, custom instructions. Auto-detects frameworks (Next.js, venv) to add smart ignore paths. Zero-friction onboarding for new users.
8 curated test cases covering SQL injection, XSS, secrets, N+1 queries, race conditions, eval injection, and clean code. Measures recall/precision of the security scanner. Baseline: 57% recall, 100% precision.
New coverage: path traversal via os.path.join, timing attacks, prototype pollution, open redirect, XXE, ReDoS, JWT secret, mass assignment, file upload, CSRF, insecure cookies, log leaks, hardcoded IPs, TypeScript any abuse, Go defer-in-loop.
Hashes file patches and caches per PR. On subsequent pushes, only files with changed patches go to LLM. Can reduce costs 30-70% on iterative PRs. Cache stored at ~/.pr-reviewer/cache/.
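The patch-hash cache described in the commit above, as an added example that is not the project's own code: each file's patch is hashed, the hashes are persisted per PR, and on the next push only files whose hash differs are handed to the LLM. PRFile, files_to_review and the cache file layout are assumptions.

```python
# Added example, not the project's own code: a per-PR cache holding one content
# hash per file patch, so a later push only sends files whose patch changed to
# the LLM. PRFile, files_to_review and the cache path layout are assumptions.
import hashlib
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Optional


@dataclass
class PRFile:
    filename: str
    patch: Optional[str]  # None for binary or rename-only files (no diff text)

def hash_patch(patch: Optional[str]) -> str:
    """Hash the diff text itself so any edit to it (even whitespace) invalidates
    the cached review for that file; a missing patch hashes as the empty string."""
    return hashlib.sha256((patch or "").encode("utf-8")).hexdigest()

def files_to_review(files, cached: dict) -> tuple:
    """Return (files whose patch hash differs from the cached one, fresh hash map).
    These are hashes of diff content, not secrets, so plain == is the right test."""
    changed, fresh = [], {}
    for f in files:
        h = hash_patch(f.patch)
        fresh[f.filename] = h
        if cached.get(f.filename, "") != h:  # new file or changed patch
            changed.append(f)
    return changed, fresh

def load_cache(path: Path) -> dict:
    """First push of a PR has no cache file yet, so every file gets reviewed."""
    return json.loads(path.read_text()) if path.exists() else {}

def save_cache(path: Path, fresh: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(fresh, sort_keys=True))

if __name__ == "__main__":
    import tempfile
    cache = Path(tempfile.mkdtemp()) / "cache" / "org_repo_42.json"  # constructed
    push1 = [PRFile("app.py", "+x = 1"), PRFile("logo.png", None)]
    changed, fresh = files_to_review(push1, load_cache(cache))  # both files
    save_cache(cache, fresh)
    push2 = [PRFile("app.py", "+x = 2"), PRFile("logo.png", None)]
    changed, fresh = files_to_review(push2, load_cache(cache))  # only app.py
    print([f.filename for f in changed])
```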
Send review summaries to team channels when risk level exceeds threshold. Configurable via .pr-reviewer.yml notifications block. Rich formatting with risk colors, comment counts, and direct PR links.
Weekly/monthly analytics digest: total PRs, risk distribution, severity breakdown, cost trends, top authors, and a 0-100 team health score. Outputs markdown for posting to Slack or GitHub Discussions.
Step-by-step migration with config translation tables, command mapping, and comparison charts. Captures users searching "CodeRabbit alternative" or "switch from PR-Agent".
Add Chinese Traditional, Brazilian Portuguese, Italian, Turkish, Polish, Dutch, and Arabic. Structured language injection into system prompt ensures JSON keys stay English while review text uses target language.
Drop-in rule packs that teams can copy to .pr-reviewer-rules.yml:
- Python/Django: ORM enforcement, migration review, debug detection
- TypeScript/React: no-any, XSS protection, key-as-index, component tests
- Go API: SQL injection, panic handling, error ignoring, TLS verification
Both contained only empty __init__.py files with no code. Reduces confusion for new contributors.
…ucture Add good-first-issue guidance, step-by-step paths for adding security rules, LLM providers, rule packs, and personas. Updated project structure to reflect all new modules (complexity, personas, cache, i18n, notifications).
Runs the golden dataset benchmark when security.py or eval files change. Posts recall/precision results as a PR comment for visibility.
New action inputs allow selecting review persona and configuring notification webhooks directly in workflow YAML without .pr-reviewer.yml. Also expanded language list to 15 supported languages.
…ation sections Major README expansion: document 6 review personas with comparison table, PR complexity scoring explanation, Slack/Discord/Teams notification setup, migration guides from CodeRabbit and PR-Agent, updated feature comparison table and roadmap reflecting all new features.
Add high-traffic keywords (coderabbit-alternative, security-scanner, github-action, devtools). Upgrade status to Production/Stable. Expand description to mention Bitbucket and position as CodeRabbit alt.
…nd i18n Comprehensive config example showing all new features: persona selection, 15-language support, notification webhooks, and organized sections.
Topics cover all major search terms: ai, code-review, github-action, llm, sast, coderabbit-alternative, developer-tools, etc.
SEO-optimized comparison of all major AI code review tools with honest pros/cons, pricing, and setup time. Targets high-traffic search queries.
Updated PH listing with all new features (personas, /fix, SAST, complexity). Added targeted Reddit posts for r/programming, r/devops, and r/selfhosted with different angles for each community.
Additional funding channel alongside GitHub Sponsors.
7 notification tests: summary formatting, risk threshold filtering, empty/null config handling. 8 cache tests: hash consistency, file change detection, cache persistence, missing cache.
Cover all 15 languages, case-insensitive lookup, English passthrough, empty code handling, and language prompt injection content.
Comprehensive changelog covering all 30+ commits: personas, complexity scoring, 15 new SAST rules, notifications, cache, benchmarks, wizard, rule packs, i18n expansion, migration guides, and community improvements.
AI Code Review
This PR introduces significant improvements to the AI Code Reviewer, including new features, security enhancements, and performance optimizations. The changes are extensive, covering 42 files and adding over 3,000 lines of code. Overall, the PR appears well-structured and thoroughly tested.
Type: Feature | Risk: [MEDIUM] Medium | Cost: $0.0031 | Time: 2.4s | Model: llama-3.3-70b-versatile
3 comments: [WARNING] 1 warning · [SUGGESTION] 1 suggestion · [INFO] 1 info
PR Complexity
Complexity: 78/100 (HIGH 4/5)
Breakdown: Lines changed: +30 | Files touched: +15 | Language mix: +3 | Cross-module: +15 | Sensitive files: +15
This PR changes 3375 lines. Consider splitting into smaller, focused PRs for easier review.
This PR touches 42 files across the codebase. Large surface area increases risk of unintended side effects.
Sensitive files changed: .github/workflows/bench.yml, pyproject.toml. Extra review attention recommended.
Security Scan
Found 5 security issues:
- HIGH: 2
- MEDIUM: 3
Categories: auth (1), crypto (1), secrets (2), xss (1)
| - Anthropic (Claude) | ||
| - Google (Gemini) | ||
| - Ollama (local) | ||
| - Azure OpenAI |
[WARNING] Warning
[WARNING] Potential Information Leak: The workflow field in the bug report template may expose sensitive information. Consider adding a note to remind users to remove secrets.
Suggested fix:
| - Azure OpenAI | |
| attributes: | |
| label: Configuration | |
| description: Paste your workflow YAML or .pr-reviewer.yml (remove secrets and sensitive information). |
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.11' | ||
|
|
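Review bot: actions/setup-python@v5 is referenced by a mutable version tag in a workflow this review itself lists as a sensitive file (.github/workflows/bench.yml); consider pinning it to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/setup-python@<commit-sha>  # v5`, and doing the same for the actions/checkout@v4 reference emitted by the wizard's workflow template.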
[SUGGESTION] Suggestion
[SUGGESTION] Improve Benchmark Workflow: Consider adding a step to handle potential failures during the benchmark run, ensuring the workflow doesn't fail unnecessarily.
Suggested fix:
| - name: Run security scanner benchmark | |
| run: python -m tests.eval.bench || echo 'Benchmark failed, but continuing workflow...' |
|
|
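Review bot: the suggested `|| echo 'Benchmark failed, but continuing workflow...'` turns a crashed benchmark into a green step, so a regression in the scanner's recall/precision (the numbers the bench commit says are posted as a PR comment) would pass unnoticed. Prefer `continue-on-error: true` on the step, which keeps the workflow running but still marks the step as failed, or let the step fail and treat the benchmark as a required check.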
||
| # Maximum number of comments per review | ||
| # max_comments: 15 | ||
|
|
[INFO] Info
[INFO] Configuration Update: The updated .pr-reviewer.yml file includes new settings. Ensure these are properly documented and understood by users.
No code changes suggested.
| SecurityRule( | ||
| id="SEC083", | ||
| name="CSRF protection disabled", | ||
| pattern=r"""(?:csrf_exempt|@csrf_exempt|WTF_CSRF_ENABLED\s*=\s*False|CSRF_ENABLED\s*=\s*False)""", |
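Review bot: in the SEC083 pattern the `@csrf_exempt` alternative is redundant, since `csrf_exempt` already matches inside `@csrf_exempt`. Separately, the literal `csrf_exempt` in this regex is exactly what the scanner matched when it reviewed this PR (Matched: csrf_exempt, below), so the rule fires on its own definition; consider excluding the rule-definition module from the security scan, or the project will report this HIGH finding on every change to security.py.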
[HIGH] Security: CSRF protection disabled (SEC083)
CSRF protection disabled. State-changing endpoints are vulnerable to CSRF attacks.
Fix: Enable CSRF protection. Use token-based CSRF for APIs, SameSite cookies for sessions.
Matched: csrf_exempt
| - uses: actions/checkout@v4 | ||
| - uses: mara-werils/ai-code-reviewer@v1 | ||
| env: | ||
| {api_key_env}: ${{{{ secrets.{api_key_secret} }}}} |
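Review bot: `${{{{ secrets.{api_key_secret} }}}}` is an f-string that emits the GitHub Actions expression `${{ secrets.<NAME> }}` into the generated workflow, not a template render, so the SEC012 (unescaped template output) finding below is a false positive triggered by the doubled braces. To stop the wizard's template from being flagged on every run, tighten SEC012 to require a template-engine marker such as `|safe` or `mark_safe(` rather than bare `{{ ... }}`, or skip the `${{` Actions expression prefix explicitly.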
[HIGH] Security: Cross-Site Scripting (template unescaped) (SEC012)
Unescaped template output can lead to XSS.
Fix: Use escaped output. Avoid mark_safe() and |safe unless content is trusted.
Matched: {{{{ secrets.{api_key_secret} }}}}
| current_hash = _hash_patch(f.patch) | ||
| cached_hash = cached.file_hashes.get(f.filename, "") | ||
|
|
||
| if current_hash == cached_hash: |
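Review bot: `current_hash == cached_hash` compares content hashes of file patches used as cache keys, not secrets, so a constant-time comparison is not needed here and the SEC052 finding below is a keyword match on `hash ==`. Consider narrowing SEC052 to identifiers that suggest credentials (token, secret, password, signature) so the project's own cache code stops tripping it, and add a cache test for a file whose `patch` is absent (binary or rename-only files carry no diff text), since `cached.file_hashes.get(f.filename, "")` covers a missing cache entry but the visible lines do not show what `_hash_patch` does with a missing patch.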
[MEDIUM] Security: Timing attack (string comparison of secrets) (SEC052)
String comparison of secrets is vulnerable to timing attacks.
Fix: Use hmac.compare_digest() (Python) or crypto.timingSafeEqual() (Node.js).
Matched: hash ==
|
|
||
| print("\n Next steps:") | ||
| if info["env"]: | ||
| print(f" 1. Add {info['env']} to GitHub repo secrets") |
[MEDIUM] Security: Sensitive data in logs (SEC091)
Sensitive data (password, token, etc.) may be written to logs.
Fix: Redact sensitive fields before logging. Use structured logging with field filtering.
Matched: print(f" 1. Add {info['env']} to GitHub repo secret
| print("\n Next steps:") | ||
| if info["env"]: | ||
| print(f" 1. Add {info['env']} to GitHub repo secrets") | ||
| print(f" Settings > Secrets > Actions > New repository secret") |
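Review bot: these print calls output the name of the environment variable the user must create (`info['env']`) and static navigation text, not a secret value, so both SEC091 findings below are keyword matches on "secrets"/"Secrets" in the literal string. Suggest making SEC091 require a sensitive-looking variable interpolated into the log call (e.g. `{password}`, `{token}`) rather than the word appearing in the literal, and covering this wizard output in the tests as a known-clean case.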
[MEDIUM] Security: Sensitive data in logs (SEC091)
Sensitive data (password, token, etc.) may be written to logs.
Fix: Redact sensitive fields before logging. Use structured logging with field filtering.
Matched: print(f" Settings > Secrets > Actions > New repository secret
Summary
Major release targeting viral growth and feature parity with paid competitors. 31 commits across 42 files (+3,281 lines), 428 tests all passing.
New Features
pr-reviewer init) — interactive config and workflow generator
Community & Virality
Housekeeping
src/context/ and src/server/ modules
Test plan
pytest tests/unit/ -v)
pr-reviewer init wizard flow