Help
FAQ
The most common questions about PRMergeSafe. Email us if you don't see yours.
Questions
How is this different from other AI code review tools?
Most AI code review tools comment on style, naming, "consider using" patterns, and minor refactors. PRMergeSafe ignores all of that. We only flag things that actually break production: breaking API changes, data risks, security holes, dependency conflicts, missing auth checks.
The goal is signal, not volume. If your team is already burnt out on AI review noise, PRMergeSafe is the opposite philosophy.
Do you store my code?
We fetch the diff and the current contents of changed files (via the GitHub API, using your install's short-lived token) to run the analysis. Once analysis completes, the diff and file contents are discarded. We only store: PR metadata (title, repo, PR number), the analysis output (risk level, findings, score), and token usage for billing. We never store full source code at rest.
What about false positives?
Every HIGH or CRITICAL finding goes through an adversarial verification step before being posted — a second AI pass tries to disprove the finding. If the verifier can find evidence the original analysis missed (mitigating code elsewhere, compensating logic in callers, etc.), the severity is downgraded or the finding is dropped entirely. This cuts the false-positive rate substantially — you get real risks, not noise. PRs touching protected paths get even more verification.
What about missed issues (false negatives)?
We optimize for a low false-positive rate first because noisy tools get ignored and stop being useful. That means we will miss some real issues — usually subtle ones that require context only a human reviewer has. PRMergeSafe is not a replacement for code review by a teammate — it's a fast first pass that catches the obvious-but-easy-to-miss stuff.
Does it analyze every PR or only some?
Every PR is analyzed by default. The only exception: PRs with [skip-prmergesafe] in the title or the skip-prmergesafe label are ignored entirely (and not charged credits). Draft PRs are analyzed unless you skip-tag them.
Can I disable it for specific repos?
Yes. Go to /dashboard/repos and toggle off any repo you want PRMergeSafe to skip. The GitHub App stays installed, but no analysis runs and no credits are charged.
How fast is it?
End-to-end (PR opened → comment posted): usually 30–90 seconds. The status check appears within ~1 second. Larger PRs touching many files can take longer — up to a few minutes for 10,000+ line PRs.
What languages and frameworks do you support?
Any language. The analyzer is language-agnostic — it reads the diff and the file contents, then reasons about safety. We've seen it work well on TypeScript, JavaScript, Python, Go, Rust, Java, Ruby, PHP, C#, and more. Some categories (like dependency manifest changes) work best on languages whose package files we recognize (package.json, requirements.txt, go.mod, etc.) but the core analysis works for anything.
Can I have different settings for different repos?
Yes. Org-wide defaults live in /dashboard/settings. Each repo can override (or extend) any of: custom rules, protected paths, risk threshold, notification preferences. Per-repo settings live on the repo's page in /dashboard/repos.
How do I cancel?
On /dashboard/billing, click Manage subscription. This opens the customer portal where you can cancel anytime. You retain access through the end of your current billing cycle.
I think a finding is wrong / unfair. What now?
Email hello@prmergesafe.com with a link to the PR. False positives help us improve — we tune the prompt based on real cases. If the issue is repeatable (PRMergeSafe keeps flagging the same correct pattern), we'll prioritize a fix.
Still stuck?
Email hello@prmergesafe.com. We're a small team, but we reply to every email — usually within a day.