Automated GitHub PR code review agent powered by Claude. Works like Sourcery — installs as a GitHub App, reviews pull requests automatically, and posts detailed inline feedback.
- Automated PR Reviews — Triggered by GitHub webhooks on PR open/sync/reopen
- On-Demand Reviews — Comment
@<bot> reviewon any PR to trigger a review (opt-in) - Sourcery-Style Output — Summary, Reviewer's Guide with file table, mermaid diagrams, overall comments, inline findings, and a collapsible "Prompt for AI Agents" section
- OAuth Login — Use your Claude Pro/Max/Team subscription instead of an API key
- Multiple LLM Providers — Anthropic (Claude), OpenAI, or any compatible API
- Safety Checks — Anti-prompt-injection fencing, canary verification, and output safety validation via a secondary model
- Rule Engine — Configurable rules for skipping files, adjusting severity, adding focus areas, and more
- TUI Dashboard — Real-time terminal UI with stats, review table, live logs, and manual review trigger (
--tui) - MCP Support — Connect Model Context Protocol servers for additional tools (linting, type checking, etc.)
- Rate Limiting — Per-repository rate limits with burst support and user bypass lists
- Access Control — Whitelist by organization, user, or repository (with glob patterns)
- Sandboxing — Isolate code analysis in a restricted environment (Linux)
- Go to Settings > Developer settings > GitHub Apps > New GitHub App
- Set the webhook URL to
https://your-server:3000/webhook - Generate a webhook secret and a private key
- Permissions needed:
- Pull requests: Read & Write
- Checks: Read & Write
- Contents: Read
- Issues: Read & Write (for comments)
- Subscribe to the Pull request webhook event
- (Optional) Grant Issues: Read & Write, then subscribe to Issue comment for
@bot reviewtriggers - Install the app on your repositories
cp config.toml.example config.toml
cp .env.example .envEdit .env:
GITHUB_WEBHOOK_SECRET=your-webhook-secret
ANTHROPIC_API_KEY=sk-ant-... # if using API key authEdit config.toml:
[github]
app_id = 123456
private_key_path = "private-key.pem"
[auth]
method = "api_key" # or "oauth"
[llm]
provider = "anthropic"
model = "claude-sonnet-4-6"# Build
cargo build --release
# API key auth
./target/release/claude_review
# OAuth auth (use your Claude subscription)
./target/release/claude_review login --manual
./target/release/claude_review
# With TUI dashboard
./target/release/claude_review --tuiSet ANTHROPIC_API_KEY (or OPENAI_API_KEY / LLM_API_KEY) in your .env file or environment.
Use your Claude Pro, Max, or Team subscription instead of an API key:
./claude_review login # Opens browser for auth
./claude_review login --manual # For headless servers (paste code manually)
./claude_review status # Check auth status
./claude_review logout # Remove credentialsSet method = "oauth" in config.toml under [auth].
Every review includes these components (similar to Sourcery):
| Component | Description |
|---|---|
| Summary | Categorized bullet points: new features, enhancements, bug fixes, chores, docs, security |
| Reviewer's Guide | PR description, file-level changes table, and optional mermaid diagram |
| Overall Comments | High-level feedback: architecture concerns, missing tests, N+1 patterns, etc. |
| Inline Findings | Line-specific comments with severity (critical/warning/info/nitpick) and category (bug_risk/security/performance/etc.) with concrete code suggestions |
| Prompt for AI Agents | Collapsible section with structured markdown that can be pasted into an AI coding assistant to auto-fix issues |
| Check Run | GitHub check with pass/fail status and annotations on specific lines |
Run with --tui for a real-time terminal dashboard:
+-- Claude Review -- 0.0.0.0:3000 -- Auth: OAuth -- Up: 5m --+
| Reviewed: 12 Active: 1 Failed: 0 Rate Limited: 0 |
+-- Recent Reviews -------------------------------------------+
| siiway/api-testing #4 Done 8.2s 2 2m ago |
| siiway/frontend #12 Active - - now |
+-- Logs (47) ------------------------------------------------+
| 14:32:01 INFO webhook received event=pull_request |
| 14:32:01 INFO processing PR review repo=siiway/api-testing |
| 14:32:09 INFO review completed findings=2 duration=8.2s |
+-- Press / to type a command, q to quit --------------------+
Keys: q quit, / command input, j/k scroll logs, Esc cancel
Commands: review owner/repo#N, clear, help, quit
See config.toml.example for full documentation. Key sections:
| Section | Purpose |
|---|---|
[server] |
Listen address and webhook path |
[github] |
App ID, private key, webhook secret |
[auth] |
Authentication method (api_key or oauth) |
[llm] |
Provider, model, max tokens, temperature |
[llm.anthropic] |
Prompt caching, extended thinking, custom headers |
[proxy] |
HTTP/HTTPS/SOCKS5 proxy settings |
[mention_trigger] |
On-demand @bot review trigger (opt-in) |
[rate_limit] |
Requests per hour, burst, bypass users |
[whitelist] |
Allowed organizations, users, repositories |
[sandbox] |
Sandbox settings for code analysis |
[mcp] |
MCP server connections |
[anti_injection] |
Content length limits and suspicious pattern detection |
[safety_check] |
Output safety validation model and settings |
[[rules]] |
Custom review rules with conditions and actions |
| Variable | Purpose |
|---|---|
GITHUB_WEBHOOK_SECRET |
Webhook signature verification |
GITHUB_APP_PRIVATE_KEY |
Base64-encoded PEM (alternative to file) |
ANTHROPIC_API_KEY |
Anthropic/Claude API key |
OPENAI_API_KEY |
OpenAI API key |
LLM_API_KEY |
Generic override for any provider |
RUST_LOG |
Log level (trace, debug, info, warn, error) |
Custom rules let you control review behavior per file or PR:
[[rules]]
name = "skip-lockfiles"
condition = 'file.path ends_with ".lock"'
actions = [{ type = "skip_file" }]
[[rules]]
name = "security-focus"
condition = 'file.path contains "auth"'
actions = [
{ type = "add_focus", area = "Focus on authentication bypass and secrets" },
{ type = "set_severity", level = "high" },
]Available actions: skip_file, add_focus, set_severity, add_comment, add_instruction, set_review_depth, add_label.