One honest signal on every PR: safe to merge, or worth a closer look. That's the whole job.
See it in action
One neutral check on the pull request, sitting beside your existing CI — with the exact file:line evidence. No noise, no comments, no blocked merges.
tests/test_auth.py:42 — assertion weakened to assert True
requirements.txt:7 — package reqests not found on PyPI
.github/workflows/ci.yml — sensitive file changed
Illustrative example. GitAlert never fails your build or comments on your PR.
How it works
No pipeline to configure, no script to write. Install once and GitAlert starts checking pull requests on its own.
Add GitAlert to the repositories you choose. It reads your pull requests and posts its own neutral check — it never pushes commits, changes your branches, merges, or touches your secrets.
Whenever a teammate or an AI coding agent opens or updates a PR, GitAlert reads the diff in seconds — automatically, every time.
GitAlert posts a single check carrying one of three labels, together with the exact file:line reasons behind it. You stay in charge of the merge.
tests/payments_test.py — assertions strengthened, 12 cases added
package-lock.json — every dependency resolves on the registry
no sensitive files — CI, auth and secrets untouched
Neutral check · never blocks the merge
What it catches
Most agent PRs are fine. GitAlert reads every diff the same way, every time, and flags the few that aren't — with the exact file:line.
Weakened assertions, skipped or disabled tests, always-true checks, and empty "fixes" — the shortcuts agents take to make a suite pass.
Every new package in requirements.txt, package.json, or pyproject.toml is checked against the real registry — before a typosquatter can exploit a name that doesn't exist.
CI config, secrets, auth, and other high-risk files are surfaced so a quiet change to your pipeline or permissions never slips through unreviewed.
A label to help you prioritise — never a score or a red ✗ on the PR.
Every flag points to a real file:line you can verify yourself.
GitHub today, GitLab and Bitbucket next — one consistent result.
Triage stays free for public repos, forever. Upgrade for private repos & sandbox runs.
Install the GitAlert app on a public repository, then open or update a pull request.
You'll get a clear triage check within seconds. No credit card, and no surprise comments on your PRs.
FAQ
Everything you need to know before installing GitAlert.
Still have a question? Contact us.
GitAlert is a check that runs on your pull requests. Whenever someone — a teammate or an AI coding agent — opens or updates a PR, GitAlert reads the changes and posts one plain-English label: Looks solid, Worth a closer look, or Likely needs attention. It helps you decide which pull requests to review carefully first.
Install GitAlert on your repositories and it reads every pull request automatically — human or AI-agent — the moment it opens or updates. It posts one neutral label (Looks solid, Worth a closer look, or Likely needs attention) so your reviewers can tell at a glance which few PRs actually need a careful read, instead of trying to review all of them. It never blocks a merge; it just tells your team where to look first.
Yes. GitAlert runs as a GitHub check that posts an informational, always-neutral status on every pull request — it never turns into a red X, never fails your build, and never becomes a required check that stops a merge. You and your reviewers stay fully in control of what ships.
No. GitAlert only posts a neutral, informational check. It never fails your build, never forces a red X that blocks merging, and never leaves comments on your PR. You and your reviewers always stay in control of what gets merged.
All of them. GitAlert checks the pull request itself, so it covers PRs opened by Copilot, Cursor, Claude Code, Codex, Devin, and any other agent — as well as your human teammates. It even labels each PR by whether it was opened by an AI agent or a person. Because GitAlert is independent of the tool that wrote the code, the check is the same no matter which agent or IDE produced the change.
The three mistakes AI-written code makes most often: tests that were quietly weakened or disabled just to pass, dependencies that do not actually exist on the package registry, and changes to sensitive files such as CI config, secrets, or authentication code. Every flag points to the exact file and line.
When a pull request adds a new package to a manifest like requirements.txt or package.json, GitAlert checks that package name against the real registry (PyPI for Python, npm for JavaScript). If the package does not exist, it is flagged — because AI agents frequently hallucinate package names, and attackers register those fake names to slip malware into builds ("slopsquatting"). Every flag points to the exact file and line.
GitAlert flags changes to a fixed set of high-risk files so a quiet edit never slips through unreviewed: secret and credential files (.env, .pem, id_rsa, credentials, secrets.yml), CI and pipeline config (.github/workflows, .gitlab-ci.yml, Jenkinsfile), container config (Dockerfile, docker-compose.yml), and infrastructure variables (terraform .tfvars). It surfaces the change as an informational note — it never blocks the merge.
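The three checks described in the FAQ answers above (weakened assertions, packages missing from the registry, and edits to sensitive paths), as an added Python example that is not GitAlert's own code: it walks a constructed unified diff, the registry lookup is an in-memory set standing in for a real PyPI query, and the sensitive-path list is the one the FAQ gives, matched as plain substrings.

```python
import re

# Constructed stand-in for the PyPI lookup; a real check would query the registry.
KNOWN_PYPI = {"requests", "flask", "pytest"}
# Path fragments the page lists as high-risk, matched as plain substrings.
SENSITIVE = (".env", ".pem", "id_rsa", "credentials", "secrets.yml", ".github/workflows",
             ".gitlab-ci.yml", "Jenkinsfile", "Dockerfile", "docker-compose.yml", ".tfvars")

def parse_diff(diff):
    """Yield (path, new_line_no, kind, text) for every +/- line of a unified diff."""
    path, new_no = None, 0
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("@@"):  # hunk header carries the new-file start line
            new_no = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1))
        elif line.startswith("+") and not line.startswith("+++"):
            yield path, new_no, "+", line[1:]
            new_no += 1
        elif line.startswith("-") and not line.startswith("---"):
            yield path, new_no, "-", line[1:]  # removed lines do not advance new_no
        elif not line.startswith("\\"):
            new_no += 1  # context line

def triage(diff):
    """Return the file:line flags for the three checks, in diff order."""
    flags, paths = [], {}
    for path, no, kind, text in parse_diff(diff):
        paths[path] = True
        if kind != "+":
            continue
        if path.startswith("tests/") and re.match(r"\s*assert\s+True\b", text):
            flags.append(f"{path}:{no} - assertion weakened to assert True")
        elif path.endswith("requirements.txt") and text.strip() and text[0] not in "#-":
            name = re.split(r"[<>=!~\[;\s]", text.strip(), maxsplit=1)[0].lower()
            if name not in KNOWN_PYPI:
                flags.append(f"{path}:{no} - package {name} not found on PyPI")
    flags += [f"{p} - sensitive file changed" for p in paths if any(s in p for s in SENSITIVE)]
    return flags

# Constructed sample diff: a weakened test, a misspelled package, a CI workflow edit.
DIFF = """\
+++ b/tests/test_auth.py
@@ -42 +42 @@
-    assert resp.status_code == 401
+    assert True
+++ b/requirements.txt
@@ -6,0 +7 @@
+reqests==2.31.0
+++ b/.github/workflows/ci.yml
@@ -1 +1 @@
-on: [pull_request]
+on: [push]
"""
```

Running `triage(DIFF)` yields the three flags shown in the demo above; note the substring match means a path such as `environment.py` would also trip the `.env` rule, so a production version wants anchored patterns.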
GitAlert reads pull-request metadata (title, author, branch) and the PR diff. The diff is analysed in memory to produce the label and is not stored — GitAlert keeps only the pull-request metadata and the resulting verdict (the label and the file:line reasons behind it). On the free plan it never runs your code; on paid plans, optional sandbox runs build and test your project in an isolated, throwaway environment with no access to your secrets. See our Privacy & Security page for the full detail.
On the free plan, no — triage is based purely on reading the diff. On paid plans you can turn on sandbox runs, where we build your project and run its tests inside an isolated, throwaway environment that has no access to your secrets and is fully separated from our own systems.
GitAlert is fully independent. It is not built by the agent that wrote the code and it is not tied to any single IDE or provider — it runs as a check on the pull request itself, so it gives the same neutral, deterministic signal no matter which tool or person opened the PR.
Yes. Triage on public repositories is free forever, with no credit card required. Paid plans add private repositories, sandbox test runs, and higher monthly limits.
GitAlert works with GitHub today. GitLab and Bitbucket run on the same engine and are next, so you get the same consistent result wherever your code lives.
Sign in with your Git provider, install the GitAlert app on the repositories you choose, then open or update a pull request. You will see your first triage check within seconds.
Contact
Tell us what you're working on and we'll help you get GitAlert running. We reply within 1–2 business days.