On paid plans, GitAlert can do more than read the diff. It can build your project and run its existing tests on the pull request inside a throwaway sandbox, then report whether the change actually holds up — not just whether CI is green.
This turns "the tests pass" into evidence: GitAlert can see whether the tests passed before and still pass after the change, and flag a regression the diff introduced.
On the free plan, GitAlert never executes your code — triage there is based only on reading the diff.
Sandbox runs happen in an isolated, single-use environment operated by our sandbox provider. The environment is destroyed after every run. The isolation is deliberate:
{note} Because the sandbox has no secrets and no privileged network access, a malicious or buggy PR can't use a GitAlert run to exfiltrate data or reach anything sensitive.
The sandbox result is folded into the same neutral check and label. It contributes signals such as:
If a sandbox run can't complete for any reason, GitAlert fails soft: the static diff-based verdict still stands, and the label is never worse than what the diff alone justified.
Sandbox runs require a paid plan and are configured by us at the infrastructure level. Once available on your plan, GitAlert uses them automatically on eligible pull requests — there's nothing to add to your repository. See the pricing page for which plans include sandbox runs.