Govern every AI pull request before it merges.

MergeAttest is the control layer around AI coding agents: deterministic risk scoring, missing-test detection, repository rules, human approvals, and audit evidence in one GitHub-native workflow.

free plan available · no credit card required

Review queue for acme/api-gateway (product screenshot rendered as text):

  • #482 Add retry logic to payment webhook · agent:claude-code · +218 −34 · 6 files · High risk · 2 test gaps detected · 1 rule violation · approval required, 2 reviewers · awaiting review
  • #479 Bump dependency lockfile · agent:dependabot · +12 −12 · Low
  • #477 Refactor auth session store · agent:claude-code · +96 −140 · Medium

Signals inspected per diff: diff size, sensitive paths, test coverage, dependency changes, migration files, secret patterns, API surface, lockfile drift.
01 The problem

Review can't keep up with AI

Coding agents ship pull requests around the clock. Manual review was never designed for this volume — and the gaps are where production incidents start.

velocity

AI agents open pull requests faster than any team can carefully review them.

blind spots

Risky changes and missing tests slip through when review relies on reviewer attention alone.

no record

After an incident, there is no clear record of who approved what, or why.

02 Features

The parts AI reviewers leave around the edges

Comments are useful. Governance needs a full record: risk, tests, policies, reviewers, approvals, and what changed after the decision.

Deterministic risk scoring

Every pull request gets a transparent risk score, so reviewers know exactly why a change is flagged. Advisory AI comments can add context, but they do not replace the control.

Risk breakdown: 72 / 100
  • Sensitive paths touched +28
  • Missing test coverage +24
  • Diff size & spread +20

Audit-ready trail

Approvals, syncs, and policy changes are captured automatically and exportable for compliance reviews.

  • 09:24 PR #482 flagged high
  • 09:31 Approved by @dana
  • 09:33 Merged to main

Test-gap detection

Surface code paths shipped without coverage, with path-based suggestions for the tests that are missing.

Approval workflow

Route risky changes to the right reviewers and record every approval decision the moment it happens.

Custom repository rules

Define policies for sensitive files and high-risk patterns, then evaluate them on every PR.

GitHub-native

Risk, checks, and review context surface as comments and check runs where engineers already work.

03 AI authorship

Know which AI agent wrote your code — and prove it

Coding-agent adoption is near-universal; trust is not. MergeAttest attributes every pull request to the agent behind it, tracks each agent's track record, and turns it into audit-ready evidence — the white space no AI reviewer owns.

Attributed with confidence: Claude Code 95% · Copilot 92% · Codex 90% · Cursor 88%

Agent attribution with evidence

Every pull request is fingerprinted to Cursor, Copilot, Claude Code, Codex, or Devin from commit trailers, bot accounts, and emails — with a confidence score and the evidence behind it.

Agent identity registry

Built-in detection works out of the box. Map your own bot accounts, branch prefixes, labels, and commit trailers when your team has its own conventions.
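
The attribution and registry mechanics described in the two sections above, as an added example that is not MergeAttest's code. It assumes a built-in registry of per-agent signals (the trailer, login, email and branch patterns are this example's guesses at each agent's conventions, not a published list), a team extension for an in-house bot, one hit per rule per PR, and a noisy-OR combination of weighted evidence into a confidence. All logins, emails, branch names and commit messages in the sample PRs are invented.

```python
import re
from dataclasses import dataclass, field
from math import prod

# Constructed shapes for this example, not MergeAttest's data model.
@dataclass
class Commit:
    author_login: str
    author_email: str
    message: str  # full message; git trailers are "Key: value" lines in the last paragraph

@dataclass
class PullRequest:
    number: int
    head_branch: str
    commits: list[Commit]
    labels: list[str] = field(default_factory=list)

# A rule is (signal kind, regex, weight). Kinds: login, email, trailer, branch, label.
# Weights express how hard the signal is to produce by accident: a bot login is
# assigned by GitHub, a trailer is whatever the commit author chose to write.
Rule = tuple[str, str, float]

# Built-in registry. These patterns are this example's assumptions about how each
# agent marks its commits, not a list published by MergeAttest or the vendors.
BUILTIN_REGISTRY: dict[str, list[Rule]] = {
    "claude-code": [("trailer", r"^Co-Authored-By: .*<noreply@anthropic\.com>$", 0.85),
                    ("email", r"@anthropic\.com$", 0.6)],
    "copilot":     [("login", r"^copilot-swe-agent\[bot\]$", 0.9),
                    ("trailer", r"^Co-authored-by: Copilot <", 0.8)],
    "codex":       [("branch", r"^codex/", 0.7)],
    "cursor":      [("branch", r"^cursor/", 0.7)],
    "devin":       [("login", r"^devin-ai-integration\[bot\]$", 0.9)],
    "dependabot":  [("login", r"^dependabot\[bot\]$", 0.95), ("branch", r"^dependabot/", 0.7)],
}

TRAILER = re.compile(r"^[A-Za-z][\w-]*: .+$")

def trailers(message: str) -> list[str]:
    """Trailer lines from the last paragraph only, so a 'fix: ...' subject is not one."""
    paragraphs = message.strip().split("\n\n")
    if len(paragraphs) < 2:
        return []
    return [l.strip() for l in paragraphs[-1].splitlines() if TRAILER.match(l.strip())]

def observations(pr: PullRequest) -> list[tuple[str, str]]:
    obs = [("branch", pr.head_branch)] + [("label", l) for l in pr.labels]
    for c in pr.commits:
        obs += [("login", c.author_login), ("email", c.author_email)]
        obs += [("trailer", t) for t in trailers(c.message)]
    return obs

def attribute(pr: PullRequest, registry: dict[str, list[Rule]] = BUILTIN_REGISTRY) -> dict:
    """Best-matching agent with its confidence and the evidence behind it."""
    obs = observations(pr)
    candidates = []
    for agent, rules in registry.items():
        evidence = []
        for kind, pattern, weight in rules:
            # one hit per rule: three commits with the same trailer are not three proofs
            hit = next((v for k, v in obs if k == kind and re.search(pattern, v)), None)
            if hit is not None:
                evidence.append({"signal": kind, "matched": hit, "weight": weight})
        if evidence:
            # noisy-OR: independent signals reinforce each other, none alone reaches 1.0
            confidence = 1 - prod(1 - e["weight"] for e in evidence)
            candidates.append({"agent": agent, "confidence": confidence, "evidence": evidence})
    candidates.sort(key=lambda c: c["confidence"], reverse=True)
    if not candidates:
        return {"agent": "unattributed", "confidence": 0.0, "evidence": [], "alternatives": []}
    return {**candidates[0], "alternatives": candidates[1:]}

def with_team_conventions(custom: dict[str, list[Rule]]) -> dict[str, list[Rule]]:
    """Extend the built-ins: new agents are added, known agents gain extra rules."""
    merged = {agent: list(rules) for agent, rules in BUILTIN_REGISTRY.items()}
    for agent, rules in custom.items():
        merged.setdefault(agent, []).extend(rules)
    return merged

# Constructed PRs. Logins, emails and branch names are invented.
PR_482 = PullRequest(482, "feature/webhook-retry", [
    Commit("dana", "dana@acme.example",
           "Add retry logic to payment webhook\n\nBack off on PSP 5xx.\n\n"
           "Co-Authored-By: Claude <noreply@anthropic.com>"),
    Commit("dana", "dana@acme.example",
           "Cover retry budget\n\nCo-Authored-By: Claude <noreply@anthropic.com>"),
])
PR_479 = PullRequest(479, "dependabot/npm_and_yarn/lodash-4.17.21", [
    Commit("dependabot[bot]", "49699333+dependabot[bot]@users.noreply.github.com",
           "Bump lodash from 4.17.20 to 4.17.21")])
PR_501 = PullRequest(501, "refactor-bot/auth-session",
                     [Commit("acme-refactor[bot]", "acme-refactor@acme.example", "Refactor auth session store")],
                     labels=["ai:refactor-bot"])
PR_HUMAN = PullRequest(503, "fix/typo", [Commit("sam", "sam@acme.example", "fix: typo in README")])

# Team mapping for an in-house bot the built-ins do not know.
TEAM_REGISTRY = with_team_conventions({
    "acme-refactor-bot": [("login", r"^acme-refactor\[bot\]$", 0.9),
                          ("label", r"^ai:refactor-bot$", 0.6)],
})
```

With the built-ins, PR_482 is attributed to claude-code on a single trailer (confidence 0.85, with the matched trailer recorded as evidence), PR_479 to dependabot on login plus branch (0.985), and PR_501 stays unattributed until the team registry maps the in-house bot, after which login and label combine to 0.96. The caveat that matters for "prove it": a bot login is assigned by GitHub and is the one signal here the commit author cannot set, whereas co-author trailers and author emails are written by whoever made the commit and can be added or stripped at will. An audit that needs more than best-effort attribution should pair this with signed commits or require agents to act through a dedicated GitHub App identity.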

Per-agent trust scorecard

See which agent ships the riskiest code: high-risk rate, test gaps, rule hits, reverts, and merges without human sign-off — every deduction shown.

Authorship ledger & evidence export

Track what share of your code AI wrote and how much of it carried a human sign-off. Export an evidence bundle supporting EU AI Act human-oversight and SOC 2 reviews: not a certification, but the record auditors ask for.

04 Why MergeAttest

Built for governance, not another comment stream

CodeRabbit, Copilot, Qodo, and Graphite help teams review code faster. MergeAttest answers the next question: should this AI-assisted change be allowed to merge, who accepted the risk, and where is the evidence?

  • Per-agent AI attribution
  • AI authorship ledger
  • Deterministic risk scoring
  • Missing-test detection
  • Repository policy rules
  • Human approval records
  • Audit-ready review packets
  • Optional BYOK AI review

Competitive frame (free early-access launch)

Comparison between MergeAttest and AI code review tools.

Primary job
  • MergeAttest: govern AI-assisted pull requests before merge
  • CodeRabbit: generate AI review comments and developer follow-ups
  • Copilot Review: assist coding and run GitHub-hosted code review
  • Qodo / Graphite: accelerate PR review, stacking, or code quality workflows

Trust model
  • MergeAttest: deterministic signals first, advisory AI second
  • CodeRabbit: AI reviewer output is the main product surface
  • Copilot Review: model-selected review output inside GitHub
  • Qodo / Graphite: AI review and workflow automation vary by product

Governance controls
  • MergeAttest: rules, approvals, risk status, and audit trail together
  • CodeRabbit: enterprise audit logging and RBAC on higher tiers
  • Copilot Review: uses GitHub platform permissions and billing controls
  • Qodo / Graphite: team controls depend on plan and platform focus

AI authorship
  • MergeAttest: attributes each PR to a specific agent with confidence and evidence, then exports authorship evidence
  • CodeRabbit: no per-agent authorship attribution or reporting
  • Copilot Review: no cross-agent authorship attribution
  • Qodo / Graphite: focused on review quality or PR workflow, not authorship governance

Test and policy gaps
  • MergeAttest: flags missing tests and sensitive repository changes
  • CodeRabbit: focuses on review, fixes, linters, and SAST integrations
  • Copilot Review: focuses on code review assistance
  • Qodo / Graphite: usually focused on review quality or PR workflow speed

AI provider control
  • MergeAttest: OpenRouter BYOK boundary for organization-owned keys
  • CodeRabbit: vendor-managed AI review service
  • Copilot Review: GitHub-managed model routing
  • Qodo / Graphite: vendor-managed model access, with enterprise options

Launch access
  • MergeAttest: free early access with usage limits; paid expansion planned after launch
  • CodeRabbit: commercial AI review plans with seat-based pricing
  • Copilot Review: bundled into GitHub paid plans and usage policies
  • Qodo / Graphite: commercial review tools commonly price by team or developer seat

MergeAttest is launching free to learn from real repository usage. Paid plans are planned later for teams that need higher usage limits.

05 How it works

Live in minutes, governed from day one

Connect a repository and MergeAttest starts scoring pull requests immediately — no pipeline changes required.

01

Connect GitHub

Install the MergeAttest GitHub App and sync the repositories you want to govern.

02

Score every AI PR

New and updated pull requests are scored for risk and scanned for missing test coverage.

03

Review and approve

Reviewers work a prioritized queue, applying repository rules and recording decisions.

04

Keep an audit trail

Every decision is logged and retained, ready to export the moment compliance asks.

Ship AI code with confidence

Connect your first repository and see risk scores on your open pull requests in minutes.