Sourcery

Analyzes pull request diffs by integrating with GitHub/GitLab APIs to fetch changed code, then passes the diff context to OpenAI LLM for line-by-line feedback generation. The system reads PR metadata (title, description, changed files) and generates structured review comments that are posted back to the PR as blocking or non-blocking reviews. This approach avoids full codebase cloning by analyzing only the delta, reducing latency and context window consumption.

Performs static analysis on Python and JavaScript codebases to identify security vulnerabilities, dependency risks, and unsafe patterns (e.g., SQL injection, hardcoded secrets, insecure deserialization). The system scans repositories on a schedule (biweekly for free/Pro tiers, daily for Team tier) and uses pattern matching combined with LLM-based semantic analysis to detect both known CVEs and novel security anti-patterns. Results are aggregated and reported via dashboard or integrated into CI/CD pipelines.

Analyzes code changes across multiple files within a pull request to detect dependencies, imports, and architectural impacts that single-file analysis would miss. The system builds a dependency graph of changed files, identifies which other files are affected by the changes, and detects potential breaking changes or unintended side effects. This capability enables detection of issues like unused imports after refactoring, missing dependency updates, or architectural violations that span multiple files.

Allows teams to configure which code review findings should block PR merges versus which should only generate warnings or informational comments. Severity levels (error, warning, info) can be customized per rule, and blocking rules can be enforced at the repository or organization level. This enables teams to distinguish between critical issues (security vulnerabilities, architectural violations) that must be fixed before merge and suggestions (style improvements, performance optimizations) that are informational.

Analyzes Python and JavaScript code to identify bugs, logic errors, edge cases, and anti-patterns (e.g., unused variables, unreachable code, inefficient algorithms, type mismatches). The system uses AST-based pattern matching combined with LLM reasoning to detect both syntactic issues and semantic problems that static linters miss. Feedback is delivered as inline PR comments or IDE real-time suggestions, with severity levels (error, warning, info) to prioritize fixes.

Allows teams to define and enforce custom coding standards, naming conventions, architectural patterns, and style rules specific to their organization. Rules are configured via dashboard or API and applied automatically during PR review and IDE analysis. The system matches code against these rules using pattern matching and LLM-based semantic analysis, generating feedback that educates developers on organizational standards while blocking PRs that violate critical rules.

Integrates with VS Code and compatible IDEs to provide real-time code analysis and suggestions as developers type. The system analyzes code locally in the IDE plugin and sends context to Sourcery servers for LLM-based analysis, returning inline suggestions for bugs, quality improvements, and standards violations. Feedback appears as underlines, hover tooltips, and quick-fix suggestions, enabling developers to fix issues before committing code.

Scans multiple repositories (up to 200+ for Team tier) on a scheduled basis to identify security vulnerabilities, code quality issues, and standards violations across an entire organization. Results are aggregated into a centralized dashboard showing vulnerability trends, affected repositories, and remediation priorities. The system generates reports that can be exported for compliance audits and integrates with CI/CD pipelines to block deployments of vulnerable code.

Automatically generates visual diagrams and summaries of code changes in pull requests, showing how modifications affect system architecture, data flow, and dependencies. The system analyzes the PR diff and uses LLM reasoning to create diagrams (architecture, sequence, dependency graphs) that help reviewers understand the impact of changes at a glance. This capability is available in Pro+ tiers and integrates with PR comments to provide visual context alongside text feedback.

Aggregates code quality metrics, security scan results, and review statistics across repositories into a centralized dashboard showing trends over time. The system tracks metrics such as vulnerability count, code quality score, review turnaround time, and standards violations per developer or team. Analytics can be filtered by repository, time period, and severity level, enabling managers to identify problem areas and track improvement initiatives.

Allows organizations to configure Sourcery to use their own LLM provider (OpenAI, Anthropic, or self-hosted models) instead of the default OpenAI integration. Teams can specify custom API endpoints, model versions, and authentication credentials, enabling use of proprietary models, fine-tuned variants, or on-premise deployments. This capability is available in Team+ tiers and supports zero-retention options for organizations with strict data privacy requirements.

Integrates with GitHub and GitLab webhook systems to automatically trigger code review analysis whenever a pull request is created or updated. The system receives webhook events, fetches the PR diff and metadata via repository APIs, performs analysis, and posts review comments back to the PR as native GitHub/GitLab reviews. This integration enables zero-configuration code review automation — once installed, reviews are triggered automatically without manual invocation.