# GitDebug

> AI code review for GitHub. Every push and pull request gets a deep multi-scanner AI review — bugs, security flaws, CVEs, performance issues, and code-quality regressions are caught before they reach production. The platform is free; users bring their own OpenAI API key (BYOK) and pay OpenAI directly for tokens consumed.

GitDebug is a SaaS that integrates with GitHub via OAuth + repo webhooks. After connecting a repo, every `push` and `pull_request` event triggers an AI-powered review that posts inline comments and a check-run on GitHub, plus a structured report (issues with file paths, line numbers, severity, CWE/OWASP refs, suggested fixes) on the GitDebug dashboard. Notifications go to email and Slack/Discord/Teams webhooks the user configures.

The platform itself charges nothing. Users provide their own OpenAI API key during onboarding and pay OpenAI directly for the tokens consumed. There is no subscription, no trial expiry, no credit card required.

## Key facts

- **Pricing:** $0 from GitDebug. User brings their own OpenAI API key. They pay OpenAI for tokens.
- **Model:** GPT-4o for deep PR/push analysis, GPT-4o-mini for the on-demand AI Tools (review, refactor, tests, docs, explain, commit analyzer).
- **Languages supported:** 60+ programming languages, auto-detected per file (TypeScript, JavaScript, Python, Go, Rust, Java, C#, C/C++, Ruby, PHP, Swift, Kotlin, Scala, Dart, Solidity, SQL, GraphQL, Terraform, Dockerfile, YAML, Vue, Svelte, etc.).
- **Scanners:** 6 layers per analysis — bug detection, security (OWASP Top 10 + CWE refs), dependency CVE audit, performance (O(n²), N+1, memory leaks), code quality (cyclomatic complexity, duplication, SOLID violations), and AI summary with merge recommendation.
- **GitHub integration:** read-only OAuth (`read:user`, `user:email`, `repo`). Webhooks installed automatically on monitored repos. PR comments and check-runs posted via the GitHub API using the user's stored token.
- **Privacy:** code snippets are sent only to OpenAI (the user's account, via the user's key) for analysis. GitDebug does not retain code beyond the analysis result (issues, summaries) needed to render the dashboard. No code is used for AI model training.
- **Security:** Row-Level Security on every user-data table; OpenAI keys and GitHub tokens stored in deny-all RLS tables that only the service role can read; HMAC-SHA256 verification on all GitHub webhook deliveries; CSRF state tokens on the OAuth flow.
- **Notifications:** every push and PR analysis fires an email (Resend) plus webhook deliveries to Slack / Discord / Teams. Each notification ships a full bug list with severity, file:line, the offending snippet, the suggested fix, CWE/OWASP refs, and a merge recommendation — no need to open the dashboard for triage.

## Who it's for

- Solo developers who want a second pair of eyes on every PR without paying for a SaaS subscription.
- Small/medium teams who want consistent code review velocity without scheduling burden.
- Security-conscious teams who want CWE/OWASP-tagged findings on every push.
- Open-source maintainers who want PR triage on community contributions.

## What it is not

- Not a CI replacement — runs alongside CI, not instead of it.
- Not a static analyzer alone — combines static heuristics with AI review for context-aware findings.
- Not a code-rewriting agent — proposes fixes as suggestions, never auto-merges or pushes code.
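The HMAC-SHA256 webhook verification named in the Security bullet above, as an added example (not GitDebug's own code): it recomputes the signature over the raw request body, compares it in constant time against GitHub's `X-Hub-Signature-256` header, and then admits only the `push` and `pull_request` events that trigger a review. The secret, header values and sample payload are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Events that trigger a review per the page; anything else (e.g. "ping") is ignored.
REVIEW_EVENTS = {"push", "pull_request"}

# Constructed sample values for this example; a real deployment reads the secret
# from its webhook configuration and the body from the HTTP request.
SECRET = "constructed-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"number":42},"repository":{"full_name":"acme/api"}}'


def sign_body(secret: str, body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex HMAC of the raw body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest


def verify_signature(secret: str, body: bytes, header: Optional[str]) -> bool:
    """True only if the header carries a sha256 HMAC that matches the raw body bytes."""
    if not header or not header.startswith("sha256="):
        return False  # missing header or legacy sha1 prefix: reject, never fall back
    expected = sign_body(secret, body)
    # compare_digest is constant-time, so a mismatch does not leak where the digests differ
    return hmac.compare_digest(expected, header)


def accept_delivery(secret: str, headers: dict, body: bytes) -> str:
    """Classify one delivery as 'rejected', 'ignored' or 'review'.

    The HMAC must be computed over the exact bytes received: re-serialising the
    parsed JSON changes whitespace and key order and breaks verification.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected"
    event = headers.get("X-GitHub-Event", "")
    if event not in REVIEW_EVENTS:
        return "ignored"
    json.loads(body)  # parse only after the signature checked out
    return "review"


if __name__ == "__main__":
    headers = {"X-GitHub-Event": "pull_request",
               "X-Hub-Signature-256": sign_body(SECRET, SAMPLE_BODY)}
    print(accept_delivery(SECRET, headers, SAMPLE_BODY))                        # review
    print(accept_delivery(SECRET, headers, SAMPLE_BODY.replace(b"42", b"43")))  # rejected
```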
## URLs

- Homepage: https://gitdebug.com/
- Pricing & FAQ: https://gitdebug.com/#pricing, https://gitdebug.com/#faq
- Long-form guides:
  - https://gitdebug.com/guides/ai-code-review-for-github-pull-requests
  - https://gitdebug.com/guides/automated-security-scanning-in-your-ci-pipeline
  - https://gitdebug.com/guides/static-analysis-vs-ai-code-review
  - https://gitdebug.com/guides/pull-request-review-checklist-for-teams
  - https://gitdebug.com/guides/how-to-add-ai-pull-request-review-on-github-in-2026
  - https://gitdebug.com/guides/best-way-to-review-pull-requests-faster-without-burnout
  - https://gitdebug.com/guides/how-to-tune-ci-security-scans-for-fewer-false-positives
  - https://gitdebug.com/guides/7-signs-your-team-needs-automated-pr-review
- Sitemap: https://gitdebug.com/sitemap.xml
- Privacy: https://gitdebug.com/privacy
- Terms: https://gitdebug.com/terms

## Frequently asked questions

Q: How much does GitDebug cost?
A: Nothing. GitDebug itself is free forever. Users bring their own OpenAI API key during onboarding and pay OpenAI directly for the tokens their analyses consume. There is no platform subscription, no trial period, and no credit card required.

Q: How does the BYOK model work?
A: During onboarding the user pastes an OpenAI API key. GitDebug validates it against `https://api.openai.com/v1/models`, then stores it server-side encrypted at rest. Every subsequent AI call (PR review, push analysis, on-demand AI Tools) is made with that key, so the user can see exact spend in their OpenAI dashboard and rotate or revoke at any time from GitDebug Settings.

Q: How long does an analysis take?
A: A typical PR analysis completes in 25–35 seconds end-to-end (worker fetches the unified diff from GitHub, calls GPT-4o, persists the issues, posts the GitHub review). Cached prompts (re-runs of the same diff) return instantly with no token spend.

Q: Which languages does GitDebug support?
A: 60+ programming languages auto-detected per file.
The full list includes TypeScript, JavaScript, Python, Go, Rust, Java, C#, C/C++, Ruby, PHP, Swift, Kotlin, Scala, Dart, Solidity, SQL, GraphQL, Bash, PowerShell, Lua, Elixir, Haskell, R, Julia, Terraform, Dockerfile, YAML, Vue, Svelte, and more.

Q: Is my code stored or used for training?
A: No. Code snippets are sent only to OpenAI for analysis using the user's own key. GitDebug retains only the analysis results (issues, summaries, scores) needed to render the dashboard. Code is never used for AI model training under OpenAI's enterprise data terms.

Q: How does GitDebug notify me of new findings?
A: Every push and PR analysis triggers an email (via Resend) plus webhook deliveries to Slack, Discord, or Microsoft Teams (whichever the user configures). Each notification contains a full bug list with severity, file path, line numbers, the offending code snippet, a suggested fix, CWE/OWASP references, and a merge recommendation — designed so that triage can happen entirely from the inbox.

Q: What's the difference between GitDebug and a traditional static analyzer (ESLint, SonarQube, etc.)?
A: Static analyzers match patterns; GitDebug combines pattern matching with AI context-aware review. That means GitDebug catches issues that depend on intent (e.g. "this PR's auth check has the right shape but the wrong precondition"), security flaws that require diff-level context, and quality issues that span files. It runs in parallel with — not instead of — your existing CI checks.

Q: Can I run GitDebug on private repositories?
A: Yes. GitDebug uses standard GitHub OAuth with read-only `repo` scope. The user picks exactly which repos to monitor and can revoke the OAuth installation at any time from GitHub Settings → Applications.