Features
Here's what you get on every CodePeel review — whether triggered from a GitHub PR, the VS Code extension, or the MCP server.
Inline Comments on Your PR
CodePeel posts findings as GitHub inline comments on the exact lines that need attention. Each comment includes:
- Severity badge — 🔴 Critical, 🟠 Major, 🟡 Minor, ⚪ Info
- Structured explanation — "What's happening", "Impact", and "Recommendation" bullet sections
- Suggestion block — GitHub's native "Commit suggestion" button for one-click fixes (when a fix is available)
Where you see it: On your GitHub pull request, in the "Files changed" tab.
Trivial (🔵) findings are stored in your CodePeel dashboard only — they're not posted as PR comments to keep noise low.
Walkthrough Summary
Every PR gets a collapsible walkthrough comment posted on the Conversation tab:
- Plain-English summary of what the PR does
- Finding counts by category (bugs, security, performance, best practices)
- Review effort — a 1–5 scale indicating how complex the PR is to review
- Health score — aggregate quality score (0–100). See how it's calculated below.
- Sequence diagram (optional) — mermaid logic flow for complex PRs
Where you see it: As a collapsible comment on your GitHub PR, posted by the CodePeel bot.
Sequence diagrams are enabled by default. To disable them, set in .codepeel.yml:

```yaml
walkthrough:
  auto_sequence_diagram: false
```
Health Score
A 0–100 number representing overall code quality for a single review.
Where you see it: In the walkthrough comment on your PR, and on the PR detail page in the dashboard.
How it's calculated
Starts at 100, then deducts points per finding:
| Severity | Display | Deduction per finding | Max penalty (cap) |
|---|---|---|---|
| Critical | 🔴 Critical | -20 | -50 |
| High | 🟠 Major | -10 | -30 |
| Medium | 🟡 Minor | -4 | -15 |
| Low | 🔵 Trivial | -1 | -5 |
The caps prevent a burst of minor issues from tanking your score. For example, 10 minor findings only deduct 15 points (not 40).
What the score means
| Score | Emoji | Risk Level |
|---|---|---|
| 80–100 | 🟢 | Low risk — safe to merge |
| 60–79 | 🟡 | Moderate risk — review findings before merging |
| 40–59 | 🟠 | High risk — significant issues present |
| 0–39 | 🔴 | Critical risk — do not merge without addressing findings |
Use Pre-merge Checks to automatically block merges when the health score drops below your threshold.
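The deduction-and-cap rule and the score bands above, worked through in code. This is an added example, not CodePeel's own implementation; it assumes Info findings deduct nothing (they are absent from the table) and uses a pre-merge threshold of 80 purely for illustration.

```python
from collections import Counter

# Deduction per finding and maximum penalty per severity, taken from the
# CodePeel health-score table. "Info" findings do not appear in that table,
# so this example assumes they cost nothing (assumption).
DEDUCTION = {"critical": 20, "high": 10, "medium": 4, "low": 1}
MAX_PENALTY = {"critical": 50, "high": 30, "medium": 15, "low": 5}

# Score bands from the "What the score means" table.
RISK_BANDS = [
    (80, "🟢", "Low risk"),
    (60, "🟡", "Moderate risk"),
    (40, "🟠", "High risk"),
    (0, "🔴", "Critical risk"),
]


def health_score(severities):
    """Return the 0-100 health score for a list of finding severities.

    Each finding deducts a fixed amount for its severity, but the total
    deduction per severity is capped, so a burst of minor findings alone
    cannot sink the score.
    """
    counts = Counter(s.lower() for s in severities)
    score = 100
    for severity, per_finding in DEDUCTION.items():
        score -= min(counts[severity] * per_finding, MAX_PENALTY[severity])
    return max(score, 0)  # caps sum to 100, so the clamp is a safety net only


def risk_level(score):
    """Map a score to its (emoji, risk label) band."""
    for floor, emoji, label in RISK_BANDS:
        if score >= floor:
            return emoji, label
    raise ValueError("score must be between 0 and 100")


def passes_threshold(severities, threshold=80):
    """Hypothetical pre-merge gate; the default threshold is this example's
    assumption, not a CodePeel setting."""
    return health_score(severities) >= threshold


if __name__ == "__main__":
    # Constructed samples: the page's ten-minor-findings case, and a mixed review.
    for review in (["medium"] * 10, ["critical"] * 3 + ["high", "low", "low"]):
        score = health_score(review)
        print(score, *risk_level(score))  # 85 🟢 Low risk / 38 🔴 Critical risk
```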
Multi-Layer Analysis
CodePeel runs four analysis passes in parallel on every PR:
| Layer | What it detects | Speed |
|---|---|---|
| Secret scanning | API keys, tokens, credentials, custom patterns | Instant (posted first) |
| AI analysis | Bugs, security, performance, best practices | ~10–30s |
| SAST | Static analysis security patterns (CWE-based) | ~10–20s |
| Architecture review | Design patterns, coupling, SRP violations | ~15–25s |
All four layers run in parallel regardless of PR size. Secret scanning results are posted within seconds, before the AI analysis completes.
The architecture review is skipped when `securityOnly: true` is set.
Incremental Reviews
When you push new commits to an existing PR, CodePeel automatically re-reviews only the new changes. It won't repeat findings you've already seen.
What happens on a new push:
- CodePeel detects the `synchronize` event (new commit pushed)
- Fetches all existing CodePeel comments on the PR
- Only posts new findings on lines not previously commented
- Updates the walkthrough summary with new totals
This is always enabled — no configuration needed. If you previously dismissed a finding with @codepeel resolve, it stays dismissed even after new pushes.
Finding Categories
| Category | Internal type | Examples |
|---|---|---|
| Bug | bug | Logic errors, null references, off-by-one, unhandled promises |
| Security | security | SQL injection, XSS, path traversal, hardcoded secrets |
| Performance | performance | N+1 queries, unnecessary re-renders, memory leaks |
| Best Practice | best_practice | Error handling, naming, DRY violations, test gaps |
Severity levels
| Level | Badge | When it's used |
|---|---|---|
| Critical | 🔴 | Security vulnerabilities, data loss, crashes, race conditions |
| High/Major | 🟠 | Bugs causing incorrect behavior, missing error handling |
| Medium/Minor | 🟡 | Performance issues, potential edge cases, code smells |
| Low/Trivial | 🔵 | Style improvements, naming suggestions (dashboard only) |
| Info | ⚪ | Informational notes, context |
Deduplication
If multiple analysis layers flag the same issue on the same line, you only see one comment. CodePeel automatically deduplicates across AI, SAST, and architecture passes using file:line as the key.
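The incremental-review rule (post only on lines without an earlier CodePeel comment) and the cross-layer deduplication described here both reduce to the same file:line key, so one added example covers both. The code and the sample findings are constructed for this page and are not CodePeel's own; which layer wins when two flag the same line is not stated above, so the example keeps the first one seen (assumption), and it routes Trivial findings to the dashboard as the Inline Comments section describes.

```python
TRIVIAL_SEVERITY = "low"  # 🔵 Trivial: stored in the dashboard, never a PR comment


def location_key(finding):
    """CodePeel deduplicates on file:line, so that string is the key."""
    return f"{finding['path']}:{finding['line']}"


def select_findings_to_post(findings, existing_comment_keys):
    """Split a run's findings into (post_to_pr, dashboard_only).

    findings: dicts with 'layer', 'path', 'line', 'severity', 'message'.
    existing_comment_keys: file:line keys of CodePeel comments already on the
        PR, fetched when the synchronize event fires.

    A finding is posted only if its line carries no earlier CodePeel comment
    and no other layer in this run has already claimed it. Tie-break between
    layers is this example's assumption: first one seen wins.
    """
    claimed = set(existing_comment_keys)
    post_to_pr, dashboard_only = [], []
    for finding in findings:
        if finding["severity"] == TRIVIAL_SEVERITY:
            dashboard_only.append(finding)
            continue
        key = location_key(finding)
        if key in claimed:
            continue  # previous push already commented, or another layer flagged it
        claimed.add(key)
        post_to_pr.append(finding)
    return post_to_pr, dashboard_only


# Constructed data: one CodePeel comment left by the first review of this PR.
EXISTING_COMMENTS = {"src/db.py:42"}

# Constructed data: findings from the three layers after a new push.
NEW_FINDINGS = [
    {"layer": "ai", "path": "src/db.py", "line": 42, "severity": "critical", "message": "query built by string concatenation"},
    {"layer": "sast", "path": "src/db.py", "line": 42, "severity": "critical", "message": "SQL injection pattern"},
    {"layer": "ai", "path": "src/api.py", "line": 7, "severity": "high", "message": "unhandled promise"},
    {"layer": "sast", "path": "src/api.py", "line": 7, "severity": "high", "message": "missing error handling"},
    {"layer": "architecture", "path": "src/api.py", "line": 90, "severity": "medium", "message": "SRP violation"},
    {"layer": "ai", "path": "src/api.py", "line": 12, "severity": "low", "message": "rename variable"},
]

if __name__ == "__main__":
    posted, dashboard = select_findings_to_post(NEW_FINDINGS, EXISTING_COMMENTS)
    print([(location_key(f), f["layer"]) for f in posted])  # api.py:7 ai, api.py:90 architecture
    print(len(dashboard), "trivial finding(s) kept for the dashboard")  # 1
```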
Suggestion Blocks (One-Click Fixes)
When CodePeel identifies a fixable issue, the inline comment includes a GitHub suggestion block. Click Commit suggestion to apply the fix directly — no copy-pasting needed.
Where you see it: On the inline comment in the "Files changed" tab. Look for the green "Commit suggestion" button.
Not every finding has a suggestion block — only issues where CodePeel can generate a concrete, working code fix. The fix must look like actual code (not prose) and be 10 lines or fewer.
Want fixes applied automatically? Enable Auto-Fix PRs to generate a separate PR with all fixes applied.
What You Can Customize
All of these settings can be configured in .codepeel.yml (per-repo) or in the Dashboard Settings (account-wide). Repo config takes priority.
- Review profile — how aggressive the review is: `chill`, `balanced`, or `assertive`
- Security only — skip all non-security findings
- Ignore formatting — skip style and naming issues
- Ignore paths — exclude files/folders from review (globs like `dist/**`, `*.lock`)
- Expert rules — team conventions the AI enforces on every review
- Custom instructions — free-text instructions appended to the AI prompt
- Sequence diagrams — show/hide mermaid logic flow diagrams in the walkthrough
See the full Configuration docs →