How is MicroReview different from CodeRabbit?

MicroReview adds a 0-100 risk score per PR, merge blocking on critical findings, a dedicated GitHub Checks API integration with inline annotations, and hardcoded secret detection across 13 patterns. It also starts free and scales to $19/mo per repo vs CodeRabbit's higher per-seat pricing.

Does MicroReview work with private repositories?

Yes. MicroReview works with both public and private repositories on GitHub and GitLab. The GitHub App requests only the minimum permissions needed: read access to code for PR diffs and write access to post review comments and check runs.

What programming languages does MicroReview support?

AI bug detection and secret scanning work on any language. Deep static analysis rules including naming conventions, Spring Boot patterns, and validation checks are available for Java, TypeScript, and Python today with more language-specific rule sets coming soon.

Is my source code sent to AI?

Only the changed lines (diff hunks) from your pull request are sent to the AI, not your entire codebase. Code is sent over HTTPS, is not used to train models, and is retained by the AI provider for at most 30 days for abuse monitoring before deletion.

How much does MicroReview cost?

MicroReview starts free with 2 repos and 50 reviews per month. The Pro plan is $19/mo per repo with unlimited reviews and AI bug detection. The Team plan is $15/mo per repo for 5+ repos with analytics, SSO, and config inheritance.

How to Stop Secrets From Leaking Into Your Git History

A leaked API key is one of the cheapest mistakes to make and one of the most expensive to clean up. Once a secret lands in your Git history, rotating it isn't optional — and if the repo is public, automated scanners will find it within minutes. The good news: almost every leak is preventable at review time.

Why `.gitignore` Isn't Enough

Ignoring .envfiles stops the obvious case, but secrets leak in dozens of other ways: a hardcoded token in a test fixture, a connection string pasted into a config for "just a quick debug," a private key checked in by accident. None of these are covered by a typical ignore file.

Why Rotating After the Fact Is Painful

Removing a secret from the latest commit does nothing — it's still in the history. You have to rewrite history (disruptive for everyone who cloned the repo) and rotate the credential anyway, because you must assume it was seen. The only cheap fix is to never let it merge.

Catch Secrets at Pull Request Time

The right place to stop a secret is the pull request, before it reaches your main branch. A scanner that reads the diff can flag a hardcoded credential the moment it's added — while it's still trivial to remove with a single edit.

MicroReview scans every diff for 13 categories of secrets— AWS keys, Stripe and OpenAI tokens, GitHub PATs, JWT secrets, private keys, database URLs, and more. When it finds one, it posts an inline comment on the exact line and, if you enable merge blocking, marks the pull request as failing so it can't be merged until the secret is removed.

A Simple Three-Layer Defense

Layer 1 — Prevent: keep secrets in environment variables and a secrets manager, never in source.
Layer 2 — Detect at review: scan every PR diff so a hardcoded secret is caught before merge.
Layer 3 — Block: make critical findings fail a required status check so a leak can't reach main even by accident.

The Bottom Line

Secret leaks aren't a discipline problem — they're a tooling problem. Developers move fast and mistakes happen. The fix is to put a scanner in the pull request path so the mistake gets caught the moment it's made, not weeks later in a security audit. That turns a multi-hour incident into a ten-second edit.

Why .gitignore Isn't Enough

Why Rotating After the Fact Is Painful

Catch Secrets at Pull Request Time

A Simple Three-Layer Defense

The Bottom Line

Ready to try MicroReview?

Why `.gitignore` Isn't Enough