Sourcery

Analyzes GitHub/GitLab pull request diffs by hooking into VCS webhooks, parsing changed code segments, and running static analysis + LLM-based pattern detection to generate line-by-line review comments directly on PR threads. The system maintains PR context (base branch, changed files, commit history) to provide targeted feedback rather than full-codebase analysis, reducing false positives from unchanged code.

Runs semantic code analysis using LLM inference to identify logic errors, common anti-patterns (e.g., unused variables, incorrect error handling, performance issues), and security vulnerabilities. For each detected issue, generates a concrete code fix suggestion with explanation, which developers can apply with a single click in the IDE or approve in the PR interface. The system maintains a library of known patterns (likely trained or curated) to recognize recurring issues across codebases.

Analyzes code changes across multiple files within a pull request to detect dependencies, imports, and architectural impacts that single-file analysis would miss. The system builds a dependency graph of changed files, identifies which other files are affected by the changes, and detects potential breaking changes or unintended side effects. This capability enables detection of issues like unused imports after refactoring, missing dependency updates, or architectural violations that span multiple files.

Allows teams to configure which code review findings should block PR merges versus which should only generate warnings or informational comments. Severity levels (error, warning, info) can be customized per rule, and blocking rules can be enforced at the repository or organization level. This enables teams to distinguish between critical issues (security vulnerabilities, architectural violations) that must be fixed before merge and suggestions (style improvements, performance optimizations) that are informational.

Enforces repository-wide or team-wide coding standards by analyzing code against configurable rule sets (style, naming conventions, architectural patterns). The system can be configured with custom standards (Team tier+) or use built-in defaults, then automatically flags violations in PRs and suggests corrections. Standards are applied consistently across all team members' code, enabling drift detection when developers deviate from established patterns.

Scans code and dependencies for known security vulnerabilities, logic errors that could lead to exploits (e.g., SQL injection, XSS, insecure deserialization), and risky patterns (e.g., hardcoded secrets, weak cryptography). The system integrates with dependency databases to identify vulnerable package versions and provides remediation guidance (upgrade recommendations, patch suggestions). Scanning can be triggered on-demand or scheduled (biweekly on Open Source tier, daily on Team tier).

Provides IDE plugin integration (VS Code, JetBrains IDEs) that analyzes code as developers type, displaying inline review feedback, bug warnings, and fix suggestions in real-time. Developers can apply suggested fixes with a single click, which updates the code immediately. The IDE plugin communicates with Sourcery's cloud backend (or local analysis engine on Enterprise tier) to provide instant feedback without requiring PR submission, enabling shift-left security and quality practices.

Performs repository-wide or multi-repository scans to identify accumulated tech debt (code duplication, unused code, outdated patterns), detect when code drifts from established architectural patterns, and generate summaries of code quality trends over time. The system can identify when new code violates patterns established in older code, flagging inconsistencies that might indicate architectural decay. Results are presented as dashboards or reports showing tech debt hotspots and drift metrics.

Allows teams on Team tier and above to configure which LLM provider and model powers Sourcery's analysis (default: OpenAI GPT-4 or GPT-3.5). Teams can bring their own LLM endpoints (custom OpenAI instances, Anthropic Claude, or other providers) or use Sourcery's managed LLM service. The system routes code analysis requests to the configured LLM backend, enabling teams to use preferred models, comply with data residency requirements, or optimize for cost/latency tradeoffs.

Extends security scanning beyond single repositories to analyze multiple repositories in a team or organization, aggregating vulnerability findings and risk metrics across repos. The system can identify shared dependencies with vulnerabilities across repos, flag when one repo's vulnerable code pattern appears in others, and provide organization-wide security dashboards. Scanning scope varies by tier (3 repos on Open Source, 10 on Pro, 200+ on Team).

Automatically generates natural-language summaries of code changes in PRs, explaining what changed, why it matters, and potential architectural impacts. The system analyzes diffs to identify high-level changes (new features, refactoring, bug fixes, dependency updates) and generates summaries that help reviewers understand intent without reading every line. Can also generate architecture diagrams showing how changes affect system design.

Integrates with GitHub and GitLab webhook systems to automatically trigger code review analysis whenever a pull request is created or updated. The system receives webhook events, fetches the PR diff and metadata via repository APIs, performs analysis, and posts review comments back to the PR as native GitHub/GitLab reviews. This integration enables zero-configuration code review automation — once installed, reviews are triggered automatically without manual invocation.