Risk analysis, agent trust scoring, and auto-merge for AI-powered dev teams
Claude Code, Copilot, Cursor, and Devin are flooding your repo with pull requests. MergeShield scores every PR for risk, tracks each agent's history, and auto-merges what's safe — so you ship faster without the fear.
Free forever for individuals · No credit card required
Works with your AI coding agents
Get started in minutes, not days
One-click install on your repos. No code changes, no config files. Start getting insights in 30 seconds.
Each pull request is scored across 6 risk dimensions — security, complexity, blast radius, and more.
Auto-merge safe PRs, flag risks, require approvals, and build per-agent trust over time.
Watch the full flow — from install to auto-merge in 30 seconds
See how MergeShield works
Interactive walkthrough · 5 steps · 35 seconds
One click to connect MergeShield to your repositories. No config files, no CI changes.
Zero config
Works on any GitHub repo. No CI files to edit.
Real-time risk analysis and governance dashboard
MergeShield posts a detailed risk analysis directly on your pull request — no context-switching, no dashboard required.
Overall Risk: 62/100 HIGH
This PR introduces JWT-based authentication across the application. The security risk is elevated due to token handling in client-side storage and a missing token rotation mechanism. The blast radius is moderate as it affects middleware, API routes, and the user model. Test coverage is incomplete for edge cases like expired tokens and concurrent sessions.
| Dimension | Score | Level |
|---|---|---|
| Complexity | 45/100 | Medium |
| Security | 78/100 | Critical |
| Blast Radius | 55/100 | High |
| Test Coverage | 60/100 | High |
| Breaking Change | 35/100 | Medium |
| File | Risk | Category | Details |
|---|---|---|---|
| src/lib/auth.ts | 82/100 | Security | Core authentication logic with JWT secret handling and token generation |
| src/middleware/auth.ts | 68/100 | Blast Radius | Middleware applied to all 12 authenticated API routes |
| src/models/user.ts | 55/100 | Breaking Change | Schema changes to user model affect existing database records |
| src/routes/auth.ts | 50/100 | Security | Login and signup endpoints handle raw credentials |
| src/lib/token-store.ts | 45/100 | Security | Client-side token storage using localStorage (XSS-vulnerable) |
Analyzed by MergeShield • Model: claude-sonnet-4-20250514 • 14 files • 12400ms
Every PR gets a 0–100 risk score across six dimensions. Your team knows at a glance whether this needs deep review.
Security, complexity, blast radius, tests, breaking changes — each scored independently so nothing gets missed.
Specific, line-level findings with concrete suggestions. Not vague warnings — actual next steps for the author.
Every file scored individually. Reviewers know exactly where to focus their attention.
to govern AI-generated code
Every pull request is analyzed by Claude AI across six risk dimensions, producing a structured score with confidence ratings and detailed reasoning.
Automatically identify which AI coding agent authored each pull request. Match patterns across branch names, commit messages, git trailers, and author metadata.
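One way to implement detection of this kind, shown here as an added example rather than MergeShield's own code: parse git trailers out of each commit message, then match the author login, branch prefix, and Co-Authored-By trailer against a signal table. The patterns in `AGENT_SIGNATURES` and the sample PRs are assumptions constructed for the example. All three signals are written by whoever pushed the commits, so this is attribution, not authentication: a human can claim or strip any of them, which is why a detected agent should only feed a trust score, never grant permissions on its own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

TRAILER_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.+?)\s*$")


def parse_trailers(message: str) -> dict[str, list[str]]:
    """Git trailers: 'Key: value' lines that make up the final paragraph of a
    commit message. Simplified rules: the subject line alone is never a trailer
    block, and every line of the block must be a trailer. Keys are lower-cased."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    if len(paragraphs) < 2:
        return {}
    trailers: dict[str, list[str]] = {}
    for line in paragraphs[-1].splitlines():
        m = TRAILER_RE.match(line)
        if not m:
            return {}
        trailers.setdefault(m.group(1).lower(), []).append(m.group(2))
    return trailers


@dataclass
class PullRequestMeta:
    """Subset of what a GitHub App sees for a PR (constructed for this example)."""
    branch: str
    author_login: str
    commit_messages: list[str] = field(default_factory=list)


# Illustrative signal table: assumed patterns, not MergeShield's actual rules.
# Order matters; the first agent with any matching signal wins.
AGENT_SIGNATURES: dict[str, dict[str, str]] = {
    "devin":       {"author": r"^devin-ai-integration\[bot\]$", "branch": r"^devin/"},
    "copilot":     {"author": r"^copilot-swe-agent\[bot\]$",   "branch": r"^copilot/"},
    "claude-code": {"branch": r"^claude/", "coauthor": r"\bClaude\b"},
    "cursor":      {"branch": r"^cursor/", "coauthor": r"\bCursor\b"},
}


def identify_agent(pr: PullRequestMeta) -> Optional[str]:
    """Match author login, branch name, and Co-Authored-By trailers against the table."""
    coauthors = [v for msg in pr.commit_messages
                 for v in parse_trailers(msg).get("co-authored-by", [])]
    for agent, sig in AGENT_SIGNATURES.items():
        if "author" in sig and re.search(sig["author"], pr.author_login, re.I):
            return agent
        if "branch" in sig and re.search(sig["branch"], pr.branch, re.I):
            return agent
        if "coauthor" in sig and any(re.search(sig["coauthor"], c, re.I) for c in coauthors):
            return agent
    return None


# Constructed sample PRs: one carrying a Claude trailer, one from a bot account, one human.
SAMPLE_PRS = {
    "jwt": PullRequestMeta(
        branch="feature/jwt-auth", author_login="octocat",
        commit_messages=["Add JWT-based authentication\n\nIssue and verify tokens.\n\n"
                         "Co-Authored-By: Claude <noreply@anthropic.com>"]),
    "devin": PullRequestMeta(branch="devin/fix-flaky-tests",
                             author_login="devin-ai-integration[bot]",
                             commit_messages=["Fix flaky tests"]),
    "human": PullRequestMeta(branch="fix/typo", author_login="alice",
                             commit_messages=["Fix typo in README"]),
}


def classify_all() -> dict[str, Optional[str]]:
    """Run detection over the sample PRs; None means no agent signal was found."""
    return {name: identify_agent(pr) for name, pr in SAMPLE_PRS.items()}


if __name__ == "__main__":
    print(classify_all())
```

`parse_trailers` deliberately refuses a block that mixes trailer and non-trailer lines, so a stray "Note: ..." sentence at the end of a commit body is not mistaken for a trailer.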
Build trust in your AI agents over time. Each agent earns a trust score based on their PR history, risk outcomes, and activity patterns within your organization.
Define when pull requests can be automatically merged. Configure risk thresholds, trust requirements, file limits, and exclusion patterns.
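An added example, not MergeShield's code, that ties the two preceding points together: a per-agent trust score earned from PR history, and an auto-merge policy that checks overall risk, per-dimension ceilings, minimum trust, a file-count limit, and excluded path patterns. The trust formula, the policy defaults, the record shapes and the sample PRs are all assumptions; the sample analysis reuses the scores and five of the file paths from the PR comment shown above. Two practitioner details are built in: every rule is evaluated so the PR comment can list all blockers, and a missing dimension score fails closed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class AgentHistory:
    """Outcomes recorded for one agent within one organization (constructed shape)."""
    merged: int = 0
    reverted: int = 0      # merged PRs that were later reverted
    high_risk: int = 0     # PRs that scored above the policy's risk ceiling


PRIOR_WEIGHT = 10  # pseudo-count: a new agent starts at 0 and earns trust per clean merge


def trust_score(h: AgentHistory) -> float:
    """0-100. Share of clean merges, damped by a prior so one lucky PR does not
    yield high trust, then discounted by the agent's high-risk rate.
    Illustrative formula, not MergeShield's."""
    clean = max(0, h.merged - h.reverted) / (h.merged + PRIOR_WEIGHT)
    risky_rate = h.high_risk / h.merged if h.merged else 0.0
    return round(100 * clean * (1 - 0.5 * risky_rate), 1)


@dataclass
class AnalysisResult:
    """Per-PR output of the risk analysis (shape assumed for this example)."""
    overall_risk: int            # 0-100, higher is riskier
    dimensions: dict[str, int]   # per-dimension scores, same scale
    files: list[str]


@dataclass
class AutoMergePolicy:
    max_risk: int = 30
    max_dimension: dict[str, int] = field(
        default_factory=lambda: {"security": 40, "breaking_change": 40})
    min_trust: float = 70.0
    max_files: int = 10
    # fnmatch globs; note that '*' also matches '/', unlike gitignore semantics
    excluded_globs: list[str] = field(
        default_factory=lambda: ["*/auth*", "*.env", ".github/workflows/*"])


def evaluate(pr: AnalysisResult, trust: float, policy: AutoMergePolicy) -> tuple[str, list[str]]:
    """Return ("auto-merge" | "require-approval", reasons). All rules run; a
    dimension the analysis did not score is treated as over its ceiling."""
    reasons: list[str] = []
    if pr.overall_risk > policy.max_risk:
        reasons.append(f"overall risk {pr.overall_risk} exceeds {policy.max_risk}")
    for dim, limit in policy.max_dimension.items():
        score = pr.dimensions.get(dim)
        if score is None or score > limit:
            reasons.append(f"{dim} score {score} exceeds {limit}")
    if trust < policy.min_trust:
        reasons.append(f"agent trust {trust} below {policy.min_trust}")
    if len(pr.files) > policy.max_files:
        reasons.append(f"{len(pr.files)} files changed, limit {policy.max_files}")
    for path in pr.files:
        if any(fnmatchcase(path, g) for g in policy.excluded_globs):
            reasons.append(f"{path} matches an excluded pattern")
    return ("auto-merge" if not reasons else "require-approval", reasons)


# Constructed inputs: the JWT PR from the sample comment above and a docs-only PR.
JWT_PR = AnalysisResult(
    overall_risk=62,
    dimensions={"complexity": 45, "security": 78, "blast_radius": 55,
                "test_coverage": 60, "breaking_change": 35},
    files=["src/lib/auth.ts", "src/middleware/auth.ts", "src/models/user.ts",
           "src/routes/auth.ts", "src/lib/token-store.ts"],
)
DOCS_PR = AnalysisResult(
    overall_risk=8,
    dimensions={"complexity": 5, "security": 2, "blast_radius": 3,
                "test_coverage": 10, "breaking_change": 0},
    files=["README.md"],
)
SEASONED_AGENT = AgentHistory(merged=40, reverted=2, high_risk=4)
NEW_AGENT = AgentHistory()


if __name__ == "__main__":
    for agent in (SEASONED_AGENT, NEW_AGENT):
        for pr in (JWT_PR, DOCS_PR):
            print(trust_score(agent), evaluate(pr, trust_score(agent), AutoMergePolicy()))
```

With these defaults the JWT PR is held for approval on five counts (overall risk, the security dimension, and three paths under the `*/auth*` exclusion), while the docs-only PR auto-merges for the seasoned agent but not for a brand-new one whose trust is still 0.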
Require human approval for high-risk changes with full bidirectional GitHub sync. Approve or request changes from either MergeShield or GitHub — both stay perfectly in sync.
Get AI-powered review suggestions extracted from every risk analysis. When a reviewer requests changes, MergeShield posts structured action items directly on the GitHub PR — with checkboxes AI agents can parse and act on.
Add AI risk analysis to any CI pipeline. Drop in the mergeshield/risk-check action for instant risk scoring with pass/fail status checks.
Monitor your AI agents live. Server-Sent Events powered by Redis pub/sub stream every governance event to your dashboard the moment it happens.
Build on top of MergeShield with a full REST API, outgoing webhooks, and multi-channel notifications. Integrate AI governance into your existing workflows.
Manual code review doesn't scale for AI-generated PRs
Connects with the tools you already use
App + Action
Bidirectional sync — approvals, merges, and PR state
Real-time Alerts
Block Kit formatted messages with risk context
Developer Platform
120 req/min rate limit, org-scoped access
Event Subscriptions
HMAC-signed callbacks with auto-deactivation
Notifications
Personalized reviewer emails with direct approval links
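For the Event Subscriptions item above (HMAC-signed callbacks with auto-deactivation), here is an added example of both sides of such a webhook, written for this page and not taken from MergeShield: the sender signs the raw body together with a timestamp and disables a subscription after repeated delivery failures; the receiver checks the timestamp window and compares the signature in constant time. The header names, signature format, skew window, failure limit and sample event are assumptions. The receiver verifies the exact request bytes, not a re-serialized JSON object, because any re-encoding changes the bytes the MAC was computed over.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable

# Assumed wire format for this example, not MergeShield's documented headers.
SIGNATURE_HEADER = "X-MergeShield-Signature"
TIMESTAMP_HEADER = "X-MergeShield-Timestamp"
MAX_SKEW_SECONDS = 300  # deliveries older than this are treated as replays


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over "<timestamp>.<raw body>", so the timestamp
    cannot be swapped without invalidating the signature."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify(secret: bytes, headers: dict[str, str], body: bytes, now: int) -> bool:
    """Receiver side: reject stale timestamps, then compare in constant time."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # HTTP headers are case-insensitive
    sig = hdrs.get(SIGNATURE_HEADER.lower(), "")
    ts = hdrs.get(TIMESTAMP_HEADER.lower(), "")
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, int(ts), body)
    return hmac.compare_digest(expected.encode(), sig.encode())


Transport = Callable[[str, dict[str, str], bytes], bool]  # True on a 2xx response


@dataclass
class WebhookEndpoint:
    """Sender-side subscription: counts consecutive failures and deactivates
    itself once the limit is reached."""
    url: str
    secret: bytes
    max_failures: int = 5
    failures: int = 0
    active: bool = True

    def deliver(self, event: dict, post: Transport, now: int) -> bool:
        if not self.active:
            return False
        body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
        headers = {
            "Content-Type": "application/json",
            TIMESTAMP_HEADER: str(now),
            SIGNATURE_HEADER: sign(self.secret, now, body),
        }
        ok = post(self.url, headers, body)
        self.failures = 0 if ok else self.failures + 1
        if self.failures >= self.max_failures:
            self.active = False
        return ok


# Constructed sample event and shared secret.
SAMPLE_EVENT = {"type": "pr.auto_merged", "pr": 42, "agent": "claude-code", "risk": 18}
SHARED_SECRET = b"example-secret-rotate-me"


def make_receiver(secret: bytes, now: int) -> Transport:
    """Fake transport: runs the receiver's verification instead of an HTTP POST."""
    return lambda _url, headers, body: verify(secret, headers, body, now)


def demo() -> tuple[bool, bool, bool]:
    """Returns (good delivery accepted, tampered body accepted, endpoint still active
    after repeated failures)."""
    now = 1_700_000_000
    good = WebhookEndpoint("https://ci.example.internal/hooks", SHARED_SECRET)
    delivered = good.deliver(SAMPLE_EVENT, make_receiver(SHARED_SECRET, now), now)

    # Tampering in transit: original signature over a modified body must fail.
    body = json.dumps(SAMPLE_EVENT, separators=(",", ":"), sort_keys=True).encode()
    hdrs = {TIMESTAMP_HEADER: str(now), SIGNATURE_HEADER: sign(SHARED_SECRET, now, body)}
    tampered_ok = verify(SHARED_SECRET, hdrs, body.replace(b'"risk":18', b'"risk":99'), now)

    # A receiver configured with the wrong secret fails every delivery until
    # the sender deactivates the subscription.
    bad = WebhookEndpoint("https://ci.example.internal/hooks", SHARED_SECRET)
    for _ in range(bad.max_failures):
        bad.deliver(SAMPLE_EVENT, make_receiver(b"wrong-secret", now), now)
    return delivered, tampered_ok, bad.active


if __name__ == "__main__":
    print(demo())
```

On the receiving side, read the request body as bytes before any JSON parsing and pass those bytes to `verify`; frameworks that parse JSON for you often discard the original bytes, which is the most common reason a correctly implemented signature check fails in production.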
Start free, scale as you grow. Paid plans include a 14-day free trial.
Free
For individuals & open source
Team
For small teams shipping with AI
Pro
For teams automating their merge pipeline
Enterprise
For large organizations
Need more analyses? Overage at $0.15/analysis (Team) or $0.12/analysis (Pro).
Built with security-first principles from day one
All data encrypted at rest and in transit. TLS 1.3 for all API and webhook connections.
Every governance decision, trust change, and merge is logged with full actor and resource tracking.
We analyze pull request diffs, not a clone of your repository. Only the diff under review is sent for analysis; the rest of your codebase stays on GitHub's infrastructure.
SOC 2 Type II compliance in progress. Data processing agreements available on request.
Start governing AI-generated code in under a minute. Free forever for individuals — no credit card required.