CodeMouse Docs

Everything you need to set up automated AI code reviews on your GitHub repositories — from first install to advanced configuration.

Getting Started

CodeMouse is a GitHub App that automatically posts AI-powered code review comments on every pull request. You bring your own AI provider API key — CodeMouse itself is completely free.

Prerequisites

  • A GitHub account (individual or organization)
  • An API key from at least one supported AI provider (OpenAI, Anthropic, Gemini, or Groq)
  • Repositories where you want automated PR reviews

Installation

Installing CodeMouse takes under 2 minutes and requires no code changes to your repositories.

01. Create your account
Sign in at codemouse.io/login using your GitHub account. We use GitHub OAuth — no separate password needed.

02. Install the GitHub App
From your dashboard, click "Install GitHub App". You'll be redirected to GitHub to choose which repositories to grant access to. You can install on all repos or select specific ones.

03. Add your AI provider key
In Settings → API Keys, add your API key from OpenAI, Anthropic, Gemini, or Groq. Select your preferred model and save.

04. Open a pull request
That's it. Open any PR on an enabled repository and CodeMouse will post a detailed review comment within 60 seconds.

Configuration

All configuration happens through the Settings page in your dashboard — no config files, no YAML.

  • API Keys: Add and manage API keys for each supported AI provider. Keys are encrypted at rest with AES-256-GCM.
  • Active Model: Choose which provider and model to use for reviews. You can switch anytime — changes take effect on the next PR.
  • Repository Access: Manage which repositories CodeMouse can access through your GitHub App installation settings.

API Keys

CodeMouse uses a Bring-Your-Own-Key (BYOK) model. You pay your AI provider directly based on usage. CodeMouse itself is free.

| Provider | Models | Key prefix | Est. cost / review |
|---|---|---|---|
| OpenAI | gpt-4o, gpt-4o-mini, gpt-4-turbo | sk- | $0.01–0.05 / review |
| Anthropic | claude-3-5-sonnet-20241022, claude-3-haiku-20240307 | sk-ant- | $0.01–0.06 / review |
| Google Gemini | gemini-1.5-flash, gemini-1.5-pro | AIza | $0.005–0.03 / review |
| Groq | llama-3.1-70b-versatile, mixtral-8x7b-32768 | gsk_ | ~$0.001 / review |

Security note: All API keys are encrypted with AES-256-GCM before being stored. Keys are never logged, never transmitted to third parties, and are only decrypted in memory at review time.
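
As an added illustration of the AES-256-GCM storage pattern described in the security note (this is not CodeMouse's own code), the Node.js sketch below encrypts a provider key with a fresh nonce and decrypts it in memory. The function names, the `iv || tag || ciphertext` layout, and the use of `userId:provider` as associated data are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Encrypts one provider key under the 32-byte server-side key. `aad` (assumed:
// "userId:provider") is authenticated but not encrypted, binding the blob to its row.
function sealApiKey(masterKey, apiKey, aad) {
  const iv = crypto.randomBytes(IV_LEN); // never reuse a nonce under the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypts in memory; throws if the key, AAD, nonce, tag or ciphertext is wrong.
function openApiKey(masterKey, sealed, aad) {
  const raw = Buffer.from(sealed, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("sealed value too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", masterKey, iv, {
    authTagLength: TAG_LEN,
  });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(tag);
  const body = raw.subarray(IV_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Returns the plaintext, or null when authentication fails.
function tryOpen(masterKey, sealed, aad) {
  try { return openApiKey(masterKey, sealed, aad); } catch { return null; }
}

// Constructed values: a throwaway master key and a fake provider key.
const MASTER_KEY = crypto.randomBytes(32);
const SAMPLE_KEY = "sk-constructed-not-a-real-key";
const sealedSample = sealApiKey(MASTER_KEY, SAMPLE_KEY, "user-42:openai");
console.log(tryOpen(MASTER_KEY, sealedSample, "user-42:openai") === SAMPLE_KEY);
console.log(tryOpen(MASTER_KEY, sealedSample, "user-43:openai")); // wrong row
```

Because the associated data is authenticated, a ciphertext copied onto another user's row fails to decrypt rather than yielding that user someone else's key.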

Understanding Reviews

CodeMouse posts a single structured comment on each PR. Here's how to read it.

  • Critical: Bugs, null dereferences, crashes, and runtime errors. These should be fixed before merging.
  • Security: OWASP Top 10 issues, hardcoded secrets, injection vulnerabilities, unsafe deserialization, and timing attacks.
  • Performance: N+1 queries, memory leaks, inefficient loops, unnecessary re-renders, and missing indexes.
  • Code Quality: Readability issues, naming problems, code duplication, missing error handling, and style inconsistencies.

Example review comment
## 🤖 CodeMouse Review

### 🔴 Critical — src/auth/session.ts:47
**Null dereference on unauthenticated request**
user.profile is accessed without verifying session state.
→ Fix: Add `if (!user?.profile) return null` before line 47.

### 🟡 Security — api/payments/webhook.ts:112
**Timing-unsafe signature comparison**
String equality on HMAC digest is vulnerable to timing attacks.
→ Fix: Use `crypto.timingSafeEqual()` for constant-time comparison.

### 🔵 Performance — components/UserList.tsx:34
**N+1 query inside render loop**
getUser() called per iteration — 100 users = 100 DB queries.
→ Fix: Batch with `getUsers(ids)` + Map for O(1) lookup.

---
*Reviewed by CodeMouse using gpt-4o-mini · 0.8s*

Webhook Reference

CodeMouse listens to GitHub's pull_request webhook events. The webhook endpoint is POST /api/webhook.

Triggered events

  • opened: New PR created — triggers full review
  • synchronize: New commits pushed — triggers re-review
  • reopened: Closed PR re-opened — triggers review

Security

All webhook payloads are verified using GitHub's HMAC-SHA256 signature (X-Hub-Signature-256 header) with your app's webhook secret. Requests with invalid or missing signatures are rejected with 401 Unauthorized.
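
The check described above can be sketched in Node.js as follows. This is an added example, not CodeMouse's own handler: the function names, the 202 status for accepted deliveries, and the sample secret and payload are assumptions. It verifies `X-Hub-Signature-256` over the raw request bytes with a constant-time comparison before parsing anything, then filters on the three triggering actions.

```javascript
const crypto = require("node:crypto");

// pull_request actions the page lists as triggering a review.
const REVIEW_ACTIONS = new Set(["opened", "synchronize", "reopened"]);

// True only when `header` is exactly "sha256=" + hex HMAC-SHA256(secret, rawBody).
function verifySignature(secret, rawBody, header) {
  const m = typeof header === "string" && /^sha256=([0-9a-f]{64})$/.exec(header);
  if (!m) return false; // missing or malformed header
  const received = Buffer.from(m[1], "hex");
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(received, expected);
}

// Hypothetical handler: returns the HTTP status and whether to start a review.
// rawBody must be the exact bytes received, not re-serialized JSON.
function handleWebhook(secret, headers, rawBody) {
  if (!verifySignature(secret, rawBody, headers["x-hub-signature-256"])) {
    return { status: 401, review: false };
  }
  if (headers["x-github-event"] !== "pull_request") {
    return { status: 202, review: false }; // authentic, but not a PR event
  }
  const { action } = JSON.parse(rawBody.toString("utf8")); // parse only after verifying
  return { status: 202, review: REVIEW_ACTIONS.has(action) };
}

// Constructed delivery for the demo (secret and payload are made up).
const SECRET = "constructed-webhook-secret";
function signedDelivery(payload, secret = SECRET) {
  const rawBody = Buffer.from(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
  return {
    rawBody,
    headers: { "x-github-event": "pull_request", "x-hub-signature-256": "sha256=" + sig },
  };
}

const sample = signedDelivery({ action: "opened", number: 7 });
console.log(handleWebhook(SECRET, sample.headers, sample.rawBody));
```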

Frequently Asked Questions

Does CodeMouse store my source code?

No. CodeMouse receives the PR diff from GitHub, passes it to your AI provider using your key, and discards it. Your source code is never stored on our servers.

How is my API key protected?

API keys are encrypted with AES-256-GCM using a unique server-side encryption key before being written to the database. They are only decrypted in memory during review processing.

What if I don't have an API key?

CodeMouse will post a comment on the PR explaining that no API key is configured, and link you to Settings to add one. No review will be attempted.

Can I use different models for different repos?

Currently CodeMouse uses your globally selected active model for all repositories. Per-repo model selection is on the roadmap.

How long does a review take?

Typically 15–60 seconds, depending on PR size and the AI provider's response time. Large PRs with 500+ changed lines may take slightly longer.

Is there a line limit on PR diffs?

CodeMouse reviews up to ~4,000 lines of diff per PR. For very large PRs, it reviews the most significant files first.

Can I disable reviews for specific branches?

Not yet. Reviews are currently triggered by any PR opened against any base branch, and there is no UI setting to change that. Branch filtering is on the roadmap.

How do I remove CodeMouse from a repository?

Uninstall the GitHub App from your GitHub account settings under Applications → Installed GitHub Apps → CodeMouse → Configure.
