NullSquare

concept

Code Review

Source-aware security review: connect GitHub, map a repository to a scope, run a source-aware assessment, and get an automatic review on every pull request.

Code Review is the third core product. Where the Pentest Agent probes a running system from the outside and the Compliance Agent prepares audit evidence, Code Review works at the pull request: when a developer opens a PR against a mapped repository, the agent reviews the changed code for security issues and surfaces what it finds — before the change ships.

It builds on the same GitHub integration and repository-to-scope mapping that unlock white-box testing, so if you have already connected a repository for source-aware assessments, enabling PR review is a single switch.

What Code Review does

Code Review is the third core product. When a developer opens a pull request against a repository you have mapped to a scope, the agent reviews the changed code for security issues — in the context of the surrounding codebase — and posts what it finds before the change ships. It builds on the same GitHub integration and repository-to-scope mapping that unlock white-box testing, so once a repository is connected, turning on PR review is a single switch.

The code review flow. Connect once and map a repository; from there a source-aware assessment is a click, and every pull request is reviewed automatically.
Play: PR review walkthroughInteractive demo · opens in the app

Step 1 — Connect GitHub

An Owner or Admin connects the GitHub integration once, at the organization level, and syncs the repositories you want available. The connection is read-only: the agent reads repositories to analyze code, and never pushes changes or alters repository settings.

Connect GitHub once, at the organization level, and sync the repositories you want available. The connection is read-only — the agent reads code to analyze it, never pushes changes.

Step 2 — Map the repository and turn on PR review

Open the scope that represents the system the repository backs, open Repositories, and connect the repository to it — mapping makes it available to the agent for source-aware analysis. Then turn on PR review for that mapping. That is the whole setup; every pull request from here is reviewed automatically.

Connect the repository to the scope that represents the system it backs, then flip on PR review. That single switch is what triggers a review on every future pull request.

Step 3 — Start a white-box assessment

A mapped repository also unlocks full source-aware assessments. From the home launcher, start a run the same way you would a pentest — the agent now works with the advantage of the source, reasoning about the code behind the surface. PR review, next, is the incremental version of this that runs on every change instead of on demand.

With the repository mapped, run a full source-aware assessment — the same one-click Start as any assessment, now with the agent able to read the code, not just probe from outside.

Step 4 — Every pull request gets reviewed

Once PR review is on, the loop repeats for every pull request with no further setup. A developer opens a PR; the agent fetches the diff, analyzes the changed files for security issues, validates them against the codebase, and posts a review with the exact code location, severity, and a fix. Each issue also becomes a finding in NullSquare, tied to the scope and worked through the same lifecycle as any other — validate, assign, remediate, or accept risk.

On each pull request, a review session fetches the diff, analyzes the changed files, and — here — finds insecure deserialization at an exact file and line, posting a review with severity and a fix.

Access boundary

Code Review uses the same read-only, scope-bound GitHub access as white-box testing. The agent can read only the repositories a scope has explicitly mapped — no others, even ones the organization owns — and it does not push code or change repository settings.

Related articles

Last updated Jul 14, 2026