concept
Code Review
Source-aware security review: connect GitHub, map a repository to a scope, run a source-aware assessment, and get an automatic review on every pull request.
Code Review is the third core product. Where the Pentest Agent probes a running system from the outside and the Compliance Agent prepares audit evidence, Code Review works at the pull request: when a developer opens a PR against a mapped repository, the agent reviews the changed code for security issues and surfaces what it finds — before the change ships.
It builds on the same GitHub integration and repository-to-scope mapping that unlock white-box testing, so if you have already connected a repository for source-aware assessments, enabling PR review is a single switch.
What Code Review does
Code Review is the third core product. When a developer opens a pull request against a repository you have mapped to a scope, the agent reviews the changed code for security issues — in the context of the surrounding codebase — and posts what it finds before the change ships. It builds on the same GitHub integration and repository-to-scope mapping that unlock white-box testing, so once a repository is connected, turning on PR review is a single switch.
Step 1 — Connect GitHub
An Owner or Admin connects the GitHub integration once, at the organization level, and syncs the repositories you want available. The connection is read-only: the agent reads repositories to analyze code, and never pushes changes or alters repository settings.
Step 2 — Map the repository and turn on PR review
Open the scope that represents the system the repository backs, open Repositories, and connect the repository to it — mapping makes it available to the agent for source-aware analysis. Then turn on PR review for that mapping. That is the whole setup; every pull request from here is reviewed automatically.
Step 3 — Start a white-box assessment
A mapped repository also unlocks full source-aware assessments. From the home launcher, start a run the same way you would a pentest — the agent now works with the advantage of the source, reasoning about the code behind the surface. PR review, next, is the incremental version of this that runs on every change instead of on demand.
Step 4 — Every pull request gets reviewed
Once PR review is on, the loop repeats for every pull request with no further setup. A developer opens a PR; the agent fetches the diff, analyzes the changed files for security issues, validates them against the codebase, and posts a review with the exact code location, severity, and a fix. Each issue also becomes a finding in NullSquare, tied to the scope and worked through the same lifecycle as any other — validate, assign, remediate, or accept risk.
Access boundary
Code Review uses the same read-only, scope-bound GitHub access as white-box testing. The agent can read only the repositories a scope has explicitly mapped — no others, even ones the organization owns — and it does not push code or change repository settings.
Related articles
Last updated Jul 14, 2026
