Stop merging unreviewed AI code.
CodeVetter is a desktop review tool for the diffs your agent ships. It catches 14 vulnerability classes (SQLi, PII leaks, CSRF, broken auth, and more) that Cursor, Claude Code, and Devin routinely miss. Runs entirely offline.
36 import { db } from "@/lib/sql";
37 38 async function validateSession(token: string) {
39 // resolve session for the incoming request 40 const query = `SELECT * FROM sessions WHERE token = '${token}'`;
41 const result = await db.execute(query);
42 if (!result.rows[
0])
throw new Error(
"Invalid session");
43 return result.rows[
0];
44 } Token concatenated directly into query body. Allows arbitrary read/write against sessions table.
Built for the way agents ship code.
Cursor, Claude Code, Devin. They merge fast and miss things. CodeVetter is the second pair of eyes that runs on your laptop.
Diff-aware review engine
Parses your patch, traces affected call sites, and feeds the LLM a focused context window. The prompts stay narrow and the file references are real.
apps/api/src/users.ts
- return await db.raw(`SELECT * FROM users WHERE id = ${id}`); + return await db.query(`SELECT * FROM users WHERE id = $1`, [id]);
apps/api/src/cache.ts
~ ttl 60s → 86400s · review eviction
~ no invalidation on user.update
Bring your own key
Anthropic, OpenAI, OpenRouter. Keys are stored in local app settings on your machine. We never proxy the traffic.
Runs offline
Tauri binary. SQLite under the hood. You don't need a backend or an account.
Git-native
Staged diffs, ranges, branches. Drop into any repo.
Severity-tiered
Critical → high → medium. Mapped to CWE & OWASP.
Patch suggestions, not pep talks
Every finding ships with a concrete code edit you can apply or discard. The reasoning is there if you want it, but it doesn't talk down to you.
Three steps. Zero ceremony.
No accounts, no setup wizards. Open the app, plug in a key, ship safer code.
Drop in your diff
Stage changes, paste a patch, or hand it a branch range. CodeVetter parses files, hunks, and call-sites locally.
Pick the model
Choose Claude, GPT, or anything OpenRouter routes. Switch per-review. We track token usage live and never proxy it.
Triage the verdict
Findings ranked by severity, mapped to CWE, with concrete patch diffs. Apply, edit, or dismiss with one keystroke.
Any model. Your key.
CodeVetter is provider-agnostic. Test the same diff across models, pin one per repo, or rotate as new releases land.
Anthropic
Recommended for security review
OpenAI
Fast diffs · strong code reasoning
OpenRouter
300+ models · single API key
Local LLMs
100% private · air-gapped
Free for solo. Honest above it.
No tokens, no per-review fees. We don't see your code, so we can't bill on it.
The full desktop binary. Bring your own LLM key. Use it forever, free.
Shared review presets and org policy rules. Everything stays on each machine.
Air-gapped installs, custom model routing, and dedicated security engineering.
Stop trusting agents blindly.
Install in 30 seconds and run your first review in under a minute. Your code never leaves your machine.
Questions, answered.
Everything you need to know about how CodeVetter vets agent-generated code.