Built for the age of AI-assisted development
Merge with confidence.
AI agents and teammates write PRs fast. Vigil reads every claim, verifies it against the actual diff, and surfaces changes nobody mentioned. So you know exactly what you’re merging.
See every line of code
Vigil is open source. Read the code, audit the logic, verify the claims.
Browse on GitHub →
Read a real PR review
See exactly what Vigil posts on a pull request. No mock-ups, no demos.
See PR #7 →
Check our uptime
Vigil runs on dedicated infrastructure. Check the health endpoint anytime.
View status →
We don't have a wall of logos yet. We have something better: radical transparency.
Your PR says one thing.
The code says another.
Your team merges 50 PRs a week. How many did someone actually read line by line? AI agents write code in minutes — complete with confident descriptions. “Adds auth middleware.” “Fixes the timeout bug.” “No breaking changes.” But who checks? Not CI — it tests if code runs, not if the PR is truthful. Not code review — your reviewer skimmed the diff in 30 seconds. The gap between what a PR claims and what the code does is the gap where bugs reach production.
How it works
Install
Add Vigil to your GitHub repos in one click. No code changes, no CI config, no setup.
Push a PR
Open a pull request. Any PR — from AI agents, teammates, or yourself. No test plan needed.
Get your score
Vigil verifies claims, surfaces undocumented changes, and analyzes impact. Results appear directly on the PR.
Three layers. Full verification.
Vigil reads your PR description, verifies every claim against the actual diff, and surfaces what you missed.
Reads your PR title and description. Extracts every claim — ‘adds auth middleware,’ ‘fixes timeout,’ ‘no breaking changes.’ Verifies each one against the actual diff. Then scans for everything the description didn’t mention: new dependencies, credentials, untested files.
Claims Verifier
LLM extracts and verifies each claim from your PR body against the actual diff. Confirmed, unverified, or contradicted.
Undocumented Changes
LLM scans the full diff for significant changes not mentioned in the PR description. New deps, env vars, schema changes.
Credential Scan
Scans the diff for hardcoded secrets, API keys, and passwords. Catches what code review misses.
Coverage Mapper
Checks if changed files have corresponding test files. Surfaces untested code before it ships.
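The three signals above (undocumented environment variables, hardcoded credentials, and missing test files) all start from the same input: the added lines of a unified diff. The script below is an added illustration written for this page, not the Vigil project's code; it parses a constructed sample diff, runs a few credential patterns over the added lines only, surfaces environment variables the diff introduces, and maps each changed source file to the test locations a repo conventionally uses. The sample diff, the repository file list, the credential rules and the test-layout conventions are all assumptions chosen for the demonstration.

```python
"""Toy PR diff scanner: credential scan, env-var surfacing and test-coverage
mapping over a unified diff. Illustrative only; not the Vigil project's code."""
import re
from pathlib import PurePosixPath

# Constructed sample diff in `git diff` format (not a real pull request).
SAMPLE_DIFF = """\
diff --git a/src/middleware/auth.ts b/src/middleware/auth.ts
--- a/src/middleware/auth.ts
+++ b/src/middleware/auth.ts
@@ -1,3 +1,5 @@
 import jwt from "jsonwebtoken";
+const JWT_SECRET = "EXAMPLE-not-a-real-secret-0123456789";
+export const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
 export function verify(token: string) {
diff --git a/src/rate-limiter.ts b/src/rate-limiter.ts
--- /dev/null
+++ b/src/rate-limiter.ts
@@ -0,0 +1,2 @@
+import Redis from "ioredis";
+export const redis = new Redis(process.env.REDIS_URL);
diff --git a/src/rate-limiter.test.ts b/src/rate-limiter.test.ts
--- /dev/null
+++ b/src/rate-limiter.test.ts
@@ -0,0 +1 @@
+test("limits repeated calls", () => {});
"""

# Repository tree at the PR head (constructed; a real tool would list it via the API).
REPO_FILES = {"src/middleware/auth.ts", "src/rate-limiter.ts",
              "src/rate-limiter.test.ts", "package.json"}

# Assumed credential rules; real scanners carry far larger rule sets.
CREDENTIAL_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-secret-assignment", re.compile(
        r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['\"][^'\"]{12,}['\"]")),
]
ENV_VAR_RE = re.compile(r"process\.env\.([A-Z][A-Z0-9_]*)|os\.environ(?:\.get\(|\[)['\"]([A-Z][A-Z0-9_]*)")
SOURCE_EXTS = {".ts", ".tsx", ".js", ".jsx", ".py", ".go"}


def added_lines(diff_text):
    """Map each target path in a unified diff to its added lines as (new line number, text)."""
    files, path, new_line = {}, None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:]
            path = None if target == "/dev/null" else target[2:]  # drop the "b/" prefix
            if path is not None:
                files.setdefault(path, [])
        elif raw.startswith("@@"):
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw).group(1))
        elif raw.startswith("+") and path is not None:
            files[path].append((new_line, raw[1:]))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1  # context lines advance the new-file line counter
    return files


def scan_credentials(files):
    """Run every credential rule over added lines only; unchanged code is out of scope."""
    return [(path, n, rule) for path, lines in files.items()
            for n, text in lines for rule, pattern in CREDENTIAL_RULES if pattern.search(text)]


def find_env_vars(files):
    """Surface environment variables introduced by the diff so they can be documented."""
    found = []
    for path, lines in files.items():
        for n, text in lines:
            for m in ENV_VAR_RE.finditer(text):
                found.append((m.group(1) or m.group(2), path, n))
    return found


def is_test_file(path):
    p = PurePosixPath(path)
    return (".test." in p.name or ".spec." in p.name or p.name.startswith("test_")
            or p.name.endswith("_test.go") or bool({"tests", "test", "__tests__"} & set(p.parts)))


def candidate_tests(path):
    """Conventional test locations for a source file (assumed layouts, not a standard)."""
    p = PurePosixPath(path)
    names = [f"{p.stem}.test{p.suffix}", f"{p.stem}.spec{p.suffix}",
             f"test_{p.stem}{p.suffix}", f"{p.stem}_test{p.suffix}"]
    rel = p.parent.relative_to("src") if p.parts[0] == "src" else p.parent
    dirs = [p.parent, p.parent / "__tests__", PurePosixPath("tests") / rel, PurePosixPath("test") / rel]
    return {str(d / n) for d in dirs for n in names}


def coverage_gaps(files, repo_files):
    """Changed source files with no corresponding test file anywhere in the repo tree."""
    return [path for path in files
            if PurePosixPath(path).suffix in SOURCE_EXTS and not is_test_file(path)
            and not candidate_tests(path) & repo_files]


def review(diff_text, repo_files):
    files = added_lines(diff_text)
    return {"credentials": scan_credentials(files), "env_vars": find_env_vars(files),
            "coverage_gaps": coverage_gaps(files, repo_files)}


if __name__ == "__main__":
    for section, items in review(SAMPLE_DIFF, REPO_FILES).items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

On the sample diff this reports two credential hits in src/middleware/auth.ts, the new REDIS_URL variable in src/rate-limiter.ts, and a coverage gap for src/middleware/auth.ts, while src/rate-limiter.ts is covered by the test file the same PR adds. Scanning only added lines is a deliberate choice: it keeps the report about what this PR introduces rather than every pre-existing problem in a touched file.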
Goes deeper into structural impact. Detects when a PR touches both API and frontend, compares response shapes to ensure contracts still match, and performs granular diff analysis to find the gaps between what changed and what was documented.
Contract Checker
Detects when a PR touches both API and frontend. Compares response shapes to ensure they still match.
Diff Analyzer
Granular diff analysis comparing what the PR actually changed against what was documented. Finds the gaps between words and code.
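To make the Contract Checker idea concrete, here is an added example written for this page (not the Vigil project's implementation) of what "comparing response shapes" can mean: two constructed JSON responses for a hypothetical GET /api/users endpoint are walked in parallel, and only structural differences are reported: added keys, removed keys, and type changes. The endpoint, the sample payloads and the path prefixes used to decide whether a PR touches both API and frontend are assumptions.

```python
"""Toy response-shape comparison for API contract checks. Illustrative only;
not the Vigil project's Contract Checker."""
import json

# Constructed before/after responses for a hypothetical GET /api/users endpoint.
BEFORE = json.loads('{"users": [{"id": 1, "name": "ada"}], "total": 1}')
AFTER = json.loads('{"users": [{"id": 1, "name": "ada", "rateLimit": {"remaining": 99}}], "total": "1"}')

# Assumed repository layout used to decide whether both sides of a contract changed.
API_PREFIXES = ("src/api/", "server/")
FRONTEND_PREFIXES = ("src/components/", "web/", "frontend/")


def touches_api_and_frontend(changed_paths):
    """True when at least one changed file is under an API prefix and one under a frontend prefix."""
    api = any(p.startswith(API_PREFIXES) for p in changed_paths)
    ui = any(p.startswith(FRONTEND_PREFIXES) for p in changed_paths)
    return api and ui


def shape_diff(old, new, path="$"):
    """Walk two JSON values in parallel and report structural differences only.
    Values are ignored; only key sets and value types matter, so 1 vs 2 is not
    a change but 1 vs "1" is. Each entry is (kind, path, old_type, new_type)."""
    diffs = []
    if type(old) is not type(new):
        diffs.append(("type-changed", path, type(old).__name__, type(new).__name__))
    elif isinstance(old, dict):
        for key in sorted(set(old) | set(new)):
            child = f"{path}.{key}"
            if key not in new:
                diffs.append(("removed", child, type(old[key]).__name__, None))
            elif key not in old:
                diffs.append(("added", child, None, type(new[key]).__name__))
            else:
                diffs.extend(shape_diff(old[key], new[key], child))
    elif isinstance(old, list) and old and new:
        # Arrays are compared by their first element (assumption: homogeneous arrays).
        diffs.extend(shape_diff(old[0], new[0], f"{path}[]"))
    return diffs


def is_breaking(diffs):
    """Removed fields and type changes break existing consumers; added fields
    change the documented contract but usually keep old clients working."""
    return any(kind in ("removed", "type-changed") for kind, *_ in diffs)


if __name__ == "__main__":
    for entry in shape_diff(BEFORE, AFTER):
        print(entry)
    print("breaking:", is_breaking(shape_diff(BEFORE, AFTER)))
```

On the sample payloads the walk reports the new users[].rateLimit object (the kind of change the result above flags against a "no breaking changes" claim) and a type change on total from int to str, which old clients doing arithmetic on that field would not survive. A real checker would derive the shapes from fixtures, OpenAPI schemas or recorded responses on both sides of the PR rather than from literals.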
Provides additional context beyond the confidence score. Evaluates risk patterns across the PR and generates a description when the author didn’t write one. Informational signals that help you understand the PR faster.
Risk Assessment
Evaluates PR risk based on file patterns, change size, and structural indicators. Flags high-risk changes like auth, payments, and infrastructure.
Description Generator
When a PR has no description, Vigil generates one from the diff. Ensures every PR has context before review begins.
8 signals across three layers. 6 contribute to the confidence score. 2 provide additional context — risk assessment and description suggestions.
Example verification result
This appears on every PR.
No dashboard. No separate tool. The results live where you already work — right on the pull request.
🛡️ Vigil — PR Verification: 82/100
Review recommended
Claims
✅ "Add rate limiting to API endpoints" — confirmed, rate-limiter.ts created
✅ "Add tests for rate limiter" — confirmed, rate-limiter.test.ts has 12 tests
⚠️ "No breaking changes" — GET /api/users response now includes rateLimit field
Undocumented Changes
⚠️ New dependency: ioredis — not mentioned in PR description
⚠️ Environment variable added: REDIS_URL — not documented
Impact
✅ Credentials scan clean
⚠️ Coverage gap — src/middleware/auth.ts modified but no test file covers it
✅ No breaking API changes detected
Score: 82/100 — Review recommended
Your code stays safe.
Security isn't an afterthought. Vigil was built from the ground up to keep your code and secrets protected.
Read-Only Analysis
Vigil reads your diff and PR description. It never modifies your code, never clones your repo to disk, never executes commands.
No Data Retention
Vigil reads your PR, runs the analysis, posts the results, and forgets. No code is stored on our servers.
Fork PR Protection
Fork PRs read configuration from your default branch, not from the fork. Untrusted contributors can’t inject malicious config.
Open source under MIT · Read our security docs →
Frequently asked questions
Yes. The Free tier includes all 8 signals — Claims Verifier, Undocumented Changes, Credential Scan, Coverage Mapper, Contract Checker, Diff Analyzer, Risk Assessment, and Description Generator. Unlimited repos. No credit card required.
That’s exactly what it’s built for. Whether the PR comes from Claude Code, Cursor, Devin, or a teammate — Vigil verifies the claims against the actual diff. The faster code gets written, the more you need an independent verifier.
CodeRabbit reviews code quality — style, bugs, best practices. Vigil verifies truthfulness — does the PR actually do what it says? They’re complementary. Many teams use both.
Every Vigil comment starts with a PR at a Glance line — a compact summary showing files changed, key categories, test coverage, and estimated review time. It’s designed to give you instant context before reading the full report.
When a PR has an empty or missing description, Vigil’s Description Generator automatically creates one from the diff. This ensures every PR has context for reviewers, even when the author forgot to write one.
Yes. All tiers work with private repositories. Install the GitHub App and select which repos to enable.
Vigil reads the PR title, description, and diff. No code is stored after analysis completes. Vigil never clones your repo or executes any code.
No. Vigil works out of the box with zero configuration. Optionally add a .vigil.yml file to customize scoring weights or signal behavior.
Vigil posts a GitHub Check Run. You can configure branch protection rules to require Vigil’s check to pass before merging. Scores below 50 result in a ‘failure’ check.
Currently GitHub only. GitLab and Bitbucket are being considered for the future.