AI code review that stays yours.

Merlin reviews every pull request with configurable AI — inline comments, security scans, docs generation, and an autonomous agent — without sending code to a third-party SaaS. Written in Rust 🦀 for maximum performance.

No data leaves your infra · Bring your own API key · Free forever, MIT license · 🦀 Written in Rust

github.com/you/myapp/pull/247
Open · PR #247

refactor: migrate auth to JWT tokens

+89 −42 · 3 files changed

🪄 reviewing…
src/auth/handler.rs
@@ -87,12 +87,14 @@
pub async fn handle_request(req: Request) -> Response {
+ let secret = env::var("JWT_SECRET")
+ .expect("JWT_SECRET must be set");
+ let token = decode::<Claims>(&bearer, &secret);
// validate and continue...
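Review bot: `.expect("JWT_SECRET must be set")` on the added `env::var` line turns a missing or empty variable into a panic inside `handle_request`, so a misconfigured deployment fails on the first request instead of at startup; read and validate the secret once during initialisation and have the handler return an error response if it is unavailable. The value bound by `decode::<Claims>(&bearer, &secret)` is a `Result`, so the code that follows the `// validate and continue...` comment must match on it and reject the request on `Err` before any claim is trusted.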
Merlin · High Severity

Performance: JWT secret read on every request

env::var() is called per-request. Cache via once_cell::sync::Lazy to avoid repeated env lookups under load.
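The caching fix that comment suggests, written out as an added example that is not Merlin's code or the demo PR's code: the secret is read from `JWT_SECRET` once at startup, validated, and stored in `std::sync::OnceLock`, the standard-library equivalent of the `once_cell::sync::Lazy` the comment recommends (used here so the snippet needs no external crate). `validate_secret`, `init_jwt_secret`, `handler_secret` and the 32-byte minimum are this example's own names and assumptions. Besides removing the per-request lookup, the example also moves the failure mode: a missing or weak secret is rejected when the process starts, and the handler path never panics.

```rust
// Added example, not Merlin's or the demo PR's code: read the JWT secret once
// at process start, validate it, and hand request handlers a cached reference.
// std::sync::OnceLock is used as the standard-library stand-in for the
// once_cell::sync::Lazy the review comment recommends.
use std::env;
use std::sync::OnceLock;

/// Assumed minimum secret length: an HS256 key shorter than the hash output
/// (32 bytes) weakens the MAC, so such secrets are rejected at startup.
pub const MIN_SECRET_BYTES: usize = 32;

#[derive(Debug, PartialEq)]
pub enum SecretError {
    /// JWT_SECRET is unset or empty.
    Missing,
    /// JWT_SECRET is set but shorter than MIN_SECRET_BYTES (actual length).
    TooShort(usize),
}

/// Pure validation step, separated from the environment so it is testable.
pub fn validate_secret(raw: Option<String>) -> Result<Vec<u8>, SecretError> {
    let value = match raw {
        Some(v) if !v.is_empty() => v,
        _ => return Err(SecretError::Missing),
    };
    let bytes = value.into_bytes();
    if bytes.len() < MIN_SECRET_BYTES {
        return Err(SecretError::TooShort(bytes.len()));
    }
    Ok(bytes)
}

/// Process-wide cache; written once by init_jwt_secret(), read by handlers.
static JWT_SECRET: OnceLock<Vec<u8>> = OnceLock::new();

/// Called once from main(). A bad configuration fails here, at startup,
/// with a typed error instead of panicking inside a request handler.
pub fn init_jwt_secret() -> Result<(), SecretError> {
    let bytes = validate_secret(env::var("JWT_SECRET").ok())?;
    // set() errs only if already initialised; the first value wins either way.
    let _ = JWT_SECRET.set(bytes);
    Ok(())
}

/// What handle_request() calls instead of env::var(): no environment lookup,
/// no panic. Missing initialisation surfaces as an error the handler can map
/// to a 500 response.
pub fn handler_secret() -> Result<&'static [u8], SecretError> {
    JWT_SECRET.get().map(Vec::as_slice).ok_or(SecretError::Missing)
}

fn main() {
    if let Err(e) = init_jwt_secret() {
        eprintln!("fatal: JWT_SECRET rejected: {e:?}");
        std::process::exit(1);
    }
    // Every request now reuses the cached bytes.
    match handler_secret() {
        Ok(secret) => println!("secret cached once ({} bytes); handlers reuse it", secret.len()),
        Err(e) => eprintln!("unexpected: {e:?}"),
    }
}
```

Run with `JWT_SECRET` set to a value of at least 32 bytes; with it unset or too short the process exits at startup with the typed error, which is the behaviour the per-request `.expect` in the PR would otherwise only show under live traffic.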

Security: clean · 2 warnings · 0 critical
Fix →

19 slash commands

6 AI providers

5+ Git platforms

Rust 🦀 · Blazing fast

Works with
GitHub · GitLab · GitLab Self-Hosted · Bitbucket · Azure DevOps · Gitea
How it works

From push to reviewed in seconds

No dashboard. No signup. No data leaving your infra.

01 · Add to CI (5 minutes)

Drop a single GitHub Actions step (or GitLab CI job). No server to run, no signup required.

02 · Open a PR (automatic)

Merlin triggers automatically. It reviews the diff in parallel chunks and posts inline comments sorted by severity.

03 · Ship confidently (every PR)

Bugs caught, docs generated, tests suggested. Every PR reviewed as if your best engineer was watching.

Everything you need, nothing you don't

One binary. Drop it in any CI pipeline. Your code never leaves your infrastructure.

Inline PR comments

AI posts file- and line-level comments directly on the PR — bugs, security, style, and performance — sorted by severity.

6 AI backends

Claude, GPT-4o, Gemini, Bedrock, Ollama, Claude Code CLI. Swap providers with one config line. No vendor lock-in.

Security scanning

OWASP top-10 analysis, secret detection, and Snyk dependency scanning via the /security and /snyk commands.

Concurrent reviews

Tokio fan-out — diff chunks reviewed in parallel. Large PRs finish in seconds, not minutes.

Webhook bot mode

Run merlin webhook and let GitHub/GitLab trigger commands when someone comments @merlin /review on any PR.

Reflect & Review

Optional second AI pass removes false positives, merges duplicates, and corrects severity before comments are posted.

Live demo

See Merlin in action

Every feature, running live. Click any tab or watch it cycle automatically.

Code Review

Inline PR comments, ranked by severity

AI reviews every diff chunk in parallel — bugs, security, style, and performance — posting inline comments sorted by severity with actionable fix suggestions.

merlin /review
Code Review
$ merlin review
→ Fetching PR #247 diff (3 files, +89 −42)
→ Splitting into chunks and reviewing in parallel...
 
src/auth/handler.rs
⚠ HIGH L87 JWT secret read on every request
Fix → Cache via once_cell::sync::Lazy<>
 
src/db/pool.rs
⚠ MED L34 Connection pool unbounded
Fix → pool_max_size = 20 in config
 
✓ LOW L102 unused import `std::io`
 
✓ 3 inline comments posted · finished in 4.1s
Reflect pass removed 0 false positives

Built for everyone

Open source at heart.
Enterprise-ready by design.

Solo devs, startups, regulated banks, air-gapped defence labs — Merlin runs identically everywhere. One binary, zero telemetry, infinite control.

12 MB binary size
MIT license
0 outbound SaaS calls
5+ platforms supported
~$2/mo token cost (10 devs)
FREE FOREVER

Open Source

For developers, startups & OSS teams

Written in Rust

12 MB static binary — no runtime, no Docker required.

MIT License

Fork it, modify it, ship it. No contributor agreements.

Self-hosted

Your source code never leaves your own servers. Ever.

BYOK

Your API key, your bill. No Merlin account needed.

Estimated monthly cost for 10 engineers

~$2 – $5

AI token usage only — no per-seat fee, ever

Deploy in 5 minutes
AIR-GAP READY

Enterprise & Corporate

For teams with compliance & security needs

GitLab Self-Hosted

First-class support for on-prem GitLab EE & CE instances.

Audit trails

Every AI call logged locally — HIPAA / SOC2 friendly.

Custom review rules

Org-wide coding standards enforced on every PR, every team.

Full air-gap mode

Ollama + local Qdrant = 100% offline, zero external calls.

Compliance-friendly by default

GitLab Self-Hosted · Air-gap mode · BYOK · MIT License · Local audit logs · Zero telemetry
Read deployment guide
19 commands

Slash commands, out of the box

Trigger from a PR comment, a CI step, or the autonomous agent.

/review: Full inline code review
/describe: Auto-generate PR title & description
/ask: Q&A about the diff
/improve: Inline code suggestion blocks
/generate_labels: Auto-label the PR
/update_changelog: Prepend CHANGELOG entry
/add_doc: Generate missing docstrings
/similar_issue: Find related open issues
/test: Generate unit tests
/explain: Plain-language walkthrough
/security: OWASP + secret detection scan
/approve: AI-assisted review verdict
/commit_message: Generate commit messages
/docs: Docs (readme/api/adr/wiki)
/snyk: Snyk dependency scan
/coverage: Test coverage analysis
/link_jira: Link related Jira issues
/link_linear: Link related Linear issues
/triage: CodeTriage issue search
RAG Pipeline

Context-aware reviews
from your own codebase

Merlin indexes your codebase and past review comments into a vector store. Before every AI call, relevant snippets are retrieved and injected into the prompt — so the AI knows your conventions, past issues, and architectural patterns.

Embeddings run locally via Ollama — no embedding API cost. Five vector store backends to match any infrastructure.

local (no infra): Zero setup, flat file

memory (no infra): Ephemeral, great for tests

qdrant (Docker): Self-hosted production DB

chroma (Docker): Open-source alternative

pinecone (cloud): Managed cloud vector store

merlin.toml
# Enable context-aware reviews
[rag]
enabled     = true
store       = "qdrant"     # or "local"
embed_model = "nomic-embed-text"
top_k       = 5
min_score   = 0.70
terminal
# One-time setup
$ ollama pull nomic-embed-text
$ docker run -p 6333:6333 qdrant/qdrant
$ merlin rag index .

# Reviews now have full codebase context
$ merlin review
merlin agent
$ merlin agent
🪄 Merlin Agent v0.1 — ready

> review the PR, run security scan, and approve if clean

Thought: Start with review, then security...
→ Tool: review      ✓ 2 warnings
→ Tool: security    ✓ 0 critical
→ Tool: rag_search  ✓ conventions matched
→ Tool: approve     ✓ PR #247 approved

Done. No critical issues found. PR approved.
Autonomous Agent

Reason. Act. Observe.
Repeat.

Merlin's ReAct-loop agent plans multi-step tasks autonomously. Give it a goal and it selects tools, observes results, and iterates until done.

All 19 slash commands available as tools, plus rag_search, post_comment, and get_pr_info.

CLI REPL

Interactive terminal session

Slack

Mention @merlin in any channel

Discord

Mention @Merlin to trigger tasks

Single-shot CI

merlin agent --task "..." (non-interactive)

Model-agnostic

Bring your own model.

Switch AI backends with one config line. No lock-in, ever.

Anthropic Claude

claude-sonnet-4-6

provider = "anthropic"

OpenAI GPT-4o

gpt-4o-mini

provider = "openai"

Claude Code CLI

No API key needed

provider = "claude-code"

Google Gemini

gemini-2.0-flash

provider = "gemini"

AWS Bedrock

claude-3-5-sonnet

provider = "bedrock"

Ollama (local)

100% private, free

provider = "ollama"

Why Merlin?

The only AI reviewer you fully own.

Every other tool phones home to a SaaS cloud. Merlin runs entirely inside your infrastructure — no seat fees, no data sharing, no vendor lock-in.

Legend: Fully supported · ~ Partial / Enterprise tier · Not available
Columns: Merlin (you are here) · Qodo Merge (qodo.ai) · CodeRabbit (coderabbit.ai) · GitHub Copilot (code review add-on) · Sourcery (sourcery.ai)

Self-hosted / air-gap: Run 100% inside your own infra, no outbound SaaS calls · ~ ~
Bring Your Own Key: Use your own API key — vendor never sees your code · ~
Open source (MIT): Full source available, fork & self-host freely · ~
GitLab Self-Hosted: Works with on-prem GitLab EE/CE instances · ~ ~
Written in Rust: Single binary, <30 MB, minimal CPU/RAM footprint
6+ AI providers: Claude, GPT-4o, Gemini, Bedrock, Ollama, Claude Code CLI · ~
19 slash commands: /review, /security, /test, /improve, /agent and 14 more · ~ ~
RAG codebase context: Semantic search over your entire repo at review time · ~ ~
Autonomous agent mode: ReAct loop — multi-step tasks across files & PRs · ~ ~
Free forever: No seat licenses, no monthly subscription · ~ ~ ~
🔒 Zero data egress

Your source code never leaves your servers. Perfect for regulated industries — finance, healthcare, defence.

🦀 Rust performance

Single static binary. Boots in milliseconds, reviews a 1 000-line diff in under 10 seconds. Runs on a $5 VPS.

🔑 BYOK economics

Pay your AI provider at cost. No per-seat tax. A 10-engineer team spends ~$2–5/month on tokens.

Social proof

Trusted by engineers
who ship.

What teams are saying about Merlin.

via GitHub

Merlin caught a JWT secret being read on every request in our auth service. Would've killed us in prod. The OWASP scanning is genuinely sharp.

Sarah Chen

Staff Engineer · Series B fintech

via GitLab

We run 400+ PRs a month. Merlin reviews every single one in parallel — finishes before a human would even open the tab. Incredible for velocity.

Marcus Völler

Engineering Lead · DevTools startup

via GitHub

The RAG pipeline is the killer feature. It knows our coding conventions because we trained it on our own codebase. No SaaS can do that.

Priya Nair

Principal Engineer · Enterprise OSS team

Up and running in 60 seconds

Works on GitHub, GitLab (cloud + self-hosted), Bitbucket, Azure DevOps, and Gitea.

1. GitHub Actions

.github/workflows/review.yml
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  merlin-review:
    runs-on: ubuntu-latest
    permissions:
      # listing any permission sets the unlisted ones to none, so checkout
      # needs contents: read spelled out alongside pull-requests: write
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - run: |
          curl -L .../merlin-linux-amd64 -o merlin
          chmod +x merlin && ./merlin review
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

2. GitLab CI (cloud + self-hosted)

.gitlab-ci.yml
merlin-review:
  image: ubuntu:22.04
  script:
    # the ubuntu:22.04 image ships without curl, so install it first
    - apt-get update -qq && apt-get install -y -qq curl ca-certificates
    - curl -L .../merlin-linux-amd64 -o merlin
    - chmod +x merlin && ./merlin review
  variables:
    GITLAB_TOKEN: $GITLAB_TOKEN
    ANTHROPIC_API_KEY: $ANTHROPIC_API_KEY
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

GitLab Self-Hosted

Works with on-premise GitLab instances. Set GITLAB_URL=https://gitlab.company.com and configure your runner as normal.

Free forever · MIT License · No account required · Written in Rust 🦀

Ready to ship
better code?

Merlin is free, open-source, and takes under 5 minutes to add to any CI pipeline — GitHub, GitLab (cloud & self-hosted), Bitbucket, Azure DevOps, and Gitea. Your code never leaves your infrastructure.