Using the DeepStack CodeWarden (Beta)
The DeepStack CodeWarden automatically reads the changes in a pull request and leaves a comment pointing out bugs, error handling gaps, security issues, and other problems it finds. Reviews are AI-generated and may contain inaccuracies — always use your own judgment. It reviews the following file types:
| Language | Extensions |
|---|---|
| Go | .go |
| Python | .py |
| PHP | .php |
| C | .c |
| C++ | .cpp |
| Java | .java |
| Ruby | .rb |
| Kotlin | .kt |
| Swift | .swift |
| TypeScript | .ts |
| JavaScript | .js |
| React (TSX) | .tsx |
| React (JSX) | .jsx |
| Rust | .rs |
| Dockerfile | Dockerfile, Dockerfile.*, *.dockerfile |
| Docker Compose | docker-compose*.yml/yaml, compose.*.yml/yaml |
| Shell | .sh |
| SQL | .sql |
| YAML | .yml, .yaml |
Files of other types are ignored.
Installation
- Go to github.com/apps/deepstack-codewarden
- Click Install
- Choose whether to install it on your entire account or on specific repositories
That's all. No configuration files, no changes to your code, nothing else to set up.
How it works
Whenever someone opens or updates a pull request in a repository where the app is installed, the agent reads the changed files and posts a comment on the pull request. The comment summarises any serious issues found, with each issue tagged as [CRITICAL], [WARNING], or [NOTE].
In addition to the summary comment, the agent posts inline review comments directly on the lines where issues were found, so you can see each problem in context without scrolling through the full summary.
If a pull request contains no supported file types, the agent does nothing.
For draft pull requests (or PRs with "WIP" in the title), the agent applies softer feedback and reports only critical issues.
On-demand review
You can trigger a fresh review at any time by commenting /review on a pull request. This is useful after you've addressed feedback and want the agent to take another look. The agent will react with a 👀 to acknowledge your request, then run a full review of the current PR state — even if the latest commit was already reviewed.
Customising the review
You can tailor the agent's focus for a specific repository by adding a .code-review.md file to the root of that repository. The agent will read it and apply the instructions to every PR it reviews in that repo.
For example:
This service handles payment processing. Flag any logging of card numbers,
CVVs, or PII as CRITICAL. Treat all SQL string concatenation as CRITICAL
regardless of context.
Or:
This is an internal tooling repo — ignore network security concerns.
Focus on correctness and error handling only.
There is no required format or schema. Write plain instructions in whatever way is clearest. If the file is absent, the agent uses its default review behaviour.
Severity threshold
If you find NOTE-level issues too noisy, you can add a severity: directive to .code-review.md to raise the minimum severity the agent reports:
severity: WARNING
| Directive | What gets reported |
|---|---|
| severity: NOTE (default) | CRITICAL, WARNING, and NOTE |
| severity: WARNING | CRITICAL and WARNING only |
| severity: CRITICAL | CRITICAL only |
The directive must appear on its own line. You can combine it with freeform instructions:
severity: WARNING
This service handles payment processing. Flag any logging of card numbers,
CVVs, or PII as CRITICAL.
When a non-default threshold is active, the review comment includes a banner noting the configured level.
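A mistyped or misplaced directive is easy to miss in a freeform file, so a pre-merge lint of .code-review.md against the rules above can help. The following is an added example, not DeepStack's own code; the function name lint_review_config, the exact-match parsing, and the fallback to the default on an invalid directive are assumptions.

```python
import re

# Levels named on this page, lowest to highest.
LEVELS = ["NOTE", "WARNING", "CRITICAL"]
DEFAULT = "NOTE"

# Assumption: a valid directive line is exactly "severity: <LEVEL>", ignoring
# surrounding whitespace. The page only says it must be on its own line.
OWN_LINE = re.compile(r"^\s*severity:\s*(\S*)\s*$")
INLINE = re.compile(r"\bseverity:\s*\S+")


def lint_review_config(text):
    """Return (threshold, reported_levels, problems) for .code-review.md text."""
    problems, found = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = OWN_LINE.match(line)
        if m:
            if m.group(1) in LEVELS:
                found.append((lineno, m.group(1)))
            else:
                problems.append(f"line {lineno}: {m.group(1)!r} is not a documented level")
        elif INLINE.search(line):
            problems.append(f"line {lineno}: directive is not on its own line")
    if len(found) > 1:
        # Which one the agent honours is not documented; flag it for a human.
        problems.append("multiple severity directives on lines "
                        + ", ".join(str(n) for n, _ in found))
    # Assumption: with no valid directive the documented default applies.
    threshold = found[0][1] if found else DEFAULT
    return threshold, LEVELS[LEVELS.index(threshold):], problems


if __name__ == "__main__":
    # Constructed sample: a misspelt level plus a directive buried in a sentence.
    sample = "severity: WARN\nTreat SQL concatenation as severity: CRITICAL.\n"
    threshold, reported, problems = lint_review_config(sample)
    print("effective threshold:", threshold, "reports:", reported)
    for p in problems:
        print("problem:", p)
```

Running it in CI on changes to .code-review.md surfaces a threshold change or a broken directive before it silently alters what the reviewer reports.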
Usage limits
The agent operates on a freemium model. Each organization gets a monthly allowance of reviews and tokens. If your organization exceeds its quota, the agent will post a comment on the PR explaining the limit and how to request an upgrade instead of running the review.
Organizations on the Pro tier have no usage limits. Contact the administrator (shown in the quota-exceeded comment) to upgrade your organization.
Removing it
Go to your GitHub account settings → Applications → Installed GitHub Apps, find DeepStack CodeWarden, and click Configure to remove it from specific repositories or uninstall it entirely.