PASSR Logo PASSR
PASSR PASSR
Performance + Availability + Security + Scalability

Recursive Code Review.
Continuous Quality.

PASSR monitors every pull request and commit via webhooks and CI/CD hooks - flagging issues across 8 dimensions the moment code lands. Structured findings flow into a unified portal for team-wide tracking and resolution.

Join Closed Beta See How It Works
Works with All Git providers
PASSR
bloggr/backend $ git push origin feat/auth-refactor
Enumerating objects: 8, done.
Counting objects: 100% (8/8), done.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (8/8), 2.34 KiB | done.
To github.com:bloggr/backend.git
a1b2c3d..f4e5d6c feat/auth-refactor
Branch set up to track origin/main.
PASSR webhook triggered - agent starting
PR #142 opened · feat/auth-refactor → main · 3 files
PASSR Agent v2.1
Initializing review pipeline...
Repository: bloggr/backend
Commit: f4e5d6c · 3 files · +89 −12
PR #142: feat/auth-refactor → main
Ruleset: passr-default v3 loaded
Loading 8 review dimensions...
Security Performance Availability Scalability Architecture Quality Error Handling Testing
Scanning 3 files · 247 lines ● Live
Security
2 ⚠
Performance
1 ⚠
Availability
Scalability
1 ⚠
Architecture
1 ⚠
Quality
Error Hdlg
Testing
1 ⚠
6 issues · 5 dimensions 5 fixes ready
Security · CriticalApply fix ↗

SQL injection via raw query concatenation - line 12

Performance · HighApply fix ↗

N+1 query in auth loop - use Promise.all

Scalability · MediumApply fix ↗

Unbounded result set - missing pagination on line 34

Review complete · 2.4s
+3 more in portal →

The Platform

What is PASSR?

PASSR is Flytebit's engineering intelligence platform that monitors every pull request and commit automatically - flagging issues across 8 dimensions the moment code lands, and surfacing structured findings in a unified portal for team-wide tracking.

The Recursive in the name is deliberate - not a one-time snapshot, but an always-running feedback loop.

Performance
·
Availability
·
Security
·
Scalability
+
Recursive
PR Agent

Autonomous Background Review

  • Reviews every PR and commit the moment code lands - no manual trigger
  • 8-dimension taxonomy: Performance, Availability, Security, Scalability - plus architecture, error handling, code quality, and observability
  • Zero developer action required - triggered by webhooks and CI/CD hooks
  • Every issue ships with a ready-to-apply fix - description, impact, and suggested code
PASSR Portal

Unified Engineering Portal

  • Cross-repo visibility - track issues, fix rates, and trends across all repositories
  • Live dashboards - severity distribution, category breakdown, and PR timelines
  • Full lifecycle tracking - every review run, issue, fix, and decision preserved
  • Merge protection - automatically block PRs with open critical issues

No setup friction. No dashboard to check. No noise - just the signal your engineering team needs.

The Problem

The Code Review Gap

Most issues are too subtle, too numerous, or buried in commits that never get looked at. Meanwhile, the cost of finding them in production is 10-100x higher.

80% of commits get no dedicated review
10-100x cost to fix in production vs at review
2-5 days average PR cycle without automation
Without PASSR
2-5 days PR open → merge

Commit with SQL injection lands unreviewed

Standalone commits are never reviewed. Vulnerability enters the PR silently.

Reviewer is busy - skims the diff

Subtle vulnerability missed. PR approved. Code ships to production.

Bug surfaces in production

Emergency patch, incident retro, post-mortem. Cost: 10-100x the original fix.

No audit trail, no trend data

Engineering leaders have zero visibility into what was missed or why.

With PASSR
< 60 min PR open → merge

Commit pushed - PASSR reviews in seconds

Webhook triggers recursive analysis across all 8 dimensions instantly.

Fix posted as inline comment with exact code

Issue, impact, and ready-to-apply replacement code — right in the PR.

Developer applies fix - PASSR re-reviews

Only changed files re-analyzed. Issue auto-resolved in the portal.

PR merges with full audit trail

Every review run, issue, fix, and decision stored in the PASSR portal.

Why It Matters

AI is shipping code faster thananyone can review it.

Vibe coding is real. Developers are shipping 40-55% more code per week with AI tools. The review process has not kept up - and the gap is widening with every sprint.

78%

of developers now use or plan to use AI coding tools in their workflow

Stack Overflow Developer Survey 2024 →
55%

more code written per week by developers using GitHub Copilot

GitHub Octoverse 2024 →
26%

increase in global PR volume year-over-year as AI tools accelerate output

GitHub Octoverse 2024 →

AI coding assistants are everywhere. Every team is shipping faster. But the DORA 2024 report is unambiguous: faster shipping without smarter review is not delivering better software - it's just delivering more of it, faster, with the same blind spots.

PR volume is up. Review thoroughness is down. The math is brutal.

2024 DORA Accelerate State of DevOps Report →
And that's only half the problem

AI-generated code creates review problems manual review was never built for.

The issues AI code introduces are subtle, high-volume, and architecturally complex. Human reviewers - already stretched - miss them at higher rates than ever.

Confident-looking, logically flawed

AI-generated code passes linters, follows style guides, and looks perfectly clean. The vulnerabilities hide in business logic, not syntax - exactly what automated style tools miss entirely and what reviewers under time pressure routinely skip over.

PASSR checks logic, not just style - security, performance, and correctness across 8 dimensions on every single commit.

No awareness of your architecture

AI tools generate code that works in isolation. They have no knowledge of your system's constraints, prior architectural decisions, or the failure modes specific to your stack. Reviewers need to catch this - and increasingly don't.

PASSR's architecture and scalability checks flag integration risks, coupling issues, and patterns that break under your system's real-world conditions.

Volume overwhelms human reviewers

When developers write 55% more code per week, PRs grow in both size and frequency. Reviewers approve faster just to keep pace. Every skipped or skimmed review is an open window for AI-generated bugs to ship to production completely undetected.

PASSR never skips, never skims, and never gets review fatigue - every PR gets the same depth of analysis regardless of size or frequency.

No traceability when it goes wrong

AI-assisted development produces code faster with less institutional memory. When a production incident occurs, teams cannot trace which commit introduced it, what was reviewed, or what the AI generated versus what was human-written.

PASSR creates a complete audit trail - every review, every issue, every fix - with full traceability across the PASSR portal.

AI coding tools are not going away.

The teams that win are the ones that pair AI output with AI-grade review.

The Dimensions

Three scanners. Eight dimensions.

Every PR and commit passes through three purpose-built AI scanners - security, architecture, and quality - run automatically on every push with no developer action required.

Security Scanner · Full OWASP A01–A10
Architecture Scanner · Structure · Resilience · Availability · Observability
Quality Scanner · READABILITY · KISS · DRY · YAGNI
Production Impact

Performance

High
  • N+1 queries in ORM loops - one DB call per record in a result set
  • SELECT * where only specific columns are needed
  • No pagination on list endpoints returning unbounded result sets
  • and many more patterns detected

Impact

API latency spikes under load. Database CPU pinned. A single unbounded query causes OOM on a 1M-row table.

PASSR

Batched queries, JOIN replacements, pagination guards, task queue deferral, and cache-aside patterns with estimated impact per fix.

Availability

High
  • No circuit breaker - one slow dependency takes down the whole system
  • Retry without exponential backoff causing thundering-herd storms
  • External HTTP, DB, and cache calls with no timeout set
  • and many more patterns detected

Impact

A single unprotected downstream call under load exhausts thread pools and takes the service offline.

PASSR

Pattern-based recommendations: circuit breaker, bulkhead isolation, bounded thread pools, exponential backoff with jitter.

Security

Critical
  • Full OWASP A01–A10 coverage on every commit
  • SQL, command, template, and header injection
  • Broken access control and IDOR - user A accessing user B's data
  • and many more patterns detected

Impact

Exploits ship silently. PASSR flags CWE-89, CWE-798, CWE-306, and 50+ additional CWEs before the branch merges.

PASSR

CWE-mapped findings with confidence levels and semantic analysis that catches novel patterns no rule-based tool has a signature for.

Scalability

High
  • Long-running work (image processing, webhook delivery) blocking request threads
  • Fire-and-forget threads with no retry, persistence, or failure visibility
  • Background jobs with no dead letter queue or max retry limit
  • and many more patterns detected

Impact

Horizontal scaling blocked. A process restart silently loses queued work with no visibility into failures.

PASSR

Task queue deferral (Celery, BullMQ, Sidekiq), fire-and-forget supervision, distributed cache-aside, stateless session migration.

Correctness & Maintainability

Architecture

Medium
  • Fat route handlers - business logic, data access, and formatting in one function
  • Repository pattern absent - SQL queries written directly inside controllers
  • Service layer absent - orchestration logic scattered across routes and views
  • and many more patterns detected

Impact

Code becomes untestable in isolation. A single rename requires edits across 8+ files. Breaking API changes have no safe migration path.

PASSR

Extract repository and service layers, RESTful route renaming, version prefix introduction, unified error schema pattern.

Error Handling

High
  • Swallowed exceptions (except: pass, catch(e){}) - failures disappear silently
  • Multiple related writes with no transaction wrapper - partial updates corrupt state
  • Non-idempotent mutations with no idempotency key - double charges, duplicate emails
  • and many more patterns detected

Impact

Silent data corruption. Duplicate financial operations. Raw stack traces exposed to end users on every unhandled failure.

PASSR

Centralized error middleware, transaction boundary wrappers, idempotency key guards, error classification by type (user / transient / fatal).

Code Quality

Medium
  • READABILITY - cryptic names (x, tmp, obj), boolean params that silently flip behaviour
  • KISS - over-engineered abstractions where 5 lines would suffice
  • DRY - copy-paste validation logic repeated across routes instead of a shared validator
  • and many more patterns detected

Impact

Unreadable code compounds onboarding time. Duplicated logic means bugs get fixed in one place and re-emerge in three others.

PASSR

Principle-tagged findings (READABILITY / KISS / DRY / YAGNI / CODE_SMELL) with a concrete refactor suggestion and effort estimate per issue.

Observability

Medium
  • Unstructured logging - print() and interpolated strings instead of a structured logger
  • No request/response logging middleware - method, path, status, duration not recorded
  • No correlation or trace ID propagated across service calls
  • and many more patterns detected

Impact

Production debugging starts from scratch after every incident. Distributed traces become 6 hours of log grepping.

PASSR

Structured logger adoption, request logging middleware, correlation ID injection, log level normalisation, metric emission hooks on critical paths.

PASSR Portal

Every finding flows into one place

Cross-repo dashboards, fix-rate tracking, severity trends, token usage, and PR timelines - all in the PASSR portal. Because fix rate is the metric that actually matters.

Auto PR Labels

feature, bugfix, security, breaking-change applied instantly on every PR open

Incremental Re-Review

Only changed files re-analyzed. Fixed issues auto-resolve with the commit SHA.

Per-Issue Chat

Developers reply to any finding. Context-aware answers scoped to the exact file and function.

Merge Protection

Block PRs with open critical issues. Auto-generate changelogs on merge.

How It Works

From webhook to resolution in five steps.

Zero workflow change. Connect once and every push is reviewed automatically — no CI edits, no config files, no developer action required.

01

Connect

Point PASSR at your repository. GitHub and Gitea supported natively. A webhook and CI hook are registered automatically — no code changes, no config files, no pipeline edits.

Connect repository
github.com/yourorg/repo
gitea.yourserver.io/...
push pull_request webhook ✓
02

Review

Core Engine

Every PR open and every commit push triggers an autonomous review. Three purpose-built AI scanners run in parallel — security, architecture, and quality — across all changed files.

PR #142 · scanning
Security
running
Architecture
running
Quality
queued
AST parsing · GPT-4o · LLMProxy
03

Surface

Findings post inline as GitHub or Gitea review comments. Each issue is a complete resolution package: a plain-language description, the concrete impact if unfixed, and a ready-to-apply code fix.

Issue · Security · CWE-89
CRITICAL SQL injection via unsanitized user_id
Impact Full DB read for any authenticated user
Fix cursor.execute(q, (user_id,))
Apply suggestion ↵
04

Track

Every finding flows into the PASSR portal. Cross-repo dashboards show fix rates, severity trends, category breakdowns, and full PR timelines. Nothing is ever lost or duplicated.

PASSR Portal · 3 repos
PRs reviewed1,247
Issues flagged3,891
Fix rate (30d)78%
Critical open2
05

Resolve

Push a fix and the issue auto-closes. Open critical issues block merges via Close Guard. Merge the PR and a changelog entry is generated automatically.

PR #142 · main ← feature/auth
3 issues resolved on last push
Critical open: 0
Close Guard: merge allowed
Merge pull request
changelog entry generated ✓
Recursive - every push triggers a new review cycle automatically

The Results

What changes when every PR is reviewed.

From slow, inconsistent reviews to continuous automated quality. The numbers speak for themselves.

40% Faster PR-to-merge Automated first-pass in minutes
30% Fewer post-merge bugs Caught before human review
8 Review dimensions Same taxonomy every PR
85%+ PR label accuracy Zero manual labeling effort

Ship Faster

Automated first-pass review fires in minutes. Human reviewers focus on architecture and business logic - not boilerplate catches.

Hours waiting for review feedback Instant inline feedback on every push

Catch Bugs Early

Security vulnerabilities, null dereferences, and performance issues flagged before a human reviewer ever opens the diff.

Bugs discovered in production Issues caught at commit and PR open time

Consistent Standards

The same rigorous 8-dimension review on every PR, every commit, regardless of reviewer fatigue, sprint pressure, or team size.

Review quality varies by reviewer Uniform standards across all repos

Zero Workflow Change

PASSR runs silently behind your existing Git workflow. No new tools, no new meetings, no developer re-training required.

New tools → new processes → pushback Invisible agent, zero adoption friction

Full Visibility

Engineering leaders get a live cross-repo view: fix rates, severity trends, category breakdowns, and full PR timelines - all in one portal.

"We do code review" is not a metric Fix rate dashboards across every repo

Cost-Effective & Private

Any LLM via LLMProxy - OpenAI, Anthropic, Groq, or self-hosted Ollama. Your code never leaves your infrastructure.

Expensive per-seat SaaS, data leaves infra Self-host with full model and data control

FAQ

Common questions.

Everything you need to know before requesting beta access.

What is PASSR?

PASSR is an engineering intelligence platform that autonomously reviews every pull request and commit the moment it lands. Three purpose-built AI scanners - Security, Architecture, and Quality - run in parallel across 8 dimensions. Findings post inline as review comments with a description, impact, and a ready-to-apply code fix. Everything flows into the PASSR portal for tracking and reporting.

How long does setup take?

Under two minutes. Point PASSR at your repository, register the webhook, and it starts reviewing. No code changes, no pipeline edits, no new tools for your developers to learn.

What Git platforms are supported?

All Git platforms are supported. Both PR reviews and commit-level reviews are supported.

What LLMs does PASSR use?

Any model you choose via LLMProxy - OpenAI (GPT-4o, GPT-4), Anthropic Claude, Groq, or any OpenAI-compatible endpoint including self-hosted models like Ollama or vLLM. You bring your own key; PASSR never calls an LLM on your behalf without your credentials.

Is my code sent to third parties?

Only if you configure a third-party LLM (e.g. OpenAI). If you self-host with Ollama or vLLM, your code never leaves your infrastructure. PASSR itself is self-hostable via Docker - you control the full stack.

How is PASSR different from GitHub Copilot or CodeRabbit?

Copilot is an in-editor autocomplete tool, not a review agent. CodeRabbit and similar tools run a single general-purpose scan. PASSR runs three dedicated scanners (Security, Architecture, Quality) covering 8 specific dimensions, supports self-hosting with any LLM, provides a cross-repo visibility portal, auto-closes issues on fix, and blocks merges on critical open issues via Close Guard.

What programming languages are supported?

PASSR uses tree-sitter AST parsing for deep structural analysis and LLMs for semantic review. The AST layer supports Python, JavaScript, TypeScript, Go, Rust, Java, C, C++, Ruby, and more. The LLM layer works with any language. There are no language restrictions.

Can PASSR block a merge?

Yes. Close Guard integrates with your repository's branch protection rules. When critical severity issues remain open on a PR, the status check fails and the merge is blocked. It unblocks automatically once the issues are resolved.

Is PASSR available now?

PASSR is currently in closed beta. Request access via the form on this page and we'll reach out within 24 hours to set up your environment.

Closed Beta

Your next PR is reviewed.Or it isn't.

Join engineering teams already shipping faster with fewer bugs, consistent standards, and full code quality visibility - from the first push.

40% faster PR-to-merge
30% fewer post-merge bugs
8 review dimensions per PR
Request Beta Access

No commitment. We'll reach out within 24 hours.