PR-Agent is an open-source tool to help efficiently review and handle pull requests. Qodo Merge is a paid version of PR-Agent, designed for companies and teams that require additional features and capabilities.
This document describes the security policy of PR-Agent. For Qodo Merge's security policy, see here.
When using PR-Agent with your OpenAI (or other LLM provider) API key, the security relationship is directly between you and the provider. We do not send your code to Qodo servers.
Types of self-hosted solutions:
- Locally
- GitHub integration
- GitLab integration
- BitBucket integration
- Azure DevOps integration
This section outlines which versions of PR-Agent are currently supported with security updates.
For the most recent updates, use our latest Docker image which is automatically built nightly:
uses: qodo-ai/pr-agent@mainFor a fixed version, you can pin your action to a specific release version. Browse available releases at: PR-Agent Releases
For example, to github action:
steps:
- name: PR Agent action step
id: pragent
uses: docker://codiumai/pr-agent:0.26-github_actionFor maximum security, you can specify the Docker image using its digest:
steps:
- name: PR Agent action step
id: pragent
uses: docker://codiumai/pr-agent@sha256:14165e525678ace7d9b51cda8652c2d74abb4e1d76b57c4a6ccaeba84663cc64We take the security of PR-Agent seriously. If you discover a security vulnerability, please report it immediately to:
Email: [email protected]
Please include a description of the vulnerability, steps to reproduce, and the affected PR-Agent version.