by DavidYoussef
134 days ago
The benchmark measures whether a tool finds known bugs. That's useful but it's the wrong question for most teams in 2026. The question auditors actually ask isn't "did your tool catch this bug?" It's "can you prove this change was reviewed, by whom, and that the code didn't change between review and merge?" None of the tools benchmarked here produce verifiable evidence. They produce comments.

A green checkmark on a PR tells you someone clicked a button. It doesn't tell you what they saw, whether the diff changed after review, or what risk level the change carried.

We took a different approach: instead of building another AI reviewer, we built a governance layer that wraps whatever review process you already use. Every PR gets a cryptographically sealed evidence bundle -- the exact diff, risk tier (L0-L4), findings, and a SHA-256 hash chain. Verifiable offline with one command.

Open source, Apache 2.0. https://github.com/DNYoussef/codeguard-action

Not a replacement for code review tools. An audit trail for them.
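To make the "evidence bundle with a hash chain" idea concrete, here is an added example of the mechanism the comment describes: a diff, its risk tier, findings and a reviewer record are appended to a SHA-256 hash chain, and an offline verifier recomputes every link and then checks that the diff hash recorded at review time is the diff hash recorded at merge time. This is illustrative code written for this page, not code from codeguard-action, whose actual bundle format, event names and CLI are not described here; the event kinds, field names and the sample diff are all constructed for the example. A plain hash chain proves integrity relative to a trusted head hash; proving who produced it would additionally require signing the head, which this example omits.

```python
import hashlib
import json

# Constructed sample inputs for the example (not from any real PR).
SAMPLE_DIFF = """--- a/auth.py
+++ b/auth.py
@@ -10,3 +10,3 @@
-    return token == stored
+    return hmac.compare_digest(token, stored)
"""
SAMPLE_FINDINGS = [{"id": "timing-compare", "severity": "medium"}]
GENESIS = "0" * 64  # prev-hash of the first event in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so a record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_event(chain: list, kind: str, payload: dict) -> dict:
    """Append an event whose hash covers the previous event's hash (the chain link)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"kind": kind, "prev": prev, "payload": payload}
    event = dict(body, hash=sha256_hex(canonical(body)))
    chain.append(event)
    return event


def build_bundle(diff: str, risk_tier: str, findings: list, reviewer: str) -> dict:
    """Seal the diff, then record findings and the review against that exact diff hash."""
    chain = []
    diff_hash = sha256_hex(diff.encode())
    append_event(chain, "diff_sealed", {"diff_sha256": diff_hash, "risk_tier": risk_tier})
    append_event(chain, "findings_recorded", {"findings": findings})
    append_event(chain, "review_recorded",
                 {"reviewer": reviewer, "reviewed_diff_sha256": diff_hash})
    return {"diff": diff, "chain": chain}


def record_merge(bundle: dict, merged_diff: str) -> None:
    """At merge time, record the hash of what is actually being merged."""
    append_event(bundle["chain"], "merge_requested",
                 {"merged_diff_sha256": sha256_hex(merged_diff.encode())})


def verify_bundle(bundle: dict) -> tuple[bool, str]:
    """Offline check: recompute every link, then confirm reviewed diff == merged diff."""
    prev = GENESIS
    for i, ev in enumerate(bundle["chain"]):
        body = {k: ev[k] for k in ("kind", "prev", "payload")}
        if ev["prev"] != prev:
            return False, f"event {i}: broken link"
        if sha256_hex(canonical(body)) != ev["hash"]:
            return False, f"event {i}: hash mismatch"
        prev = ev["hash"]
    by_kind = {ev["kind"]: ev["payload"] for ev in bundle["chain"]}
    sealed = by_kind.get("diff_sealed", {}).get("diff_sha256")
    if sealed != sha256_hex(bundle["diff"].encode()):
        return False, "diff text does not match sealed hash"
    reviewed = by_kind.get("review_recorded", {}).get("reviewed_diff_sha256")
    if reviewed != sealed:
        return False, "review covers a different diff"
    merged = by_kind.get("merge_requested", {}).get("merged_diff_sha256")
    if merged is not None and merged != reviewed:
        return False, "diff changed between review and merge"
    return True, "ok"


if __name__ == "__main__":
    # Honest flow: the reviewed diff is the merged diff.
    bundle = build_bundle(SAMPLE_DIFF, "L3", SAMPLE_FINDINGS, "alice")
    record_merge(bundle, SAMPLE_DIFF)
    print(json.dumps(bundle["chain"][-1], indent=2))
    print(verify_bundle(bundle))
    # Post-review edit: a line slipped in after approval is caught at verification.
    bundle = build_bundle(SAMPLE_DIFF, "L3", SAMPLE_FINDINGS, "alice")
    record_merge(bundle, SAMPLE_DIFF + "+import os\n")
    print(verify_bundle(bundle))
```

The verifier needs nothing but the bundle itself, so it runs on an air-gapped machine. Editing any sealed field (say, downgrading the risk tier after the fact) breaks that event's hash; editing the field and recomputing the hash breaks the next event's `prev` link, so the only way to rewrite history undetected is to regenerate the whole chain, which is why the head hash is what you would sign or publish.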