Reviews every pull request the moment it opens — scans for secrets, CVEs, OWASP Top 10, architecture risk, test gaps, and more. Free-tier friendly. Optional Claude narrative layer.
Every PR in your repo deserves the same rigorous, five-second, senior-engineer review. Nova gives you that — without hiring one. It reads the diff, the git history, the dependency tree, the OWASP checklist, and posts a structured review with a risk score, inline fix suggestions, and auto-generated tests in ~3-8 seconds flat.
| Before Nova | After Nova |
|---|---|
| Secrets leak into main | Never merged — caught in regex + semantic pass |
| Vulnerable deps slip through | Every package.json change cross-checked against OSV.dev |
| 800-line PRs land unreviewed | Auto-split suggestions before a human wastes hours |
| `APPROVED` rubber-stamps | Every PR gets a risk score 0-100 + colored label |
| "Tests? We'll add them later." | Nova writes the missing tests and posts them |
There are three ways to run Nova; pick whichever fits:
Best for: teams, multiple repos, zero ongoing maintenance. See docs/install-as-github-app.md for the 4-step app creation (~3 minutes) or jump to the quick version.
Best for: solo devs, personal repos, zero-signup setup.
```bash
git clone https://github.com/yourusername/nova
cd nova
npm install
npm run wizard   # interactive setup, writes .env
npm start        # in one terminal
npm run tunnel   # in another — gives you a public https URL
```

Then paste the `https://…trycloudflare.com/github-webhook` URL + the secret printed by the wizard into Settings → Webhooks on any repo you own. Done.
Best for: always-on hosting, zero local setup. All free tiers.
| Platform | Click | Notes |
|---|---|---|
| Vercel ★ | | serverless + Upstash Redis — full guide |
| Render | | persistent disk, simplest |
| Railway | | similar to Render |
| Heroku | | requires credit card |
| Fly.io | `flyctl launch --copy-config` | edge CDN |
After deploy, set GITHUB_TOKEN + GITHUB_WEBHOOK_SECRET in the platform's env vars, then point your GitHub webhook at https://<your-app>/github-webhook.
Note for Vercel: you must also add Upstash Redis (free tier) for persistent state — serverless functions have no filesystem. The storage layer auto-detects and uses it. See docs/deploy-vercel.md for the 8-minute walkthrough.
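The `GITHUB_WEBHOOK_SECRET` set above is what lets the `/github-webhook` endpoint reject deliveries that did not come from GitHub. As an added example (not Nova's own code; the function names, the sample secret and the payload are constructed here), this is the check a receiver performs on GitHub's `X-Hub-Signature-256` header:

```javascript
// Added example, not Nova's code: HMAC check for GitHub webhook deliveries.
const crypto = require('node:crypto');

// rawBody must be the exact bytes received, before any JSON parsing.
function verifyGithubSignature(rawBody, signatureHeader, secret) {
  if (!secret) throw new Error('GITHUB_WEBHOOK_SECRET is not set'); // fail closed
  const prefix = 'sha256=';
  if (typeof signatureHeader !== 'string' || !signatureHeader.startsWith(prefix)) {
    return false; // header missing, or only the legacy sha1 form was supplied
  }
  const theirs = Buffer.from(signatureHeader.slice(prefix.length), 'hex');
  const ours = crypto.createHmac('sha256', secret).update(rawBody).digest();
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (theirs.length !== ours.length) return false;
  return crypto.timingSafeEqual(theirs, ours);
}

// Constructed sample data: a made-up secret and a minimal pull_request payload.
function demo() {
  const secret = 'constructed-example-secret';
  const raw = Buffer.from('{"action": "opened", "number": 7}');
  const sign = (body) =>
    'sha256=' + crypto.createHmac('sha256', secret).update(body).digest('hex');
  const header = sign(raw);
  // Re-serialising parsed JSON changes the bytes (whitespace), so the MAC no longer matches.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(raw.toString())));
  return {
    valid: verifyGithubSignature(raw, header, secret),
    tampered: verifyGithubSignature(Buffer.from('{"action": "opened", "number": 8}'), header, secret),
    reserialized: verifyGithubSignature(reserialized, header, secret),
    missingHeader: verifyGithubSignature(raw, undefined, secret),
    truncatedHeader: verifyGithubSignature(raw, header.slice(0, 20), secret),
    wrongSecret: verifyGithubSignature(raw, header, 'another-secret'),
  };
}

console.log(demo());
```

In an Express app the raw bytes can be captured with the `verify` option of `express.json()`, so the signature is checked against what GitHub actually sent rather than a re-serialised object.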
One-click-to-use experience for everyone who wants to install your bot on their own repos.
Host it once, let anyone install it.
- Deploy Nova anywhere (Render/Railway/Fly — see above)
- Create a GitHub App pointing at your deployment — step-by-step guide →
- Share `https://github.com/apps/<your-app-slug>` — users click Install, pick repos, done.
No PAT. No webhook secret. No .env editing for end users. They just click Install.
```bash
docker build -t nova .
docker run -d -p 3000:3000 --env-file .env -v $(pwd)/data:/app/data nova
```

Or use the included compose file to run the full stack (backend + dashboard + landing) with one command:
```bash
npm run docker:prod:up     # builds and runs backend + landing (+ dashboard served at /dashboard)
npm run docker:prod:logs   # follow logs
npm run docker:prod:down   # stop stack
# Optional public tunnel
docker compose --profile tunnel up -d   # full stack + public URL for backend
```

```
openclaw-pr-reviewer/
├─ SKILL.md # OpenClaw skill definition
├─ Dockerfile / docker-compose.yml
├─ render.yaml / railway.toml / fly.toml / app.json
├─ scripts/
│ ├─ setup-wizard.js # npm run wizard
│ ├─ tunnel.js # npm run tunnel (cloudflared)
│ ├─ seed.js # demo data for dashboard
│ └─ simulate-pr.js # end-to-end dry run
├─ src/
│ ├─ config.js # env-driven config
│ ├─ index.js # Express server + landing page + /setup
│ ├─ api.js # /api/* dashboard endpoints
│ ├─ pipeline.js # review orchestration
│ ├─ webhook/ # verifier · router · dispatcher
│ ├─ github/ # REST client + App auth + PAT fallback
│ │ └─ app-auth.js # JWT signing + installation tokens
│ ├─ installations/ # multi-tenant registry
│ ├─ analyzer/ # 20 analyzers (bugs · security · OWASP · …)
│ ├─ formatter/ # GitHub comment · risk meter · cards
│ ├─ personality/ # strict · mentor · fast · senior
│ ├─ learning/ # history · patterns · leaderboard
│ ├─ notifications/ # slack · telegram · discord
│ ├─ integrations/ # jira · linear · CVE · SPDX
│ └─ utils/ # logger · retry · truncator · language
├─ prompts/ # 9 AI prompt templates
├─ dashboard/ # React 18 + Vite + Tailwind + Framer Motion
│ └─ src/pages/ # Overview · Reviews · Leaderboard · Security · Settings
├─ data/ # lowdb JSON — reviews, patterns, leaderboard, installations
├─ docs/ # setup, features, security, personalities, GitHub App
└─ tests/ # node --test
```
All 20 run in parallel on every PR. Any one can be toggled via a FEATURE_* env var.
- Intelligence — Auto-fix suggestions · Risk score (0-100) · Dependency CVEs · PR size enforcer · Git history context · Multi-language awareness
- Security — Secret scanner · License compliance · OWASP Top 10 · Sensitive data leak detection
- Team — Smart auto-assign (git-blame) · Jira/Linear linking · Auto-changelog · Team leaderboard
- UX — Personality modes · Slack/Telegram/Discord cards · Pattern learning per author · Praise good code
- Advanced AI — Architecture impact analysis · Auto-generated unit tests
Full detail: docs/features.md
```bash
npm run dashboard         # dev server on :5173
npm run dashboard:build   # prod build served by the backend at /dashboard
```

- Overview — animated arc gauge, count-up stats, live review feed
- Reviews — full history table, filter by repo/author/verdict
- Leaderboard — per-dev rankings with gold/silver/bronze
- Security — OWASP breakdown, CVE timeline, secrets found
- Settings — toggle every feature, set personality, test webhook
Premium dark theme (Linear-meets-Vercel), Framer Motion animations, Recharts visualizations.
The wizard writes this for you, but here's the full list:
```bash
# Auth (pick one)
GITHUB_TOKEN= # Personal Access Token
GITHUB_APP_ID= # App ID if using GitHub App
GITHUB_APP_CLIENT_ID=
GITHUB_APP_PRIVATE_KEY= # PEM contents (with \n) — or path below
GITHUB_APP_PRIVATE_KEY_PATH=
GITHUB_APP_SLUG= # for /install redirects
# Webhook signature
GITHUB_WEBHOOK_SECRET=
# Optional AI (everything works without this)
FEATURE_AI=false # set true + key for Claude narrative
ANTHROPIC_API_KEY=
ANTHROPIC_MODEL=claude-opus-4-5
# Server
PORT=3000
NODE_ENV=production
PUBLIC_URL=https://your-deployment.example.com
REVIEW_PERSONALITY=senior # strict | mentor | fast | senior
# 20 feature flags — all default on except notifications/jira
FEATURE_SECRET_SCANNER=true
FEATURE_OWASP=true
# ...see .env.example for the full list
```

```bash
npm run setup # installs backend + dashboard + landing deps
npm run dev # backend with nodemon on :3000
npm run dashboard # dashboard on :5173
npm run landing:dev # landing page on :3001
npm run dev:all # backend + dashboard + landing in one command
npm test # unit tests (node --test)
npm run verify # test + dashboard build + landing build
npm run seed # populate fake reviews for dashboard demo
node scripts/simulate-pr.js # dry-run the entire pipeline end-to-end
```

- Backend root (`/`) redirects to `LANDING_URL` (default `http://localhost:3001`)
- Dashboard is served at `/dashboard` by backend when built (`npm run dashboard:build`)
- In production, set these env vars explicitly:
  - `PUBLIC_URL=https://your-backend-domain`
  - `LANDING_URL=https://your-landing-domain`
  - `CORS_ORIGINS=https://your-backend-domain,https://your-landing-domain`
PRs welcome. Nova will review itself — meta-eat-your-own-dogfood style.
MIT — do whatever you want with it.
Built with ❤️ · Secrets handled securely · Zero telemetry