$ phreaker init

AI code review
that never sleeps.

Senior-engineer-level pull request analysis on every push. Catch bugs, security holes, and code smells before merge. Powered by Xiaomi MiMo.

30 PRs/month free · No credit card
14.2k
PRs reviewed
2,847
Bugs caught
312
Security issues
98.4%
Dev satisfaction
// FEATURES

What Phreaker catches

Trained on millions of real PRs and CVEs.

[01]

Security vulnerabilities

SQL injection, XSS, leaked secrets, unsafe deserialization, command injection. Cross-referenced against the CVE database.

[02]

Logic bugs

Off-by-one, null dereference, race conditions, incorrect state transitions, side effects in render.

[03]

Performance issues

N+1 queries, unnecessary re-renders, blocking IO on the hot path, leaked event listeners, unbounded loops.

[04]

Style & conventions

Project-specific style, learned from the repo history. Not generic rule spam.

[05]

Test coverage

Flags new logic without tests. Suggests test cases for edge cases.

[06]

Architecture drift

Detects changes that violate the architecture (ADR, AGENTS.md, CONTRIBUTING.md).

// LIVE DEMO

Watch it review a real PR

This is real MiMo output on a vulnerable Express endpoint. No cherry-picking.

PR #142 · feat: get user by id
phreaker-bot
api/users.ts
diff --git a/api/users.ts b/api/users.ts
@@ -12,8 +12,15 @@ export async function getUser(req: Request) {
const id = req.params.id;
- const user = await db.query(
- `SELECT * FROM users WHERE id = '${id}'`
- );
+ const user = await db.query(
+ `SELECT * FROM users WHERE id = ${id}`
+ );
return Response.json(user);
}
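Review bot: the added query on the `+` lines still builds SQL from `req.params.id` through `${id}`; dropping the quotes around it does not make the value safe and means it is now parsed as raw SQL instead of as a string literal. Pass the id as a bound parameter rather than interpolating it. Since `Response.json(user)` returns the result of `SELECT *` unchanged, also select only the columns this endpoint is meant to expose.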
3 issues found · 1 critical · 1 high · 1 medium
CRITICAL · security
L14
SQL injection vulnerability
User input is interpolated directly into the SQL query. An attacker can send `1 OR 1=1; DROP TABLE users;--` and steal or delete data. Use a parameterized query.
const user = await db.query('SELECT * FROM users WHERE id = $1', [id]);
HIGH · validation
L13
The `id` field is not validated
The `id` field is used without validation. If the column is an integer, non-numeric input crashes the query and leaks a stack trace.
if (!/^[0-9]+$/.test(id)) return new Response('Bad Request', { status: 400 });
MEDIUM · error-handling
L16
No error boundary
If the DB query rejects, the unhandled promise goes straight to the runtime and returns a 500 with no log context. Wrap it in try/catch and log a structured error.
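The three findings above applied together, as an added example that is not Phreaker or MiMo output. `makeFakeDb`, `parseUserId`, the `db` and `log` parameters and the plain `{ status, body }` return value are assumptions made so the handler runs offline in plain JavaScript.

```javascript
// Added example. `db` is a hypothetical client whose query(text, values)
// binds $1-style parameters, as in the fix suggested for the first finding.

// Constructed in-memory stand-in for the database. It records every call so
// we can inspect exactly what would have reached the SQL engine.
function makeFakeDb(rows, { failWith } = {}) {
  const calls = [];
  return {
    calls,
    async query(text, values) {
      calls.push({ text, values });
      if (failWith) throw failWith;
      return rows.filter((r) => r.id === values[0]);
    },
  };
}

// Validation finding: accept decimal digits only, before the value is
// anywhere near SQL. Returns a safe integer, or null for anything else.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]+$/.test(raw)) return null;
  const id = Number(raw);
  return Number.isSafeInteger(id) ? id : null;
}

// Returns { status, body } rather than a Response object (assumption, to
// keep the example independent of the runtime).
async function getUser(req, db, log = console.error) {
  const id = parseUserId(req.params.id);
  if (id === null) return { status: 400, body: 'Bad Request' };
  try {
    // Injection finding: the id travels as a bound value, never as SQL text.
    const rows = await db.query('SELECT * FROM users WHERE id = $1', [id]);
    return { status: 200, body: rows };
  } catch (err) {
    // Error-handling finding: structured log server-side, generic body out.
    log(JSON.stringify({ event: 'getUser_failed', id, error: err.message }));
    return { status: 500, body: 'Internal Server Error' };
  }
}
```

With the payload quoted in the first finding, the handler answers 400 and the fake database records no call at all; a rejected query yields a generic 500 while the error detail goes only to the log.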
// PRICING

Start free. Pay as you scale.

All plans: unlimited repos. Limits are counted per PR per month.

Hobby
Rp 0/forever
  • +30 PRs / month
  • +Public repos only
  • +Community Discord
Install
Pro
Rp 449k/month
  • +500 PRs / month
  • +Private repos
  • +Custom rules per repo
  • +AGENTS.md aware
  • +Email support
14-day trial
Team
Rp 3.1 million/month
  • +Unlimited PRs
  • +5 seats
  • +SSO + audit log
  • +Slack + Linear
  • +Priority support
Contact sales
Phreaker — AI Code Review for GitHub