heygrc
Guide

Run heygrc alongside CodeRabbit

CodeRabbit reviews pull requests for bugs, quality, and best practices, and summarizes what changed. heygrc adds the missing citation: the compliance control a change touches. How to run both without doubling the noise.

the heygrc team

CodeRabbit's stated job is code review: it reviews pull requests for bugs, code quality, and best practices, and summarizes what changed. What no code reviewer gives you is the sentence a compliance-minded reader needs: this change touches ISO 27001:2022 A.8.15, here is why, here is what evidence it affects. That is heygrc's whole job, and it is why the two run well side by side: the same diff, read for a different obligation.

A summary, a review, and a citation

Think of the pull request thread as answering three reader needs. What changed: a summary. Is the code good: a code review. Does it change what we owe a framework: a control citation. CodeRabbit covers the first two by its own description; heygrc covers the third, grounded in the frameworks you selected and your company context. We make no claim about what CodeRabbit flags or misses; the categories are simply different, which is exactly why neither tool makes the other redundant.

Configure heygrc as code

heygrc installs as a GitHub App from github.com/apps/heygrc and is configured through a small REST API: one PUT to api.heygrc.com/v1/config carrying a free-form company profile (what you build, the data you handle, where you host) and your framework list. Your coding agent can run the whole setup from a single pasted prompt. The richer the profile, the sharper the reviews, because heygrc injects your context and the selected frameworks' knowledge into every pass.

Nothing about your CodeRabbit setup changes. Each app authenticates, reviews, and posts independently.

Triage: who fixes what

The practical win of running both is that findings route themselves. A code finding is the author's to fix in the diff, now. A compliance finding sometimes is too (remove the personal data from that log line), but often it reaches past the diff: update an access-control policy, capture new evidence, record a decision. Treat heygrc's findings as their own small queue with an owner, rather than mixing them into code-review back-and-forth, and neither conversation slows the other down.

If you want to adopt gradually, start heygrc in mention_only mode: it stays silent until someone comments /heygrc on a pull request, which makes the first weeks opt-in per PR instead of a new default everyone has to absorb at once.

Public repositories

If your work is open source, the pairing is free on both sides as the vendors publish it today: CodeRabbit's pricing page offers free reviews for public repositories, and heygrc reviews public repositories free, always, with no monthly cap. Private-repo pricing for each tool is on its own page.

Adding the line to the bill

For private repositories, heygrc is free for 25 reviews a month, then $19 per organization per month with 100 reviews included and $0.49 per review beyond that, never blocking a review. It bills the organization, not seats, so the compliance line on your bill tracks how much you ship, not how many engineers you hire. The cost comparison page puts that next to each vendor's own published pricing at your volume.