CodeRabbit's stated job is code review: it reviews pull requests for bugs, code quality, and best practices, and summarizes what changed. What no code reviewer gives you is the sentence a compliance-minded reader needs: this change touches ISO 27001:2022 A.8.15, here is why, here is what evidence it affects. That is heygrc's whole job, and it is why the two run well side by side: the same diff, read for a different obligation.
A summary, a review, and a citation
Think of the pull request thread as answering three reader needs. What changed: a summary. Is the code good: a code review. Does it change what we owe a framework: a control citation. CodeRabbit covers the first two by its own description; heygrc covers the third, grounded in the frameworks you selected and your company context. We make no claim about what CodeRabbit flags or misses; the categories are simply different, which is exactly why neither tool makes the other redundant.
Configure heygrc as code
heygrc installs as a GitHub App from github.com/apps/heygrc and is configured through a small REST API: one PUT to api.heygrc.com/v1/config carrying a free-form company profile (what you build, the data you handle, where you host) and your framework list. Your coding agent can run the whole setup from a single pasted prompt. The richer the profile, the sharper the reviews, because heygrc injects your context and the selected frameworks' knowledge into every pass.
Nothing about your CodeRabbit setup changes. Each app authenticates, reviews, and posts independently.
Triage: who fixes what
The practical win of running both is that findings route themselves. A code finding is the author's to fix in the diff, now. A compliance finding sometimes is too (remove the personal data from that log line), but often it reaches past the diff: update an access-control policy, capture new evidence, record a decision. Treat heygrc's findings as their own small queue with an owner, rather than mixing them into code-review back-and-forth, and neither conversation slows the other down.
If you want to adopt gradually, start heygrc in mention_only mode: it stays silent until someone comments /heygrc on a pull request, which makes the first weeks opt-in per PR instead of a new default everyone has to absorb at once.
Public repositories
If your work is open source, the pairing is free on both sides as the vendors publish it today: CodeRabbit's pricing page offers free reviews for public repositories, and heygrc reviews public repositories free, always, with no monthly cap. Private-repo pricing for each tool is on its own page.
Adding the line to the bill
For private repositories, heygrc is free for 25 reviews a month, then $19 per organization per month with 100 reviews included and $0.49 per review beyond that, never blocking a review. It bills the organization, not seats, so the compliance line on your bill tracks how much you ship, not how many engineers you hire. The cost comparison page puts that next to each vendor's own published pricing at your volume.