Free core — Apache-2.0 · Pro is a one-time buy · Launching <date>

AI code review for Drupal
on your hardware. Free to run.

A Drupal-aware reviewer that runs inside your network. The core — CLI reviewer, fine-tuned model, Claude Code skill — is free and open-source. It knows #[Hook], cache contexts, DI, and render-array XSS. Pro adds auto-fix, IDE (MCP), and the PR bot — bought once, no subscription. Nothing leaves the building either way.

Apache-2.0 core 0% data egress No subscription

Illustration of the Pro PR-bot — the findings shown are real catches from our public demo diff.

A real diff in. Real JSON out.

No screenshots, no mockups. Below is a hunk from our public 10-issue demo diff and the finding the CLI returns for it — verbatim from a real run in --use-mock mode, which exercises the deterministic detectors and shows the exact output shape with no GPU and no model download. The full fine-tuned model (24 GB GPU) caught 8–9 of the 10 seeded bugs on this diff, including the SQL injection and the unserialize() RCE.

demo.diff · DashboardController.php
+  public function importConfig(Request $request) {
+    $payload = unserialize($request->query->get('data'));
+    $expected = $this->config('acme_demo.settings')->get('api_token');
+    if ($request->query->get('token') == $expected) {
+      \Drupal::service('acme_demo.importer')->import($payload);
+    }
+    return ['#markup' => 'ok'];
+  }
drureview review · findings[3] of 4
{
  "severity": "medium",
  "category": "security",
  "file": "web/modules/custom/acme_demo/src/Controller/DashboardController.php",
  "line": 41,
  "message": "Loose comparison (`==`/`!=`) on a security-sensitive value (token/secret/hash). PHP type-juggling can bypass the check and non-constant-time comparison leaks via timing.",
  "suggestion": "Use strict comparison `===`; for secret/token/HMAC equality use hash_equals($known, $user_supplied) (constant-time).",
  "cwe": "CWE-697",
  "owasp_category": "A07:2021",
  "confidence": 0.6,
  "citation": "CWE-697: Incorrect Comparison (see also CWE-208 timing)"
}
$ git clone https://github.com/bartek-filipiuk/drureview-core && cd drureview-core && uv sync
$ curl -LO https://hardsocket.com/demo.diff
$ drureview review --diff-file demo.diff --output json --use-mock # runs in seconds — no GPU, no model pull

The same --use-mock run returns 3 more findings on this diff: a hardcoded sk_live_… Stripe key (CWE-798), an entityQuery() without accessCheck() (CWE-285), and removed-API drupal_set_message(). Point the CLI at a local model (ollama pull, one command — it's free) and the LLM passes take over: SQLi, XSS, cache-context leaks, DI violations, access-logic bugs. Download the demo diff and score it yourself — it seeds 10 labeled issues.

Three problems generic AI reviewers miss on Drupal.

CodeRabbit / Greptile / Copilot are trained on a generic corpus. They don't know #[Hook], cache contexts, or Drupal's service container — so they either silently pass or hallucinate.

Review queue bottleneck

Senior devs spend 6–9 hrs/week reviewing routine MRs. By the time they get to yours, the context is gone and the comment is "LGTM, ship it."

MR waits days · context evaporates
+AI first pass in minutes, full diff, while it's fresh

D11.1+ migration burden

Hook attributes, OOP plugins, deprecated drupal_get_path(). The lint rules catch some — but missing them in review costs a sprint of refactor later.

function my_module_node_view(...) {
+#[Hook('node_view')]
+public function nodeView(...) {

Subtle Drupal idioms

Missing #cache.contexts, raw entity loads in loops, render arrays that won't BigPipe. Generic tools don't flag any of these — your prod alerts do.

$build['#markup'] = $node->getTitle();
// no #cache.contexts → leaks
+'#cache' => ['contexts' => ['user']]

Five hops, all of them inside your network.

The MR webhook fires, the model reviews, GitLab gets a comment back. The whole pipeline runs on infrastructure you already own — no API calls leave your VPC.

01

GitLab MR

Webhook on push or comment trigger.

GitLab CE 16+
02

Diff parse

FastAPI extracts changed hunks + file context.

FastAPI · Python 3.12
03

Drupal-RAG lookup

Pulls relevant core docs, contrib patterns, prior fixes.

Qdrant
04

Local LLM review

Ollama runs gemma4-12b-dcr-v7 on your hardware.

Ollama · gemma4-12b-dcr-v7
05

MR comment

Findings posted inline. Severity, file, line.

GitLab API v4

Minutes, not days

A full deep review of a typical MR finishes in a few minutes on one RTX 4090 — we parallelized the pipeline 3.4× and measured it, findings bit-identical.

Drupal-RAG

Grounded in api.drupal.org docs, coding standards, and security advisories. Pro also indexes your own custom modules — so the model knows your hooks too.

Run it where you already work.

Same review pipeline, same local model, reached three ways. The CLI is the free core; the IDE (MCP) and PR-bot doors are Pro.

CLI & git hook FREE

Pipe a diff in, get JSON or markdown back. Wire it into a pre-push hook so nothing merges unreviewed.

$git diff main | drureview review --diff-stdin

In your IDE (MCP) PRO

An MCP server, so Cursor, Claude Code, and Windsurf call it natively. Ask your agent to review the diff; it answers with Drupal-aware findings.

review_diff · review_pr · propose_fix

PR bot on every MR PRO

Drop it in CI. On each merge request it posts inline findings — severity, file, line — before a human opens the tab.

+posted to MR · 2 critical, 4 medium

It fixes, not just flags

For mechanical Drupal mistakes — static calls that should be injected, missing cache metadata, deprecated APIs, render-array XSS — it writes the corrected code as a one-click suggestion block. Every patch is checked against PHPCS before you see it.

The fix never leaves either

A cloud reviewer round-trips your code and the patch to a vendor to "fix it." Drureview generates and validates the fix inside your network. For agencies and regulated shops, that's the whole point.

Claude Code skill — free

Core ships a dcr-review skill. Add it to Claude Code, then just say "review this Drupal diff" — your agent answers with Drupal-aware findings from your local model. Nothing leaves the machine.

Real numbers. Measured, with the method in the open.

Drureview is a high-specificity second reviewer — Drupal-idiom-aware, tuned for low false alarms. Not a magic 100% bug catcher; an extra pair of Drupal-trained eyes that never sees your code leave the building. Here is what we actually measured.

1.00
Specificity · board v2

On 58 inverted real-fix pairs, the fine-tuned model raised zero false alarms on the clean side. A second reviewer that doesn't cry wolf.

0.66
Recall · board v2

Caught two-thirds of reintroduced real defects on the same 58-pair set — balanced accuracy 0.828 vs 0.655 for the untuned base model.

+12.5pp
Verdict accuracy · A/B

Fine-tuning lifted verdict accuracy 83.3% → 95.8% on a held-out set (n=48), specificity to 100%, and dropped invalid-JSON outputs to zero.

Where Drureview sits

How we measured →
Tool Self-host Data leaves your network Drupal-aware Auto-fix on-prem Billing
Drureview Yes Never Native Yes One-time
CodeRabbit No Vendor cloud Generic Cloud only $24/seat/mo
Greptile Enterprise only Tier-dependent Generic Cloud only $30+/seat/mo
GitHub Copilot No Microsoft cloud Generic Cloud only $19/seat/mo
PHPStan / Drupal rules Yes Never Static-only No $0

Buy it once. Run it forever.

A perpetual license — twelve months of updates included, then keep what you have for good. No seats, no monthly bill.

Core

$0/ forever

The local engine, open-source (Apache-2.0) on GitHub. Review Drupal diffs on your own machine, free — forever.

  • CLI review + Claude Code skill
  • The public fine-tuned models
  • Base Drupal RAG (core + standards)
  • Personal & evaluation use
Get the core on GitHub

Solo

$39/ one-time

For an individual developer who wants the Pro layer locally.

  • DCR Fix — one-click fix suggestions
  • MCP server (Cursor / Claude Code)
  • Web panel
  • Index your own private modules
Buy Solo

Site license, air-gapped install, or done-for-you setup?

Org-wide perpetual license ($1,250), full install + RAG + CI wiring, or a ~2-hour Quickstart session from $390. The code is the cheap part — we sell getting it running on your hardware.

Talk to us

Frequently asked

Is the local Core really free?
Yes. The CLI reviewer, the Claude Code skill, and the public fine-tuned models are free to run on your own machine, forever. The one-time license unlocks the Pro layer: auto-fix, the MCP server, CI/PR-bot, and indexing your private modules.
What does 'buy once' actually mean?
A perpetual license. Your purchase includes twelve months of updates; after that you keep everything you have and can buy another year of updates if you want the newer versions. No subscription, no seat counting per month.
Does anything leave my network?
No code, ever. Reviews run on your hardware against a local model. That's the entire reason this exists.
What hardware do I need?
One box with a 24 GB GPU (RTX 3090/4090, L4, A10) is comfortable. A Mac runs it on CPU/Metal via Ollama, a bit slower. No GPU at all still works for smaller diffs.
Can you just set it up for me?
That's the Quickstart and Done-for-you packages above. We get it running on your infra, tuned to your Drupal, wired into your CI — so you don't burn a sprint on plumbing.

Paste any public Drupal MR. See what it catches.

A free, public scanner: drop in a drupal.org / GitHub / GitLab merge request and get a shareable Drupal-aware review. Public URLs only — for your private code, you run Drureview locally.

Preview the report format

What a shared scan result will look like — severity, file:line, suggestion, one link you can drop in a Slack thread. (Sample data until the scanner is live; real runs from public MRs will replace it.)

View a sample report

No code leaves your network — the scanner only runs on public URLs you paste.

Own your Drupal reviewer.

Grab the free core, or claim a founding Agency seat. Set up in an afternoon — or have us do it.

Free core, no card · Founding seats limited · Drupal community priority