Repo review subscription, a recurring senior look at code, CVEs and architecture
A GitHub repo is alive: every week brings new commits, PRs and dependencies. A repo review subscription gives you a fixed, recurring senior look at code, CVEs and architecture, a monthly code review instead of a one-off audit that is outdated within weeks.
- Monthly or weekly
- Code + CVE + architecture
- Async sparring included
- German point of contact
Direct point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
I have delivered production software, infrastructure and cloud systems for clients worldwide, including Europe, the UAE, Asia, Australia and the Americas: from automated multi-location platforms and cloud migrations to remote access systems for industrial plants.
For questions like:
- Is this release production-ready?
- Which CVEs are really critical?
- Are auth, data access and tenant isolation clean?
Monthly or weekly, matched to your pace
How often a GitHub repo review makes sense depends on how fast your code moves. We offer two cadences, both at a fixed price:
What we check on commits and PRs
We do not re-read every line, we look specifically at what changed since the last review and where new risk appears. We keep an eye on:
- new and changed endpoints: auth, input validation, rate limiting
- data access: tenant isolation, RLS policies, exposed fields
- newly added dependencies and their known CVEs
- secrets and keys that slipped into the repo by accident
- architecture drift: patterns that move away from the original design
- tests and error handling on the critical paths
Why AI code needs different review routines
AI tools produce working code in minutes, but that speed changes the risk profile. A single prompt can rebuild a whole file, pull in a new library or quietly shift a security pattern, without the diff making obvious what moved structurally. Classic review routines built for a few thoughtful commits per week fall short here.
On top of that, AI-generated code looks clean and consistent even when it makes wrong assumptions. Plausible-looking auth logic, unchecked inputs or outdated packages barely stand out on a quick read-through. A review rhythm for AI code therefore has to watch dependency changes and architecture drift continuously, not just style and function.
That is exactly what the subscription is built for: a recurring senior look that keeps pace with AI development and finds the spots where speed turns into silent risk.
CVE and dependency monitoring as part of the review
A review that only looks at the code you wrote misses half the attack surface. The larger part often sits in the dependencies: packages that were clean at the last review can carry a known vulnerability today. That is why CVE and dependency monitoring is a fixed part of every review cycle.
We watch the packages you use continuously against known CVEs, rank every hit by relevance to your product and tell you what is truly urgent and what can wait. On critical vulnerabilities you get a prompt heads-up instead of hearing about it only in the next monthly report.
That turns a pure code review into a look at the whole system: your own code and third-party dependencies, both watched in the same rhythm.
Async questions between reviews
Not every question fits into a fixed review cycle. Sometimes you want a quick read on whether an approach holds before a PR, or to sanity-check an architecture decision before it lands in the code. That is what the async channel in the subscription is for: a technical sparring partner you can reach between reviews.
You write your question with context, we reply asynchronously with an assessment, no meeting required. That gets you a second senior opinion exactly when the decision is due, not weeks later in hindsight. The scope of the channel depends on your plan.
Example: what stood out since the last review
Here is what a review cycle looks like in practice. A trimmed excerpt of what we typically find and prioritise between two reviews:
- new endpoint /api/export without an auth check, to close before release
- dependency with a fresh CVE pulled in, update available, medium urgency
- RLS policy missing for a new table, tenant isolation at risk (critical)
- API key committed in a test file, rotate it and remove from history
- retry logic duplicated across three services, consolidation suggested (low)
- architecture drift: business logic moving into the UI layer, steer back early
How the repo review subscription works
- 01
Baseline review
Before the ongoing support starts, the initial state is assessed: architecture, auth, data model, dependencies, deployment, infrastructure, monitoring and open risks.
- 02
Set the review rhythm
Depending on the plan, the review runs monthly or weekly. What matters are new commits, pull requests, dependency changes, security alerts and architecture decisions.
- 03
Ongoing review
I look at new changes and assess whether they affect security, data model, architecture, auth, infrastructure or production readiness.
- 04
Sparring between reviews
Technical questions can be raised async or booked as a 30-minute call. The sparring quota is used for architecture, security, CVE and release questions.
- 05
Monthly overview
There is a short risk status, open findings and clear priorities. This keeps it visible whether the product is getting technically more stable or risks are growing.
Many projects start with a snapshot or baseline review. If the product keeps being developed with AI afterwards, I can support it on an ongoing basis.
What I need for the review
- read-only access to the repository
- a short description of stack, tool and goal
- details on hosting and deployment
- the preferred review cadence: monthly or weekly
- an overview of core dependencies and update paths
- open questions or specific concerns
What the review delivers
- an understandable risk status per cycle
- top risks at a glance
- prioritised findings from code, CVEs and architecture
- concrete recommended actions
- classification: fix now, fix before launch, plan for later
- a trend across multiple reviews: more stable or more risky
What a finding looks like
Since the last review a package with a known CVE was pulled in, exploitable through an open endpoint. Recommendation: bump to the patched version and secure the endpoint.
AI code review tool or repo review subscription?
| AI code review tool | Veriploy repo review subscription | |
|---|---|---|
| Level | Comments on individual PRs and diffs | Assesses the product as a system over time |
| CVEs and dependencies | Partly covered, depending on the tool | Ongoing monitoring with human judgement |
| Architecture drift | Usually sees only the current diff | Watches patterns and drift across multiple reviews |
| Prioritisation | Many equally weighted comments | Findings ranked by severity and product relevance |
| Questions in between | No point of contact | Async sparring with a senior |
Frequently asked questions
What is the difference from an AI code review tool?
A tool comments on individual pull requests and diffs, automated and in real time. That is useful and complements us well. The repo review subscription works one level up: we assess the product as a system over time, watch architecture drift and CVEs, prioritise by product relevance and stay reachable. Tool and subscription do not rule each other out.
Monthly or weekly, what fits me?
It depends on your repo's pace. With calm development a monthly code review (Oversight) is often enough. If you ship weekly or more and have releases coming up, Guard or Launch fit better. In the fit-check we take a quick look at your repo and recommend the right cadence.
Do you need write access to the repo?
No, read-only is enough. Read access to the repository is sufficient for the review. We do not need write access, because we do not commit the fixes ourselves, we review, prioritise and explain.
Do you also do the fixes?
Not within the subscription. We review, assess and explain what needs to be done. Implementation runs through your own team or separately through Wevelsiep Advisory or WZ-IT. That keeps the review independent from the implementation.
How does a review cycle work in practice?
We look at what changed since the last review: new commits and PRs, new dependencies with their CVEs and possible architecture drift. You get a report with findings ranked by severity and can ask questions async between reviews. On critical CVEs we reach out promptly.
What does the repo review subscription cost?
Prices are fixed: Oversight 990 €, Guard 1.950 € and Launch 3.900 € per month, Scale on request for multiple repos and teams. If you want a baseline first, start with a 790 € Baseline as a one-off. All prices net plus VAT. Ongoing packages start with a 3-month minimum term, then cancelable monthly, unless agreed otherwise.
Do you recognize these risks in your own app?
The AI-app risk self-check assesses product status, stack, auth, data access, infrastructure, CVEs and your technical knowledge, and shows whether a review makes sense.
Repo review subscription, a recurring senior look at your repo.
Book the fit-check and find the right review cadence in the plan that fits.
Check repo fit
Briefly describe the project.
Direct contact with me, no anonymous ticket system. I get back to you with a first assessment and the right entry point.
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director