Repo review subscription, a recurring senior look at code, CVEs and architecture
A GitHub repo is alive: every week brings new commits, PRs and dependencies. A repo review subscription gives you a fixed, recurring senior look at code, CVEs and architecture, a monthly code review instead of a one-off audit that is outdated within weeks.
- Monthly or weekly
- Code + CVE + architecture
- Async sparring included
- German point of contact
Technical point of contact
Timo Wevelsiep
Software engineer, cloud architect, founder & managing director
I review code, security and infrastructure and surface what is technically risky before launch, customer use or due diligence.
For questions like:
- Is this release ready for production?
- Which CVEs are really critical?
- Will the architecture carry the next users?
Monthly or weekly, matched to your pace
How often a GitHub repo review makes sense depends on how fast your code moves. We offer two cadences, both at a fixed price:
What we check on commits and PRs
We do not re-read every line, we look specifically at what changed since the last review and where new risk appears. We keep an eye on:
- new and changed endpoints: auth, input validation, rate limiting
- data access: tenant isolation, RLS policies, exposed fields
- newly added dependencies and their known CVEs
- secrets and keys that slipped into the repo by accident
- architecture drift: patterns that move away from the original design
- tests and error handling on the critical paths
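As an added illustration of this diff-focused triage (example code, not the subscription's own tooling): a small Python pass over a constructed unified diff that flags three of the items above, a new route handler without an auth decorator, a newly pinned dependency to check against advisories, and a hard-coded key in a test file. The Flask decorator names, regexes and file paths are assumptions.

```python
import re

# Constructed sample diff (not from the page): a new Flask endpoint without
# auth, one with auth, a new pinned dependency and a hard-coded key in a test.
# Paths, library names and the key value are hypothetical.
SAMPLE_DIFF = """\
diff --git a/app/export.py b/app/export.py
+@bp.route("/api/export", methods=["GET"])
+def export_all():
+@bp.route("/api/me")
+@login_required
+def me():
diff --git a/requirements.txt b/requirements.txt
+somelib==1.2.3
diff --git a/tests/test_export.py b/tests/test_export.py
+API_KEY = "sk_live_EXAMPLE0000000000000000"
"""

ROUTE_RE = re.compile(r'@\w+\.route\("([^"]+)"')            # @bp.route("/path")
AUTH_RE = re.compile(r"@(login_required|jwt_required|requires_auth)")
DEP_RE = re.compile(r"^\+([A-Za-z0-9_.-]+)==([0-9][\w.]*)$")    # pinned requirement
SECRET_RE = re.compile(r'(?i)(api[_-]?key|secret|token)\s*=\s*"[^"]{16,}"')


def triage(diff):
    """Walk only the added lines of a unified diff and return review findings."""
    findings, current_file = [], "?"
    route, has_auth = None, False      # decorator state for the next def
    for line in diff.splitlines():
        if line.startswith("diff --git"):
            current_file = line.split(" b/")[-1]
            continue
        if line.startswith("+++") or not line.startswith("+"):
            continue                   # skip headers, context and removed lines
        body = line[1:]
        m = ROUTE_RE.search(body)
        if m:
            route = m.group(1)
        elif AUTH_RE.search(body):
            has_auth = True
        elif body.lstrip().startswith("def "):
            if route and not has_auth:
                findings.append(f"{current_file}: new endpoint {route} without auth decorator")
            route, has_auth = None, False
        m = DEP_RE.match(line)
        if m and current_file.endswith("requirements.txt"):
            findings.append(f"{current_file}: new dependency {m.group(1)}=={m.group(2)}, check advisories")
        if SECRET_RE.search(body):
            findings.append(f"{current_file}: possible hard-coded secret")
    return findings
```

Run it against `git diff <last-review-ref>..HEAD` output to get a first cut of what changed since the previous cycle; the decorator and secret patterns need adapting to the project's own framework.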
Why AI code needs different review routines
AI tools produce working code in minutes, but that speed changes the risk profile. A single prompt can rebuild a whole file, pull in a new library or quietly shift a security pattern, without the diff making obvious what moved structurally. Classic review routines built for a few thoughtful commits per week fall short here.
On top of that, AI-generated code looks clean and consistent even when it makes wrong assumptions. Plausible-looking auth logic, unchecked inputs or outdated packages barely stand out on a quick read-through. A review rhythm for AI code therefore has to watch dependency changes and architecture drift continuously, not just style and function.
That is exactly what the subscription is built for: a recurring senior look that keeps pace with AI development and finds the spots where speed turns into silent risk.
CVE and dependency monitoring as part of the review
A review that only looks at the code you wrote misses half the attack surface. The larger part often sits in the dependencies: packages that were clean at the last review can carry a known vulnerability today. That is why CVE and dependency monitoring is a fixed part of every review cycle.
We watch the packages you use continuously against known CVEs, rank every hit by relevance to your product and tell you what is truly urgent and what can wait. On critical vulnerabilities you get a prompt heads-up instead of hearing about it only in the next monthly report.
That turns a pure code review into a look at the whole system: your own code and third-party dependencies, both watched in the same rhythm.
Async questions between reviews
Not every question fits into a fixed review cycle. Sometimes you want a quick read on whether an approach holds before a PR, or to sanity-check an architecture decision before it lands in the code. That is what the async channel in the subscription is for: a technical sparring partner you can reach between reviews.
You write your question with context, we reply asynchronously with an assessment, no meeting required. That gets you a second senior opinion exactly when the decision is due, not weeks later in hindsight. The scope of the channel depends on your plan.
Example: what stood out since the last review
Here is what a review cycle looks like in practice. A trimmed excerpt of what we typically find and prioritise between two reviews:
- new endpoint /api/export without an auth check, to close before release
- dependency with a fresh CVE pulled in, update available, medium urgency
- RLS policy missing for a new table, tenant isolation at risk (critical)
- API key committed in a test file, rotate it and remove from history
- retry logic duplicated across three services, consolidation suggested (low)
- architecture drift: business logic moving into the UI layer, steer back early
What a finding looks like
Since the last review a package with a known CVE was pulled in, exploitable through an open endpoint. Recommendation: bump to the patched version and secure the endpoint.
AI code review tool or repo review subscription?
| | AI code review tool | Veriploy repo review subscription |
|---|---|---|
| Level | Comments on individual PRs and diffs | Assesses the product as a system over time |
| CVEs and dependencies | Partly covered, depending on the tool | Ongoing monitoring with human judgement |
| Architecture drift | Usually sees only the current diff | Watches patterns and drift across multiple reviews |
| Prioritisation | Many equally weighted comments | Findings ranked by severity and product relevance |
| Questions in between | No point of contact | Async sparring with a senior |
Frequently asked questions
What is the difference from an AI code review tool?
A tool comments on individual pull requests and diffs, automated and in real time. That is useful and complements us well. The repo review subscription works one level up: we assess the product as a system over time, watch architecture drift and CVEs, prioritise by product relevance and stay reachable. Tool and subscription do not rule each other out.
Monthly or weekly, what fits me?
It depends on your repo's pace. With calm development a monthly code review (Watch) is often enough. If you ship weekly or more and have releases coming up, Guard or Launch fit better. In the fit-check we take a quick look at your repo and recommend the right cadence.
Do you need write access to the repo?
No, read-only access to the repository is enough. We do not need write access because we do not commit the fixes ourselves: we review, prioritise and explain.
Do you also do the fixes?
Not within the subscription. We review, assess and explain what needs to be done. Implementation runs through your own team or separately through Wevelsiep Advisory or WZ-IT. That keeps the review independent from the implementation.
How does a review cycle work in practice?
We look at what changed since the last review: new commits and PRs, new dependencies with their CVEs and possible architecture drift. You get a report with findings ranked by severity and can ask questions async between reviews. On critical CVEs we reach out promptly.
What does the repo review subscription cost?
Prices are fixed: Watch 299 €, Guard 749 € and Launch 1,490 € per month, Scale from 2,900 € per month for multiple repos and teams. If you want a baseline first, start with a 249 € Snapshot or a 490 € Baseline as a one-off. All prices are net plus VAT, plans cancellable monthly.
Repo review subscription, a recurring senior look at your repo.
Book the fit-check and find the right review cadence in the plan that fits.