Open Source PR Trust Report Tools
A practical guide to building an open source pull request trust report with self-hosted checks for tests, risky files, secrets, ownership, and AI code review.
AI-generated pull requests are not a future problem anymore. They are already in maintainers' inboxes, already passing superficial lint checks, and already forcing reviewers to answer a harder question than "does this diff look plausible?"
The real question is trust. Who owns this change? Which files are risky? Did anyone add tests? Did the author understand the subsystem, or did a model produce a confident patch across a codebase it cannot be accountable for?
That is why an open source pull request trust report is becoming more useful than another faster AI coding demo. If your team accepts code from contributors, contractors, internal AI agents, or auto-fix bots, you need a compact audit trail attached to every PR.
Quick answer: The best open source pull request trust report stack in 2026 is usually Danger JS for report composition, Reviewdog for inline annotations, Semgrep Community Edition for security rules, Gitleaks for secrets, CODEOWNERS plus GitHub or GitLab rules for ownership, and SonarQube Community Build when you want a heavier self-hosted quality dashboard. Start with a small GitHub Actions or GitLab CI job before buying another AI reviewer.
This guide focuses on tools you can self-host or run inside your own CI. If you are already planning a broader move away from managed developer platforms, pair this with our guide to self-hosted GitHub alternatives. The trust report pattern works on GitHub, GitLab, Forgejo, Gitea, and most CI systems that can comment back on a pull request.
Test Setup
Resource figures in this guide are drawn from each project's official docs, release notes, and community reports, then normalized to a Hetzner CX22 reference box: 2 vCPU, 4 GB RAM, 40 GB NVMe. You can price a similar test machine through Hetzner Cloud.
I evaluated the tools as building blocks for one job: generate a useful PR trust report before a human reviewer spends serious attention. The target report should answer five questions:
- Did the PR modify high-risk files?
- Did the PR add or update tests near the change?
- Did a relevant owner review or approve it?
- Did automated security checks find secrets or suspicious code?
- Can a maintainer understand the change quickly without reading the whole diff first?
This is not a benchmark of who finds the most bugs. It is a practical stack design for teams that want a self-hosted, auditable review layer around human and AI-written pull requests.
Comparison Table
| Tool | Best role in PR trust report | Self-hosted footprint | PR comment quality | Watch-outs |
|---|---|---|---|---|
| Danger JS | Compose the final trust report | Very light | Excellent summary comments | You write the policy logic yourself |
| Reviewdog | Convert linter output into PR annotations | Very light | Excellent inline comments | Needs each checker wired correctly |
| Semgrep CE | Security and code pattern checks | Light to medium | Good with SARIF or Reviewdog | Rule quality matters more than tool choice |
| Gitleaks | Secret scanning for diffs | Very light | Good pass or fail signal | Tune allowlists to avoid noisy history scans |
| SonarQube Community Build | Quality dashboard and maintainability gate | Medium to heavy | Good dashboard, weaker PR UX in free setups | Needs server maintenance and project setup |
| CODEOWNERS plus branch rules | Ownership proof | Built into Git platforms | Strong approval signal | Only as good as your ownership map |
| OpenGrep | Community fork option for code pattern scanning | Light to medium | Similar pattern-check role | Ecosystem maturity still matters |
1. Danger JS
Danger JS is the most flexible way to turn raw CI signals into a readable pull request trust report. It runs during CI, reads the pull request metadata and diff, then posts a comment with warnings, failures, markdown tables, links, and custom messages.
What's good
Danger is not a security scanner by itself. That is the point. It is the report writer.
You can use it to check whether a PR changed database migrations, billing code, auth middleware, CI pipelines, dependency manifests, or infrastructure files. Then you can turn those checks into a concise reviewer-facing message:
- "This PR touches auth and payment code. Require owner review."
- "No tests were changed near modified source files."
- "This PR modifies GitHub Actions workflows. Treat as high risk."
- "Generated files changed without corresponding source files."
For AI-generated pull requests, that human-readable layer matters. Most reviewers do not need another raw log. They need the reason a PR deserves more attention.
Danger also works well with GitHub Actions, GitLab CI, Bitbucket Pipelines, CircleCI, Buildkite, and self-hosted runners. If you can expose a token that allows PR comments, you can usually make Danger post the report.
What's not
Danger requires you to write policy. If your team does not know what "risky" means, Danger will not invent it for you.
The first version can become a bag of random warnings if you copy every example from the docs. Keep the report small. A trust report should prioritize reviewer attention, not recreate the whole CI output.
Another limitation: Danger is only as reliable as the CI context it receives. Forked PRs, restricted tokens, private repositories, and self-hosted Git platforms may need extra setup.
Install
A minimal GitHub Actions setup looks like this:
name: pr-trust-report
on: [pull_request]
jobs:
trust:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
- run: npm install danger --save-dev
- run: npx danger ci
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Then create dangerfile.ts:
import { danger, warn, fail, markdown } from "danger";
const files = danger.git.modified_files.concat(danger.git.created_files);
const risky = files.filter((file) =>
file.includes("auth") ||
file.includes("billing") ||
file.startsWith(".github/workflows") ||
file.includes("migrations")
);
const tests = files.filter((file) => file.includes("test") || file.includes("spec"));
if (risky.length > 0) {
warn(`High-risk files changed: ${risky.slice(0, 8).join(", ")}`);
}
if (tests.length === 0) {
warn("No test files changed in this PR. Explain why in the PR description.");
}
markdown(`## PR Trust Report\n\nChanged files: ${files.length}\n\nTests touched: ${tests.length}`);
Verdict
Use Danger JS as the top-level report composer. It is the glue that turns scattered checks into one readable trust layer.
2. Reviewdog
Reviewdog takes the output from linters, scanners, and custom scripts, then posts results as pull request review comments or annotations. If Danger is the summary writer, Reviewdog is the inline evidence collector.
What's good
Reviewdog supports many reporters and CI providers. It can annotate GitHub PRs, GitLab merge requests, local checks, and review APIs depending on the environment.
This is useful because reviewers hate jumping between ten CI logs. If Semgrep finds a risky pattern, ESLint finds a suspicious rule break, or a custom script detects a missing migration note, Reviewdog can put the signal directly on the relevant line.
For a PR trust report, the best pattern is:
- Reviewdog posts precise inline findings.
- Danger summarizes what happened and what needs human attention.
- Branch rules decide whether the PR can merge.
That separation keeps the report readable.
What's not
Reviewdog can become noisy fast. If you pipe every linter warning into PR comments, reviewers will start ignoring the bot.
The second issue is wiring. Each tool has its own output format. Reviewdog supports common formats, but real-world teams still spend time normalizing output, filtering warnings, and deciding what should block a merge.
Install
A typical GitHub Actions example using Reviewdog with a linter looks like this:
- uses: reviewdog/action-setup@v1
- run: npm ci
- run: npm run lint -- --format checkstyle > lint.xml || true
- run: |
reviewdog -f=checkstyle -name="eslint" -reporter=github-pr-review -filter-mode=diff_context < lint.xml
env:
REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
For a trust report, you can also feed Reviewdog custom output from scripts that check risky files or missing test changes.
Verdict
Use Reviewdog when the trust report needs line-level evidence. Keep the inline findings focused on changed lines and high-confidence warnings.
3. Semgrep Community Edition
Semgrep Community Edition is one of the strongest open source choices for code pattern scanning in pull requests. It can find security issues, framework-specific mistakes, dangerous API usage, and organization-specific anti-patterns.
What's good
Semgrep's biggest advantage is the rule model. You can start with community rules, then add custom rules for your own trust policy.
Examples:
- Flag raw SQL string interpolation.
- Detect insecure JWT handling.
- Block direct access to secrets in application code.
- Warn when auth middleware is changed without tests.
- Find dangerous deserialization patterns.
For AI-generated PRs, Semgrep is useful because generated code often looks plausible while repeating known insecure patterns. A reviewer may skim past a small helper function; a rule can catch it every time.
Semgrep also supports SARIF output, which can be consumed by GitHub code scanning or transformed into PR comments via Reviewdog.
What's not
Semgrep is not magic. Weak rules generate false confidence. Broad rules generate noise. The useful setup is usually a small curated rule set for your stack plus a few high-signal community packs.
Community Edition is enough for many teams, but advanced enterprise workflows may require paid features from the vendor. If your goal is a self-hosted trust report, keep the dependency simple and run the CLI in CI first.
Install
A minimal CI command:
pipx install semgrep
semgrep scan --config p/ci --sarif --output semgrep.sarif
To wire it into a PR report, either upload SARIF to your platform or convert findings into Reviewdog comments.
Verdict
Use Semgrep CE as the security and code-pattern layer. Start narrow, then add rules only when they produce reviewer-useful signals.
4. Gitleaks
Gitleaks scans repositories and diffs for secrets. In a PR trust report, it has one clear job: stop credentials from entering the codebase.
What's good
Gitleaks is fast, easy to run in CI, and simple to understand. It checks for API keys, tokens, private keys, credentials, and other secret-like patterns.
For PR review, this is a trust baseline. If a generated PR adds a token, connection string, or private key, you do not want that buried inside a green build log.
Gitleaks can scan the current working tree, git history, or only changed code depending on how you configure CI. For PR trust reports, scanning the diff is often the least noisy starting point.
What's not
Secrets scanning needs tuning. Real projects often contain test fixtures, examples, fake tokens, and documentation snippets. Without allowlists, the scanner may block harmless PRs.
There is also a workflow issue: once a real secret lands in a PR, the response is not just "fix the PR." You may need to rotate the credential. Your trust report should make that clear.
Install
Example command:
gitleaks detect --source . --redact --report-format json --report-path gitleaks.json
Then add a Danger summary:
import fs from "fs";
if (fs.existsSync("gitleaks.json")) {
const report = JSON.parse(fs.readFileSync("gitleaks.json", "utf8"));
if (report.length > 0) {
fail(`Gitleaks found ${report.length} possible secrets. Rotate any real exposed credential.`);
}
}
Verdict
Use Gitleaks in every PR trust report. It is cheap, fast, and high value.
5. CODEOWNERS Plus Branch Rules
CODEOWNERS is not a scanner, but it is one of the most important trust signals. It maps files or directories to responsible people or teams, then allows your Git platform to require review from those owners.
What's good
Ownership is exactly what AI-generated PRs lack. A generated patch can compile, format, and pass tests while still changing a subsystem nobody on the PR understands.
A CODEOWNERS file gives the trust report a concrete question:
"Did the right owner approve this change?"
This is especially useful for:
- Auth and identity code
- Billing and invoices
- Infrastructure and deployment files
- Database migrations
- Security policies
- AI agent permissions
- CI workflow files
CODEOWNERS is built into GitHub and GitLab, and similar ownership patterns exist in other platforms.
What's not
CODEOWNERS rots if nobody maintains it. Teams change. Directories move. Ownership gets too broad. Eventually every PR asks the same overloaded group for review.
Also, ownership approval is not proof of correctness. It is proof that someone accountable saw the change.
Install
Create .github/CODEOWNERS or your platform equivalent:
/.github/workflows/ @platform-team @security-team
/src/auth/ @identity-team
/src/billing/ @billing-team
/db/migrations/ @backend-leads
Then enable branch protection that requires CODEOWNERS review.
Danger can also read changed files and add a summary line:
const ownerSensitive = files.filter((file) =>
file.startsWith("src/auth/") || file.startsWith("src/billing/")
);
if (ownerSensitive.length > 0) {
warn("Owner-sensitive files changed. Confirm CODEOWNERS approval before merge.");
}
Verdict
Use CODEOWNERS as the accountability layer. It is not flashy, but it answers the most important trust question.
6. SonarQube Community Build
SonarQube Community Build is a heavier option for teams that want a self-hosted dashboard for maintainability, bugs, duplication, and code smells.
What's good
SonarQube gives you persistent project history, quality gates, and a central UI. If your team wants a long-running view of code quality, it is more complete than a one-off CI script.
For PR trust reporting, SonarQube can provide a quality gate signal: pass, fail, or needs attention. That is useful when the report needs to include maintainability and reliability, not only security.
It also works across many languages, which helps polyglot teams.
What's not
SonarQube is a service, not just a binary. You need to run the server, database, backups, user access, upgrades, and project configuration. On a small team, that may be more operational weight than the problem deserves.
The free community setup may not give the same pull request decoration experience as paid editions, depending on your platform and needs. If your main goal is PR comments, Danger plus Reviewdog may feel lighter.
Install
For a quick test, run the official container with a persistent database for real use. For experiments only:
docker run --rm -p 9000:9000 sonarqube:community
In production, use a proper PostgreSQL-backed deployment and allocate enough memory. A Hetzner CX22 can handle small experiments, but larger monorepos need more headroom.
Verdict
Use SonarQube when you want a self-hosted quality dashboard. Do not start here if all you need is a small PR trust report.
7. OpenGrep
OpenGrep is worth watching as an open source code-search and pattern-scanning option in the Semgrep ecosystem. For teams that care deeply about community governance and open tooling, it may become part of the PR trust report stack.
What's good
The value proposition is similar to Semgrep-style scanning: define patterns, run them in CI, and turn matches into review signals. That model is a natural fit for PR trust reports because many risky changes are structural, not just syntactic.
What's not
For most teams, maturity matters more than ideology. Documentation, rule ecosystem, CI examples, editor support, and long-term maintenance all affect whether a scanner saves time or creates chores.
If you already have Semgrep CE running well, do not switch just to switch. Evaluate OpenGrep when your team has a concrete governance, licensing, or ecosystem reason.
Install
Because project packaging and recommendations can change, use the official installation instructions for your environment and test it on a small repository first. Then export findings into SARIF, Reviewdog, or a JSON summary consumed by Danger.
Verdict
Watch OpenGrep if open governance is important to your team. For a first trust report, Semgrep CE is still the safer default.
A Practical PR Trust Report Template
A good report is short. The reviewer should see the risk shape in under one minute.
Here is a useful structure:
## PR Trust Report
Risk level: Medium
### What changed
- 18 files changed
- Auth middleware touched
- 2 migration files added
### Trust signals
- Tests changed: yes
- CODEOWNERS approval: pending
- Secrets scan: passed
- Security pattern scan: 2 warnings
- CI workflow changes: no
### Reviewer notes
This PR changes owner-sensitive auth code. Please wait for identity-team approval before merge.
That is enough. Link to detailed logs below the summary. Do not paste every finding into the top comment.
Frequently Asked Questions
What is an open source pull request trust report?
It is a generated PR summary that combines risk signals, test coverage signals, ownership checks, security scans, and reviewer notes into one readable comment. The goal is not to replace reviewers. The goal is to show reviewers where trust is weak.
Is this only for AI-generated pull requests?
No. AI-generated PRs make the need obvious, but the pattern also helps with dependency bot updates, contractor patches, drive-by open source contributions, and internal changes from teams that do not know the subsystem.
Can GitHub Actions alone do this?
Yes for many teams. GitHub Actions can run Danger, Reviewdog, Semgrep, Gitleaks, tests, and custom scripts. If you later migrate to GitLab, Forgejo, or another self-hosted platform, keep the report logic portable by writing simple scripts and markdown summaries.
Should the report block merges?
Only high-confidence failures should block merges: leaked secrets, missing required owners, failing tests, or known dangerous patterns. Softer signals should warn reviewers instead of blocking every PR.
How do I avoid noisy bot comments?
Start with one summary comment and a few high-signal checks. Avoid posting every linter warning. Reviewers ignore noisy automation faster than they ignore no automation.
Do I still need human review?
Yes. A trust report is a map, not a judgment. It tells humans where to look, what changed, and which signals are missing. Accountability still belongs to people.
The Bottom Line
The next wave of code review tooling will not be about making pull requests look more confident. It will be about making accountability visible.
For most teams, the best open source pull request trust report stack is simple:
- Danger JS writes the summary.
- Reviewdog posts precise inline evidence.
- Semgrep CE checks risky code patterns.
- Gitleaks scans secrets.
- CODEOWNERS proves accountable review.
- SonarQube adds a heavier self-hosted quality dashboard when needed.
Start small. Pick three checks: risky files, tests changed, and secrets scan. Post one comment. Watch whether reviewers actually use it. Then add ownership and security rules as the team learns what risk looks like in its own codebase.
AI-generated PRs need audit trails, not faster demos. A pull request trust report is the lightweight way to build that trail before the next suspiciously polished diff lands in your queue.