Code review that never leaves your datacenter.
CodePatrol runs entirely on your infrastructure. Native support for Forgejo and Gitea. No telemetry. No outbound calls to US clouds. The kind of setup your CISO can actually approve.
PR #428 · auth: rotate session keysfunction rotateSessionKey(userId) {- const key = randomBytes(16);+ const key = randomBytes(32);return store(userId, key);}▸ codepatrol · runs on your forgejo instance16-byte keys fall short of OWASP guidancefor session tokens. 32 bytes is appropriate.Consider also rotating the HMAC secret.
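Review bot: In rotateSessionKey, the new length is a bare literal in `randomBytes(32)`; pull it into a named constant so the key size is stated once and any code that stores or validates these keys stays in step with it. The hunk does not show where `randomBytes` is imported from or whether `store(userId, key)` replaces the previous key, so confirm both in the full file: that the source is a CSPRNG and that rotation retires the old key rather than leaving two valid ones.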
Every AI review tool sends your code somewhere else.
CodeRabbit, Greptile, Cursor BugBot — all routed through US-hosted inference. For most teams that's fine. For European teams shipping into regulated sectors, it's a non-starter.
Self-hosting is locked behind Enterprise tiers with five-figure minimums. Forgejo and Gitea — the platforms European teams actually migrate to — are unsupported across the board.
An AI reviewer that runs where your code does.
Native Forgejo and Gitea
Webhooks, OAuth, PR comments. First-class — not retrofitted from GitHub.
Single binary deploy
Docker image or static binary. Kubernetes not required. Runs on a €20 VPS.
Zero telemetry
No phone-home. No analytics. License check is offline-signed. Verifiable in source.
Teams who already chose sovereignty over convenience.
- European fintech and healthtech shipping into BaFin, ANSSI, NÚKIB scope
- Public sector procurement (Bundes-, Land-, kraj-level) with sovereignty requirements
- Teams who migrated off GitHub to Forgejo or Codeberg this year
- Defense, energy, telco — anyone whose lawyer flinches at "US subprocessor"