Spinal FAQ: AI code review, security, and pricing.
What Spinal is, how it compares to other AI code review tools, what it supports, how it handles your code, and what to expect before rollout. Still have a question? Start a free trial and see it run on your own repository.
The basics
What is Spinal?
Spinal is production-aware code review for AI-era teams. It reviews every enabled pull request — human-written, AI-generated, or a mix — against your schemas, dashboards, and architecture, then validates risky changes by writing tests and running them. It works above the tools your developers already use, like Claude Code, Cursor, and Codex.
How does Spinal compare to CodeRabbit, Greptile, and Cursor Bugbot?
Tools like CodeRabbit, Greptile, Cursor Bugbot, and GitHub Copilot review your diff and leave comments. Spinal also reads your production system — metrics, logs, and alerts — and validates risky changes by writing focused tests and running them, so a finding comes with the evidence that reproduces it. Spinal also supports GitHub and GitLab, self-hosting, and EU data residency.
Is Spinal a CodeRabbit alternative?
Yes — teams evaluate Spinal alongside CodeRabbit, Greptile, Graphite, and Cursor Bugbot. The difference is evidence: rather than only commenting on the diff, Spinal reads production context and proves risky findings by running tests, and it offers self-hosting and EU data residency that most alternatives gate behind enterprise tiers or do not offer at all.
Why can't I just use Claude with my own tools to review PRs?
You can prompt Claude or any model to review a diff — the model is not the hard part. The hard part is everything around it: triggering a review on every pull request across every repo automatically, writing and running tests in your CI to confirm findings, sharing one configuration (instructions, knowledge, custom tools, validation, and privacy rules) across the whole team instead of each person rigging their own, connecting production signals, and adding PII redaction, audit trails, and SSO. Spinal is that harness, already built and maintained — using an LLM directly means rebuilding it yourself and keeping it running.
Does Spinal replace my existing code review or CI?
No. Spinal wraps the tools you already run. It reviews pull requests on GitHub or GitLab, understands your CI, and reads context from your observability stack — without asking you to migrate off any of them.
Capabilities
Does Spinal review AI-generated code?
Yes. Spinal reviews every enabled pull request the same way, whether the code was written by a person, generated by an agent, or somewhere in between. As agents open more pull requests than a team can read, that consistent system-level check is the whole point.
Does Spinal write and run tests?
Yes. When a change looks risky, Spinal writes a focused test — for example a webhook idempotency check or a migration backfill assertion — and runs it in your CI to confirm the finding before reporting it. It works with common test runners including pytest, Jest, Vitest, Mocha, go test, and JUnit, on GitHub Actions and GitLab CI.
How is Spinal's validation different from my CI (GitHub Actions or Jenkins)?
Your CI runs the tests you already wrote on a fixed pipeline and tells you whether the existing suite still passes. Spinal's validation is different: when a change looks risky, it writes a new, targeted test for that specific risk — one that is not in your suite — and runs it in your CI to confirm or rule out the finding. It does not replace your pipeline; it uses it as the place to execute. Your CI answers "did this break a known test"; Spinal answers "is this particular suspected bug real" by writing the test that settles it.
Does Spinal produce false positives?
Spinal is designed to keep noise low. Risky findings are validated by a test that actually runs, not inferred from the diff alone, so a reported issue arrives with reproducing evidence rather than a speculative comment. The goal is a review developers trust enough to act on before merge.
Which programming languages does Spinal support?
Spinal's review reads any language, because it reasons about the change the way a senior engineer would. Its deeper parse-level analysis and test writing currently cover Go, Rust, Ruby, Java, Kotlin, Scala, TypeScript, JavaScript, Python, PHP, and C#.
What happens if my language or framework is not on that list?
Spinal can still review the pull request, read the surrounding repository context, and use CI output and connected production signals. The deeper parser-aware analysis and generated tests are strongest for the listed languages, so teams with another stack usually start in review-only or on-mention mode and expand validation once the repo profile is confirmed.
Integrations & platforms
Does Spinal work with GitHub and GitLab?
Yes. Spinal installs as a GitHub or GitLab App and reviews pull and merge requests on both. Reviews are webhook-triggered the moment a request opens — there is no CI step to add and no bot to invite.
What integrations does Spinal support?
Observability tools like Grafana, Datadog, and Sentry; notifications like Slack and Microsoft Teams; and any custom tools you expose through MCP servers. With these connected, findings can cite real production behavior on the paths a change touches.
Which repository permissions does Spinal need?
Spinal only reviews repositories you enable. It needs source-control access to read pull or merge request metadata, diffs, relevant file contents, and CI status; receive webhooks when requests open or change; and post review comments or statuses back to the request. Validation features may require additional CI or repository permissions depending on the mode you choose.
Security & data
Can I self-host Spinal?
Yes. Spinal can run in your own VPC or fully on-prem, so source never has to leave a boundary your compliance team has approved. Managed EU-region and single-tenant deployments are also available.
Is Spinal GDPR compliant and where is my data stored?
EU data residency is available by default, not gated behind a top tier. Spinal authenticates through SAML or OIDC SSO, keeps a full audit trail of every review, and offers an Art. 28 GDPR Data Processing Agreement with a published sub-processor list.
Does my code leave my environment when Spinal reviews it?
Spinal analyzes pull requests with large language models configured by the customer. In the launch configuration, workspace administrators provide their own Anthropic / Claude API key; if an Order Form says Spinal supplies managed model access, that provider is covered through Spinal's processing terms. If you need code to stay inside your perimeter, Spinal can run self-hosted in your VPC or on-prem.
Is my code used to train models?
Spinal does not train its own models on your code. For the launch configuration, your workspace supplies its own Anthropic / Claude API key, so model-provider training, retention, and transfer terms are governed by your Anthropic agreement unless an Order Form expressly says Spinal supplies managed model access.
How long does Spinal retain code, pull request data, and logs?
Service Data such as pull requests, code, and logs is retained while the account is active, then deleted within 30 days after account deletion unless customer instructions or legal requirements say otherwise. Application logs are retained for 90 days and product telemetry for 13 months.
What data is sent to model providers?
Spinal sends the prompts needed to review the pull request, which can include pull request metadata, diffs, selected file context, CI output, and relevant connected engineering signals. The launch deployment applies server-side PII redaction before LLM submission, and customers can add custom redaction patterns for identifiers specific to their environment.
Getting started & pricing
How do I start using Spinal?
Install the GitHub or GitLab App, pick the repositories Spinal should review, and set the mode per repo — auto-review, auto-review with tests, or on-mention. Then open a pull request and Spinal reviews it against your system. The trial is 15 days and needs no credit card.
Can I try Spinal on one repository before rolling it out?
Yes. Start with a single repository and use on-mention or auto-review mode depending on how much coverage you want. That lets you evaluate review quality, permissions, CI behavior, and noise level before enabling more repositories.
How much does Spinal cost?
You can start with a 15-day free trial, no credit card required. Trial and evaluation limits are shown in the product or agreed with Spinal. Public pricing is on the way; after the trial, access depends on the workspace plan or Order Form you choose.
What happens after the 15-day free trial?
The trial lets you evaluate Spinal on real pull requests before entering a paid plan. If the workspace does not move to a plan or Order Form after the trial, review access can be limited until billing is set up.