Bugbot

Bugbot is a specialized cloud agent that monitors your pull requests for potential bugs, logic errors, and security issues. When it finds a problem, it posts an inline review comment with an explanation and suggested fix.

How Bugbot Works

Bugbot runs as a cloud agent triggered by pull request events. When a PR is opened or updated, Bugbot clones the repository, checks out the PR branch, and analyzes the diff in the context of the full codebase.

PR opened or updated
  -> Webhook triggers Bugbot
    -> Repository cloned at PR branch
      -> Diff analyzed against full codebase context
        -> Agent reasons about each change
          -> Bug candidates identified
            -> Inline review comments posted on the PR

Unlike static analysis tools that check individual files in isolation, Bugbot understands how your changed code interacts with the rest of the codebase. It can catch bugs that only manifest when multiple files are considered together, such as breaking an API contract or using a function with the wrong argument order.

Setup

Setting up Bugbot takes about two minutes.

Step 1: Connect GitHub

If you have not already connected your GitHub account, go to Dashboard > Settings > Integrations and click "Connect GitHub". Authorize the Creor GitHub App with access to the repositories you want Bugbot to monitor.

Step 2: Enable Bugbot

Go to Dashboard > Cloud Agents > Bugbot.
Click "Enable Bugbot" for each repository you want to monitor.
Choose which PR events trigger Bugbot: opened, synchronize (new commits), or both.
Optionally set a file path filter to only analyze changes in specific directories.

Step 3: Verify

Open a test pull request on one of the enabled repositories. Within 30-60 seconds, you should see Bugbot appear as a reviewer and begin posting comments if it finds issues. If the PR has no bugs, Bugbot posts a single summary comment confirming it found no issues.

Note

Bugbot uses the default model configured for your workspace. You can override this per repository in the Bugbot settings. Claude Sonnet or GPT-4o are recommended for the best balance of speed and accuracy.

What Bugbot Detects

Bugbot checks for a wide range of issues beyond what linters and type checkers catch.

Category	Examples
Logic errors	Off-by-one, wrong comparison operator, inverted boolean, unreachable code paths
Null/undefined risks	Missing null checks, optional chaining needed, unsafe type assertions
Race conditions	Shared mutable state, missing await, unhandled promise rejections
Security issues	SQL injection, XSS, insecure deserialization, hardcoded secrets, path traversal
API contract violations	Wrong parameter types, missing required fields, changed return shapes
Performance issues	N+1 queries, missing indexes, unnecessary re-renders, large bundle imports
Error handling	Swallowed exceptions, missing error boundaries, incomplete try/catch
Resource leaks	Unclosed file handles, unregistered event listeners, missing disposable cleanup

Review Comments

Bugbot posts inline review comments on the specific lines of code where it found an issue. Each comment includes three parts.

Comment Structure

Bug description: A clear explanation of what the issue is and why it matters.
Impact: What could go wrong if this bug reaches production -- a crash, data corruption, security vulnerability, etc.
Suggested fix: A code snippet showing how to fix the issue. You can apply this directly or use it as guidance.

Severity Levels

Level	Label	Meaning
Critical	bug: critical	Will cause a crash, data loss, or security vulnerability in production.
Warning	bug: warning	Likely to cause incorrect behavior under certain conditions.
Suggestion	bug: suggestion	Potential improvement. Not necessarily a bug, but worth reviewing.

Bugbot labels each comment with a severity badge so you can prioritize which comments to address first.

Configuration

Customize Bugbot's behavior per repository.

Setting	Default	Description
Trigger events	opened, synchronize	Which PR events trigger Bugbot.
File patterns	All files	Glob patterns for files to analyze (e.g., "src/*/.ts").
Ignore patterns	None	Glob patterns for files to skip (e.g., "*/.test.ts").
Min severity	warning	Only post comments at this severity or higher.
Max comments	10	Maximum number of comments per PR review.
Model	Workspace default	Override the LLM model used for this repository.
Custom instructions	None	Additional prompt context (e.g., "This is a financial app, pay extra attention to decimal precision").

# Example: configure Bugbot via API

curl -X PUT https://api.creor.ai/v1/bugbot/repos/acme/backend \

-H "Authorization: Bearer $CREOR_API_KEY" \

-H "Content-Type: application/json" \

-d '{

"enabled": true,

"triggers": ["opened", "synchronize"],

"filePatterns": ["src/**/*.ts", "src/**/*.tsx"],

"ignorePatterns": ["**/*.test.ts", "**/*.spec.ts"],

"minSeverity": "warning",

"maxComments": 10,

"model": "claude-sonnet-4-20250514",

"instructions": "This is a healthcare application. Flag any HIPAA compliance concerns."

False Positives

Bugbot is not perfect and may occasionally flag code that is actually correct. Here is how to handle false positives.

React to the comment with a thumbs-down emoji. Bugbot learns from this feedback to reduce similar false positives.
Reply to the comment explaining why the code is correct. This adds context for other reviewers.
Add an inline comment in your code (// bugbot:ignore) to suppress Bugbot on specific lines.
Adjust the min severity setting to reduce low-confidence suggestions.
Add custom instructions explaining domain-specific patterns that Bugbot may not understand.

Tip

False positive rates typically decrease over time as Bugbot processes more PRs in your repository and receives feedback. The first few PRs may have more noise than later ones.