CodeRabbit Expands Into AppSec Platform

The expansion positions CodeRabbit to capture more of the application security testing market.

This pushes CodeRabbit beyond code review and into real security budget. By running 40-plus linters and security scanners on top of its code graph, then turning the output into pull request comments, SBOMs, secret alerts, and IaC findings, CodeRabbit starts to look less like a reviewer that spots bugs and more like a developer-facing AppSec product that can catch and help fix security issues before merge.

  • The product wedge is concrete. A developer opens a pull request, CodeRabbit maps how the change touches the broader codebase, runs static analysis tools, and posts review comments in the same PR. Adding SBOM generation, secret scanning, and cloud configuration (IaC) checks lets it sell into security workflows without asking teams to adopt a separate console first.
  • The closest comparable is Snyk, which built a large business by putting security scans into developer workflows. Snyk reached about $300M ARR by October 2024, and Snyk Code alone reached about $100M ARR, showing how much spend exists when security findings are delivered where developers already write and review code.
  • The market is moving toward bundled platforms rather than single-point scanners. Semgrep, Snyk, Endor Labs, and GitHub Advanced Security all combine multiple checks with remediation. CodeRabbit's advantage is that it starts inside review workflows and can package security as an easy upsell to teams already paying for faster PR review.

The next step is a broader shift from review tool to lightweight developer security platform. If CodeRabbit keeps expanding local CLI scans, automated patching, and enterprise controls, it can pull spend from AppSec teams as well as engineering managers, which raises contract value and makes the product harder to replace with a basic AI reviewer.