AI Remediation Moves Into Pull Requests

Company Report
Snyk and other application security testing vendors are expanding from vulnerability detection into AI-powered remediation

AI remediation is turning application security from a scanner that files tickets into a tool that writes the patch, which pulls vendors like Snyk much closer to CodeRabbit's core workflow inside the pull request. Snyk already uses LLMs to find vulnerable code and suggest fixes as developers write, and that product grew into roughly a third of Snyk's revenue. That matters because Snyk brings a large vulnerability database, enterprise security buyers, and a broader suite across code, containers, and cloud.

  • Snyk's move is not just feature creep. By October 2024 it had reached about $300M ARR, with Snyk Code at about $100M ARR and growing 150% YoY, showing that remediation tied to AI-generated code is already large enough to reshape product priorities and sales motions.
  • CodeRabbit approaches the same moment from the developer review layer. It sits in GitHub, GitLab, and Azure DevOps pull requests, while Snyk and Semgrep start from security findings and are adding PR comments, fix suggestions, and auto-fix workflows. The user experience is converging on the same screen: the code review diff.
  • The competitive edge still differs. CodeRabbit can win on speed and a natural fit with day-to-day review. AppSec vendors win when a security team wants one system for SAST, SCA, containers, IaC, policy, and remediation, with fewer vendor approvals and a clearer chain from finding to fix.

The market is heading toward merged code review and security remediation. The likely winners will be products that can both explain risk in plain language and generate safe fixes directly in the pull request, while also satisfying enterprise security teams that want broad coverage, auditability, and one buying decision instead of several.