Now in public beta — free for early adopters

Your codebase deserves a reviewer who reads everything

Not just the diff. The linked issue. The commit history. The CI status. The security alerts. The team patterns. The blast radius.

6 specialized AI agents. Full codebase context. Context-aware fixes. Configurable with .grapple.yml

Real findings from real codebases

What we found in code that passed human review

We ran Grapple PR's codebase audit on two popular open-source projects. Here's what our 6 AI agents uncovered that traditional review missed.

Netflix/metaflow (8.2k): Human-friendly Python library for building and managing real-life ML, AI, and data science projects

  • Files Scanned: 100
  • Total Findings: 42
  • Critical: 4
  • Major: 12
  • Minor: 26

Top Findings

  • [critical / security] Unvalidated input in subprocess call (metaflow/runtime.py): user-controlled path passed directly to subprocess.run() without validation, enabling command injection
  • [critical / architecture] Circular import risk (metaflow/metadata/metadata.py): dynamic imports create a potential circular dependency between the runtime and metadata modules
  • [major / performance] N+1 query pattern in task dependency resolution (metaflow/task.py): each task iterates through parent steps individually instead of batching metadata queries
  • [major / logic] Race condition in concurrent step execution (metaflow/runtime.py): multiple workers can read stale state when a step is transitioning between running and completed
  • [major / security] Missing authentication on debug endpoint (metaflow/plugins/debug_logger.py): debug HTTP endpoint accessible without an auth token, exposes internal metadata

Remediation Themes

  • Subprocess calls need input validation patterns
  • Concurrency primitives missing around shared state
  • Metadata queries should batch when iterating task graphs

NVIDIA/physicsnemo (1.3k): A deep learning framework for physics simulation and inverse problems

  • Files Scanned: 100
  • Total Findings: 58
  • Critical: 6
  • Major: 18
  • Minor: 34

Top Findings

  • [critical / security] Path traversal in model loading (physicsnemo/models/loader.py): load_model() accepts user paths without sanitization, allowing arbitrary files to be read via ../ sequences
  • [critical / logic] Division by zero in loss calculation (physicsnemo/losses/pinn_loss.py): normalization step divides by variance without checking for zero, causing NaN propagation in training
  • [critical / architecture] Memory leak in CUDA tensor cleanup (physicsnemo/trainer/distributed.py): tensors moved to the GPU in the training loop are never explicitly freed and accumulate until OOM
  • [major / performance] Inefficient tensor reshape in forward pass (physicsnemo/models/fno.py): multiple sequential reshape operations create intermediate copies when a single view would suffice
  • [major / logic] Off-by-one in boundary condition sampling (physicsnemo/utils/sampling.py): collocation point generation includes the boundary twice due to an inclusive range endpoint

Remediation Themes

  • Numerical safety checks missing around division and exponential ops
  • GPU memory management needs explicit cleanup in long-running loops
  • Input validation consistently missing on file I/O paths

How we found these

1. Fork & Install: forked each repo and installed the Grapple PR GitHub App. Graph build ran automatically.

2. Run Audit: triggered the codebase audit — 6 agents scan the top 100 files by complexity and bug-fix history.

3. Review Results: the LLM-powered executive report generates priority fixes, effort estimates, and remediation themes.

These findings are from public repositories. We are not affiliated with Netflix or NVIDIA. Findings are samples for demonstration purposes.

Run this on your codebase

Every repo has hidden issues. Find yours in under 10 minutes.