How do I install DiffPilot?

DiffPilot is a local plugin. Install it using the provided package and add the generated configuration snippet to your AI app's MCP config file. Then restart your AI app.

What AI apps work with DiffPilot?

DiffPilot uses the Model Context Protocol (MCP) and works with any MCP-compatible AI app, including Claude, ChatGPT / Codex, Gemini, Copilot, Cursor, and more.

Back to Browse

DiffPilot MCP Server

by bkalafat

Developer ToolsLow Risk10.0Local

Free

MCP server for PR code review, commit messages, changelogs, and secret detection.

About

MCP server for PR code review, commit messages, changelogs, and secret detection.

Security Report

10.0

Low Risk10.0Low Risk

Valid MCP server (1 strong, 1 medium validity signals). No known CVEs in dependencies. Imported from the Official MCP Registry.

5 files analyzed · No issues found

Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.

Permissions Required

This plugin requests these system permissions. Most are normal for its category.

file_system

Check that this permission is expected for this type of plugin.

HTTP Network Access

Connects to external APIs or services over the internet.

Documentation

View on GitHub

From the project's GitHub README.

🔍 DiffPilot

Local AI Code Review Before You Push

💡 Why DiffPilot?

Review your code locally before creating a PR. DiffPilot is an MCP server that lets you:

Self-Review Before PR - Run AI code review on your local changes after your last commit, before pushing
Reviewer Workflow - As a code reviewer, checkout the source branch locally and get AI-assisted review
Auto Branch Detection - No need to specify main - DiffPilot finds your base branch automatically

🔒 100% Local - No cloud, no external APIs. Works with Azure DevOps, TFS, air-gapped environments.

🚀 Quick Start

Install

# VS Code Marketplace
ext install BurakKalafat.diffpilot

# Or NuGet (.NET tool)
dotnet tool install -g DiffPilot

Use with GitHub Copilot

# Review my changes (auto-detects base branch)
@workspace #review_pr_changes

# Review with focus areas
@workspace #review_pr_changes focus on security and error handling

# Generate commit message
@workspace #generate_commit_message

# Scan for secrets before committing
@workspace #scan_secrets

🛠️ 9 MCP Tools

PR Review Tools

Tool	Example Prompt
`#get_pr_diff`	"Show diff between my branch and main"
`#review_pr_changes`	"Review my PR for security issues"
`#generate_pr_title`	"Generate a conventional PR title"
`#generate_pr_description`	"Create PR description with checklist"

Developer Tools

Tool	Example Prompt
`#generate_commit_message`	"Generate commit message for staged changes"
`#scan_secrets`	"Check for API keys in my changes"
`#diff_stats`	"Show change statistics"
`#suggest_tests`	"What tests should I write?"
`#generate_changelog`	"Generate changelog from commits"

✨ Key Features

Feature	Description
🔄 Auto Branch Detection	Automatically finds `main`, `master`, or `develop`
🔐 Secret Scanning	Detects API keys, passwords, tokens, JWT
📊 Diff Statistics	Lines added/removed, file breakdown by type
🧪 Test Suggestions	Pattern-based test case recommendations
📝 Conventional Commits	Generate `feat:`, `fix:`, `refactor:` messages
🛡️ Enterprise Security	Bank-grade input validation, rate limiting, output sanitization

🛡️ Security

DiffPilot implements enterprise-grade security features:

Security Feature	Description
Input Validation	All parameters validated against strict patterns
Injection Prevention	Command injection, path traversal protection
Output Sanitization	Auto-redacts secrets from tool outputs
Rate Limiting	Prevents DoS attacks (120 req/min)
Secure Errors	No internal details exposed to clients
Audit Logging	Security events logged to stderr

Auto-Redacted Patterns: API keys, AWS credentials, GitHub/Slack tokens, JWTs, passwords, private keys, connection strings.

See SECURITY.md for full documentation.

📋 Use Cases

1. Self-Review Before PR

# After finishing your work, before creating PR:
@workspace #review_pr_changes

# AI reviews your changes and provides feedback
# Fix issues locally, then push with confidence

2. Code Reviewer Workflow

# Checkout the feature branch locally
git checkout feature/user-auth

# Use DiffPilot to review
@workspace #review_pr_changes focus on security

# Get structured review with AI assistance

3. Pre-Commit Secret Check

@workspace #scan_secrets

# Catches API keys, passwords, tokens before they're committed

⚙️ Configuration

{
  "diffpilot.defaultBaseBranch": "main",
  "diffpilot.prTitleStyle": "conventional",
  "diffpilot.commitMessageStyle": "conventional"
}

📦 Installation Options

Method	Command
VS Code	`ext install BurakKalafat.diffpilot`
NuGet	`dotnet tool install -g DiffPilot`
Manual	`git clone` + `dotnet build`

Requirements: .NET 9 SDK, VS Code 1.101+, Git

📜 Version History

1.2.0 (2025-12-09)

Security Hardening - Bank-grade security features
- Input validation (CWE-20)
- Command injection prevention (CWE-78)
- Path traversal protection (CWE-22)
- Output sanitization - auto-redacts secrets (CWE-200)
- Rate limiting (CWE-400)
- Secure error handling
Added SECURITY.md documentation
80 new security unit tests