The Problem
AI code reviewers catch style issues. Security scanners only check dependencies. But logical security flaws in YOUR code slip through. The SQL injection that happens because user input flows through three functions before hitting your database. The race condition in payment processing. The auth bypass hidden in middleware.
I've shipped these bugs. Your PR reviewer said "looks good." Your security scanner was green (only checks deps anyway). Two weeks later, a pentester finds the vulnerability that was visible in the PR all along.
Why Compete Against Well-Funded Startups?
Fair question. Greptile raised millions. Codacy, SonarQube, Snyk are giants. Here's my thesis: they're solving the wrong problem.
Most AI reviewers are linters with GPT. They look at the diff and comment on style. Security scanners either only check dependencies or dump 1000+ false positives. The ones that do both? Separate products that don't talk.
I'm building something different: execution flow tracing with semantic understanding. Whisper traces data from user input through your logic to find where it reaches sensitive operations.
The big players can't easily copy this. They're built on pattern matching. Tracing execution flow requires different architecture. And I have advantages:
- Speed: I ship features in days vs their enterprise compliance process
- Focus: One problem (security in PRs) vs everything to everyone
- Pricing: $30/dev vs their $100-300/seat enterprise model
- DX: 2-minute setup vs 45-minute enterprise onboarding
They optimize for enterprise contracts. I optimize for devs who want PRs to stop shipping bugs.
How It Works
Example: Standard reviewers say "looks good"
  const user = await getUser(req.headers.auth);
  const data = await db.query(
    `DELETE FROM users WHERE id = ${user.id}`
  );
Whisper traces user.id from JWT payload through getUser() to the SQL template literal. Flags SQL injection. Suggests parameterized queries.
Race condition example:
  async function processPayment(userId, amount) {
    const balance = await getBalance(userId);
    if (balance >= amount) {
      await charge(userId, amount);
      await updateBalance(userId, balance - amount);
    }
  }
Whisper spots concurrent requests could cause double-charging between check and update.
Status
Private beta with early engineering teams. 2.4M+ lines analyzed, 1,247 bugs caught, 47s avg scan time. Supports all major languages with deep framework understanding for Next.js, React, and tRPC.
What I Want
Feedback from engineers who:
- Are drowning in false positives from scanners
- Keep shipping bugs visible in PRs
- Think competing here is crazy (tell me why!)
Building mostly solo, no VC. Just solving a problem I kept hitting.
Try free: https://usewhisper.dev
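Added example, not part of the original post and not Whisper's code: the check-then-act race in processPayment reproduced against an in-memory store, next to one way to close it by serializing payments per user. The names makeStore, simulate, processPaymentRacy and processPaymentSerialized are hypothetical, and the in-memory store stands in for the post's getBalance/charge/updateBalance.

```javascript
// Constructed in-memory stand-in for the post's getBalance/charge/updateBalance.
function makeStore(initial) {
  const balances = new Map(Object.entries(initial));
  const charges = [];
  const tick = () => new Promise((resolve) => setImmediate(resolve)); // simulated I/O
  return {
    charges,
    balanceOf: (id) => balances.get(id),
    async getBalance(id) { await tick(); return balances.get(id); },
    async charge(id, amount) { await tick(); charges.push({ id, amount }); },
    async updateBalance(id, value) { await tick(); balances.set(id, value); },
  };
}

// Same check-then-act shape as processPayment in the post (store passed in).
async function processPaymentRacy(store, userId, amount) {
  const balance = await store.getBalance(userId);
  if (balance < amount) return false;
  await store.charge(userId, amount);
  await store.updateBalance(userId, balance - amount); // stale if another request ran in between
  return true;
}

// Hardened (assumed fix): a per-user promise chain makes read, check and write one unit.
const queues = new Map();
function processPaymentSerialized(store, userId, amount) {
  const previous = queues.get(userId) || Promise.resolve();
  const run = previous.then(() => processPaymentRacy(store, userId, amount));
  queues.set(userId, run.catch(() => {})); // keep the chain usable after a failure
  return run;
}

// Fire two concurrent 80-unit payments against a balance of 100.
async function simulate(processFn) {
  const store = makeStore({ alice: 100 });
  const results = await Promise.all([
    processFn(store, 'alice', 80),
    processFn(store, 'alice', 80),
  ]);
  return {
    accepted: results.filter(Boolean).length,
    charged: store.charges.reduce((sum, c) => sum + c.amount, 0),
    balance: store.balanceOf('alice'),
  };
}

simulate(processPaymentRacy).then((r) => console.log('racy', r));
simulate(processPaymentSerialized).then((r) => console.log('serialized', r));
```

A per-process queue only protects a single Node instance; across several workers the same guarantee has to come from the database, for example a transaction or a conditional update that checks the balance in the same statement that changes it.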