GRUG CRUSH BUG. GRUG BLOCK EVIL CVE. GRUG GUARD STRONG CODE. GRUG RUN PROJECT SMOOTH LIKE ROCK. GRUG KNOW SDLC. GRUG OPEN SOURCE. GRUG SELF-HOSTABLE.
v0.7.0

Grug code monkey.
Grug whole cave.

One grumpy caveman. Whole software lifecycle. Grug crush bug, block evil CVE, gate weak code, run project smooth like rock. Grug know SDLC. Grug live in GitHub, post Check Runs, never spam comments. You ship. Grug guard.

AGPL-3.0 · Posts as GitHub Check Runs · Many personas, one app · $0 to self-host
Grug, the grumpy caveman, holding a wooden club
+ 4 personas active
checks/grug PR #358 · main ← graphify

Grug · 4 of 5 personas blocking

11/16 pass · 3 blocking
Persona | Finding | Verdict
smasher | 2 null-deref paths in parser.go | block
guard | CVE-2026-1144 in lodash@4.17.20 | block
elder | complexity 18 in resolveTree() | warn
chief | missing acceptance criteria | block
warder | changelog · semver hint minor | pass

// what's in grug's cave
01
Grug crush bug

Static analysis, symbolic execution, and LLM diff review on every PR.

02
Grug block evil CVE

Vulnerable dependencies and known exploits get gated before merge.

03
Strong code only

Complexity, coverage, dead code, and review hygiene held to a line.

04
Grug run project

Stale PRs, sprint burndown, changelog drafts, semver hints. No yaml.

02 · what grug do

Grug do whole cave.
From idea to ship.

// One GitHub App. Many personas. Posts as Check Runs so branch-protection rules can require any of them. Toggle the ones your team needs.

F-01 / smasher

Grug crush bug before bug ship.

Static analysis + symbolic execution + LLM diff review. Finds null-derefs, race conditions, off-by-ones, and the sneaky logic bugs your linter misses.

null-deref | parser.go:142 · req.body may be nil | block
race | cache.go:88 · concurrent map write | block
off-by-one | slice[i+1] when len-1 | warn
err-check | all returns handled | pass
F-02 / guard

Grug block evil virus at gate.

SCA on every dependency, secret scanning, SAST on the diff, and a CVE database refreshed hourly. Evil shall not pass.

CVE-2026-1144 | lodash 4.17.20 · prototype pollution · CVSS 8.8 | block
secret | AWS_SECRET_ACCESS_KEY in .env.example | block
SAST | SQL string concat · users.go:201 | warn
deps | 317 packages · 0 unmaintained | pass
F-03 / elder

Strong code only. Grug not approve weak loop.

Line-by-line review for naming, complexity, test coverage and dead code. Posts inline suggestions you can accept with one click.

parser.go @@ -142,7 +142,12 @@
- for i := 0; i < len(items); i++ {
+ for i, item := range items {
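Review bot: on the `+` line, `range` evaluates `items` once and binds `item` as a copy of each element, whereas the removed loop re-read `len(items)` on every pass. The loop body is not shown, so confirm it neither resizes `items` nor writes through `item` expecting the slice to change. If the body only indexes, use `for i := range items` instead, since Go rejects an unused `item`.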
grug Grug see C-style loop. Go have range. Use range.
× resolveTree() · cyclomatic 18 (max 10)
! coverage 67% on changed lines (target 80%)
0 dead exports · 0 unused vars
F-04 / chief + warder

Grug run project. Grug ward off bad release.

Definition-of-Ready on every PR. Stale-PR pulse. Auto-changelog with semver hint. Sprint burndown that lives in your repo, not a Jira tab. Warder gates the deploy before virus infect tribe.

# on PR open
grug.chief ✓ acceptance · ✓ estimate · ✗ rollback plan
grug.sprint burndown · 12 / 18 pts · on track
grug.warder changelog drafted · semver: minor
grug.pulse 3 PRs stale > 4d · review blocked
# merge gated until rollback plan present
03 · the personas

Five Grugs. One cave.

// Each persona is its own Check Run. Require any of them in branch protection. Toggle per-repo. BYO model key on Pro.

F-01 Smasher Grug, holding a stone club
F-01 · SMASHER

Smasher

Static analysis, symbolic exec, LLM diff review. Catches null-derefs, races, off-by-ones, sloppy error handling.

  • Languages: Go, TS, Py, Rust, Java, Ruby
  • Posts inline suggestions you can accept
  • Blocks merge on critical findings
F-02 Guard Grug, wearing a stone helmet, arms crossed
F-02 · GUARD

Guard

SCA, secret scanning, SAST on the diff, hourly CVE feed. Quarantines evil dependencies before they reach main.

  • NIST + OSV + GHSA feeds merged
  • Inline secret revoke + rotate hint
  • License compliance gate (GPL/AGPL/MIT/...)
F-03 Elder Grug, grizzled with white hair
F-03 · ELDER

Elder

Style, naming, complexity, test coverage, dead code. "Strong code only" is the motto. Grumpy but fair.

  • Cyclomatic + cognitive complexity caps
  • Per-file test coverage thresholds
  • Style profiles or BYO ruleset
F-04 Chief Grug, wearing a skull-and-feather crown
F-04 · CHIEF

Chief

Definition of Ready, sprint burndown, stale-PR pulse, milestone roll-ups. Project management without leaving the repo.

  • 5-check DoR · strict / lenient modes
  • Burndown chart on every release branch
  • Auto-pings reviewers blocked > 48h
F-05 Warder Grug, shaman with a glowing staff
F-05 · WARDER

Warder

Stand at cave mouth. Drafts the changelog from merged PRs, picks semver, gates the deploy on staging health, posts release notes to Slack. Bad release not get past warder. Virus not infect tribe.

  • Conventional Commits or freeform
  • Semver hint: major / minor / patch
  • Deploy gate on Datadog SLO breach
BYOG Hooded Grug — bring your own persona
CUSTOM

Bring your own Grug.

Define a persona in YAML or TS. Hook into the same Check Run pipeline. Grug ecosystem, your rules.

  • grug.config.ts in repo root
  • Reuse Grug's diff parser + GitHub plumbing
  • Publish to the marketplace if you want
04 · skill marketplace

Teach Grug a new trick.
Or a new tie.

// Drop-in skills extend Grug. Some are capabilities (Terraform plan review, GraphQL breaking-change). Some are cosmetic skins. Classic Grug is free forever.

// Two kinds of skills. Capabilities are extra checks Grug runs on your PRs — turn them on and Grug starts reviewing that thing too. Skins just change how Grug looks and talks.

CAPABILITY

Terraform Reviewer

Grug reads your Terraform changes before you apply them. Yells if you're about to delete a database, change permissions, or break something already running.

$6/mo
CAPABILITY

API Breaking-Change Guard

Watches your GraphQL or OpenAPI schema. If a PR removes a field or renames a type that callers still use, Grug blocks the merge until someone owns the migration.

$5/mo
CAPABILITY

Accessibility Checker

Renders any UI components your PR touched and checks contrast, labels, and screen-reader behaviour. Won't let you ship a button no one can read.

$4/mo
CAPABILITY

Database Migration Sitter

Reads your Postgres or MySQL migrations and warns about ones that lock big tables, can't be re-run, or have no rollback. Catches the migrations that take prod down at 2am.

$5/mo
Classic Grug
SKIN INCLUDED

Classic Grug

Caveman. Wooden club. Orange polka-dot vest. The Grug your repo deserves.

FREE
Professional Grug, suit and tie
SKIN

Professional Grug

Suit and tie. Replaces caveman speak with passive-aggressive memos. For repos that take themselves seriously.

$4/mo
Mullet Grug, business in front, party in back
SKIN PACK

Mullet, Mohawk, Bald

Three haircuts and a leather jacket. Includes a "club smash" reaction GIF.

$9 once
Custom Grug
CUSTOM

Custom Reactions

Bring your own emoji set and override Grug's failure copy. For in-jokes and angrier teams.

$3/mo
05 · the dashboard

Sign in. Toggle. Done.

// After GitHub OAuth you land here. Three columns: repos, personas, configuration. No yaml. No setup wizard.

grug.lol/dashboard
signed in as @you
Installed repos: 7
api-gateway · your-org/ · 142 PRs
grug · githumps/ · 38 PRs
edge-router · your-org/ · main
platform-api · your-org/ · paused
retro-archive · your-org/ · main
+ Add repository
Active personas · api-gateway
📁 your-org/api-gateway · main
Chief — Definition of Ready
Blocks merge until DoR passes. 5 checks · strict mode
312 runs / mo · 98% pass-rate · 1 blocking now
Elder · beta waitlist
Comment-style review for naming, tests, complexity
est. release · Q3 · BYO model key
Warder
Ward off bad release · changelog, semver, deploy gate
coming soon
Stuck-PR Pulse
Nudges stale PRs · highlights blocked reviewers
coming soon
Grug configuration
Active skin
Daily PR-check budget: 19 / 50 used today · 38%
Failure tone: CAVEMAN · PROFESSIONAL · DEADPAN · CUSTOM…
Customize Grug →
06 · pricing

Pay Grug, or be Grug.

// Self-host is free forever — Grug is AGPL-3.0. SaaS tiers exist because someone has to pay the AWS bill.

Free
$0/forever
  • 50 PR checks / day
  • Classic Grug skin
  • 1 persona (Chief)
  • 1 repo
  • Custom reactions
  • Multi-org
Sign up →
GRUG PICK
Pro
$12/mo · per seat
  • Unlimited PR checks
  • All personas
  • Up to 10 repos
  • Professional Grug skin
  • Custom reactions add-on
  • Audit logs
Start Pro →
Org
$48/mo · org
  • Everything in Pro
  • Unlimited repos
  • Multi-org
  • Audit logs · SAML
  • Priority support
  • Custom personas (beta)
Talk to Grug →
Self-host
$0 + AWS bill (~$2/mo)
  • AGPL-3.0 source
  • Pulumi up · 15 min
  • Your data, your VPC
  • All features unlocked
  • Hosted SLA
  • Skill marketplace
Read the docs →
07 · grug speak

What Grug say.

// Lifted verbatim from real check-run output. Unedited.

"You import lodash 4.17.20. Lodash 4.17.20 have hole. Hole let bad man in cave. Grug not let bad man in cave. Grug block."
— GUARD persona · CVE-2026-1144 · blocking
"resolveTree() have eighteen branch. Grug brain have ten branch. If Grug brain explode, you fix. Refactor."
— ELDER persona · run #20114 · warning
"Bug in parser.go line 142. Body of request maybe nil. You crash on Tuesday. Grug fix Monday. Grug heroic."
— SMASHER persona · run #20119 · blocking

Stop merging half-baked PRs.

Install Grug on GitHub → Read the source