MCPFind's devtools category sits at 3,616 servers as of May 2026. A small slice of that pile actually helps with code review: catching defects in a PR, applying a team style guide, flagging a vulnerable new dependency, or working out what else a change might break. The HEALTHY-tier candidates, ranked by stars, are GitHub MCP (12,000+), rsdoctor (1,144), Packmind MCP (247), Code Pathfinder (113), Sonatype Dependency Management MCP (69), and CodeScene MCP (32). I compared them on four axes: how cleanly they fit a PR workflow, how well they enforce documented standards, what they catch on the security side, and whether they say anything useful about long-term code health. Browse the full set at the MCPFind devtools category.
Selection Criteria
Two filters did most of the work. First, HEALTHY classification in the MCPFind quality audit, which means at least 50 GitHub stars (or vendor-official status) plus a commit in the prior 90 days. GitHub MCP gets one carve-out: 12,000+ stars on github.com/github/github-mcp-server, but the MCPFind entry hasn't been enriched with that count yet. It's in on official-vendor status and obvious adoption. Second, code quality or PR review had to be the actual reason the server exists, not a side effect of something broader. Star counts are from the MCPFind directory snapshot taken May 20, 2026.
Comparison Table
| Server | Stars | Transport | Auth | Read/Write | Best for |
|---|---|---|---|---|---|
| GitHub MCP | 12,000+ | stdio | PAT / GitHub Apps | R+W | PR diffs, review comment creation |
| rsdoctor | 1,144 | stdio | None (local) | R | Rspack/webpack bundle quality analysis |
| Packmind MCP | 247 | stdio | API key | R+W | PR review against team coding standards |
| Code Pathfinder | 113 | stdio | None (local) | R | Impact analysis, caller mapping, AST queries |
| Sonatype Dependency MCP | 69 | stdio | None (OSS) / API key (IQ) | R | Dependency vulnerability scanning |
| CodeScene MCP | 32 | stdio | API key | R | Hotspot analysis, code health, complexity trends |
GitHub MCP
GitHub publishes and maintains this one directly at github.com/github/github-mcp-server. For an AI-assisted PR review loop on GitHub, it's where everything starts. The server wraps GitHub's REST and GraphQL APIs as typed MCP tools, so an agent can pull diffs, read file contents, walk review threads, check CI status, and post review comments without leaving the chat. Open source, MIT license, commits landing weekly.
Four tools do the heavy lifting for code review. get_pull_request returns the full diff plus metadata (base branch, CI status, reviewer assignments). get_pull_request_files lists every changed file with its patch. create_review_comment puts an inline comment on a specific line of the diff. submit_pull_request_review submits the whole review with APPROVE, COMMENT, or REQUEST_CHANGES. Chained together, those four let an agent fetch a PR, reason over each changed file, and post a structured first pass with specific line comments in one loop.
Reach for this when your team lives on GitHub and you want the agent either summarizing what a PR changes or actually leaving comments that show up in the thread. It pairs with every other server in this list: the others do the analysis, GitHub MCP does the delivery. Auth is a fine-grained personal access token scoped to specific repos and operations, or a GitHub Apps installation if you're rolling this out across an org.
Skip it if you're on GitLab, Bitbucket, or Azure DevOps. GitHub MCP only talks to GitHub. For multi-provider teams, GitKraken GK-CLI (covered in the Repo Intelligence listicle) gives you cross-platform PR access, though with less depth on the review-action side.
12,000+ stars on github.com/github/github-mcp-server. The MCPFind directory star count is pending enrichment, but maintenance is strong: open issues see responses within days. Apache 2.0 license.
Setup Snippet
{
"mcpServers": {
"github": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_yourtoken"
}
}
}
}rsdoctor
rsdoctor sits at github.com/web-infra-dev/rsdoctor, maintained by the Rspack ecosystem team. It's a build analyzer and code quality diagnostic tool for Rspack and webpack projects, and at 1,144 stars on MCPFind it's the most adopted specialized analyzer in the HEALTHY devtools tier. Worth saying upfront: this one stretches the definition of "code review." rsdoctor doesn't look at diffs or post comments. What it does is answer build-quality questions about a PR, which often go unasked because answering them takes a separate CLI run. The MCP server wraps rsdoctor's analysis so an agent can query bundle composition, module dependency trees, duplicate package detection, and build performance from inside a review conversation. Last push March 24, 2026.
The tools give an agent build-time signals that rarely show up in PR review today. analyze_bundle runs the full bundle analysis and returns a structured report on module sizes, chunk composition, and tree-shaking effectiveness. find_duplicate_packages flags the same package appearing at multiple versions in the dependency graph, a quiet source of bundle bloat that creeps in when a new library brings its own transitive deps. get_module_graph returns the full dependency graph for an entry point, useful when a PR adds a new import and you want to know what it pulls in behind it. analyze_build_performance surfaces which loaders and plugins are eating the most build time, which catches slow additions before they compound across CI runs.
The specific workflow this fits: a PR adds a new library and the reviewer wants to know the actual cost. Does it ship 800KB to the client. Does it duplicate something already in node_modules at a different version. What does the import graph look like after this lands. Those questions almost never get answered in review today because nobody's going to run the analyzer manually for every PR. With rsdoctor wired in, the agent answers them as part of the first pass.
It won't help with source-level concerns. rsdoctor reads the build output, not the code itself, so it has nothing to say about style, complexity, or correctness. It also only covers Rspack and webpack. If your project is on Vite, Turbopack, or an esbuild-based setup, this isn't the right tool.
1,144 stars, last push March 24, 2026. Maintained by the Rspack team (ByteDance open source). MIT license. Open issues get active responses.
Setup Snippet
{
"mcpServers": {
"rsdoctor": {
"command": "npx",
"args": ["-y", "@rsdoctor/mcp-server"],
"env": {
"PROJECT_ROOT": "/path/to/your/project"
}
}
}
}Packmind MCP
Packmind (247 stars on MCPFind, at ai.packmind/mcp-server) fills a gap no linter covers. ESLint enforces JavaScript conventions. TypeScript checks types. Neither one knows your team decided to put error handling inside the use-case layer, or that all repository methods return Result types, or that domain events go through the bus rather than direct calls. Those rules live in Confluence pages, ADRs, and Notion docs that reviewers are supposed to remember and don't, consistently. Packmind reads from a workspace where those guidelines are stored and applies them to a PR diff, returning specific violations with suggested fixes. Last push March 24, 2026.
packmind_review_pr takes a repo and PR identifier and returns the list of guideline violations found in the diff, organized by file and line number. packmind_get_guidelines pulls your team's full rule set as structured data, which is helpful when the agent needs to explain why a pattern is required rather than just flag the violation. packmind_suggest_fix generates a proposed code change for a specific violation that the agent can either apply directly or surface as a review comment through GitHub MCP. End to end: GitHub MCP fetches the diff, Packmind applies the rules, GitHub MCP posts the comments. The human reviewer sees structured feedback before they open the file.
The right pick if your team has already put the work in to document standards and wants the enforcement step automated. Teams that run regular architecture reviews, maintain an engineering handbook, or have style guides that pre-date their linter setup are the natural fit. You'll get the most out of this when the gap between "what's written down" and "what actually lands in PRs" is already friction your reviewers feel.
Packmind doesn't ship its own rules. It applies the rules you defined. Teams without written standards have nothing to enforce, and a generic linter or static analysis tool is a better starting point. Packmind is the automation layer on top of standards work you've already done.
247 stars, last push March 24, 2026. Auth is a Packmind API key generated from your workspace settings. Commercial product with a free trial and per-seat pricing for teams. Issues see responses from the Packmind team.
Setup Snippet
{
"mcpServers": {
"packmind": {
"command": "npx",
"args": ["-y", "@packmind/mcp-server"],
"env": {
"PACKMIND_API_KEY": "your-api-key"
}
}
}
}Code Pathfinder
Code Pathfinder comes from the team at codepathfinder.dev (113 stars on MCPFind). It answers the question every reviewer has to mentally answer before approving anything that touches shared code: what breaks if this lands. Instead of scanning text, it parses source at the AST level, so structural queries return precise answers. Every call site of a function. Every class that implements an interface. Every module that depends on the file you're about to change. These are the questions that matter most when a PR touches a shared utility or modifies a public API signature. Last push March 24, 2026.
pathfinder_find_callers returns every call site for a given function across the codebase, the tool to reach for before approving a change to any function other code depends on. pathfinder_find_symbol locates function definitions, class declarations, and variable assignments by name. pathfinder_find_implementations lists every concrete class or function that implements an abstract interface, which matters when a PR adds a field to an interface and every implementation site needs updating. pathfinder_dependency_graph returns a module-level dependency map showing which files import which others, useful when you're estimating the blast radius of a structural change.
The specific reviewer workflow that fits: a PR modifies a utility function used in a dozen places. Before approving, you want to know that every caller handles the new behavior correctly. Code Pathfinder lists each caller with file and line number, and the agent (or the human) walks through them. That's a mechanical task that usually means grep plus careful reading; Code Pathfinder answers it as a typed query.
There's nothing here for PR state, comment delivery, or standards enforcement. The scope is the local codebase. It works on code sitting on disk and has no GitHub connection. Pair it with GitHub MCP when you need both impact analysis and the ability to post review comments in one conversation.
113 stars, last push March 24, 2026. Runs locally, no credentials needed. Open source. Documented language support: TypeScript, JavaScript, Python, and Go.
Setup Snippet
{
"mcpServers": {
"code-pathfinder": {
"command": "npx",
"args": ["-y", "@codepathfinder/pathfinder-mcp"]
}
}
}Sonatype Dependency Management MCP
Sonatype publishes this one at github.com/sonatype-nexus-community/mcp-sonatype (69 stars). It connects Sonatype's component database to the review workflow. Sonatype built the OSS Index, a free vulnerability database covering millions of open-source components across Maven, npm, PyPI, NuGet, and the rest. The MCP server exposes that database as typed tools so an agent can check every new dependency in a PR against known CVE records and license policy. The MCP layer hasn't seen a push since January 14, 2026, which sounds stale but isn't quite: the actual vulnerability data lives in the OSS Index service and updates continuously, independent of the MCP server's release cadence. The tools are stable enough that they don't need monthly pushes.
check_component takes a package identifier (name plus version, in the ecosystem's format) and returns the OSS Index report: CVE identifiers, severity scores, affected version ranges, and whether the installed version is patched. analyze_manifest accepts a package manifest file (package.json, pom.xml, requirements.txt) and returns a full report for every dependency at once, which is the tool to run against the diff when a PR modifies a manifest. For teams running Sonatype Lifecycle (the commercial product), policy_evaluation runs the component list against your organization's defined license and security policies and returns pass/fail per component.
Security-aware teams reviewing PRs that touch dependencies should have this in the stack. The pattern works like this: GitHub MCP pulls the changed manifest out of the PR diff, Sonatype checks every new or updated package for CVEs, the agent surfaces any findings before merge. It catches the case where a routine dependency update quietly brings in a transitive package with a known exploit, the kind of thing a reviewer won't spot reading the diff.
Teams working exclusively with private or internal packages won't get coverage from OSS Index, which only tracks public open-source components. The server is also read-only by design. It reports findings, but remediation belongs upstream in the development workflow.
69 stars, last push January 14, 2026. OSS Index queries are free with no API key needed; Sonatype IQ Server integration requires a commercial license. Open source, Apache 2.0.
Setup Snippet
{
"mcpServers": {
"sonatype": {
"command": "npx",
"args": ["-y", "@sonatype/mcp-server"],
"env": {
"OSS_INDEX_USERNAME": "your-email",
"OSS_INDEX_TOKEN": "your-oss-index-token"
}
}
}
}CodeScene MCP
CodeScene comes from Empear (32 stars, at github.com/codescene-oss/codescene-vscode) and takes a longer-horizon view than the others here. Instead of looking at style or vulnerabilities, it identifies where in the codebase problems tend to recur, based on change history and complexity analysis. The core idea is that technical debt clusters in predictable places: files that change frequently and carry high cyclomatic complexity are the ones that slow teams down and produce most of the bugs. The MCP server surfaces those signals as typed queries so an agent can fold CodeScene's health data into a review. Last push March 24, 2026.
analyze_file_health takes a file path and returns CodeScene's code health score along with the specific issues driving it: deeply nested logic, oversized functions, missing function abstractions, high coupling. get_hotspots returns files ranked by change frequency combined with complexity, the combination that predicts where defects are most likely to cluster. get_refactoring_targets surfaces specific functions or modules CodeScene identifies as high-priority cleanup candidates based on health trends over time. For teams running CodeScene's commercial platform, get_delivery_risk returns a risk assessment for a set of changed files based on their historical defect correlation.
The fitting workflow: a PR touches a file already flagged as a hotspot, or pushes a module's complexity score past a threshold. CodeScene lets the agent surface that context in the review, so the human reviewer sees the quality signal alongside the diff. That's a different category of feedback than a linter flag. It's historical context about how much trouble this file has caused before.
CodeScene doesn't catch bugs or enforce style. It surfaces complexity and health trends. Teams without an existing CodeScene account need to set one up before the MCP server has data to return. A fresh codebase with no analysis history has nothing to query against. The platform is commercial; small teams use the free tier.
32 stars, last push March 24, 2026. Auth is a CodeScene API key. Commercial product with a free tier. Issues see responses from the Empear team.
Setup Snippet
{
"mcpServers": {
"codescene": {
"command": "npx",
"args": ["-y", "@codescene/mcp-server"],
"env": {
"CODESCENE_API_KEY": "your-api-key",
"CODESCENE_URL": "https://app.codescene.io"
}
}
}
}How to Choose: Decision Framework
The first decision isn't which server, it's what you want the agent to do during a review. If you want comments posted on the PR thread itself, GitHub MCP is the only server here that can write back to GitHub. Every other server does analysis and hands back findings, but turning those findings into actual review comments needs GitHub MCP in the chain. If you'd rather just have a summary in chat, you can skip it.
For rule violations specific to your engineering standards, Packmind is the right layer. It catches the documented patterns generic linters miss. The catch is the prerequisite: those standards have to exist in written form. If a rule isn't in the workspace, it can't be checked. Teams that are still figuring out their standards are better off writing them down first and wiring Packmind in once they're stable.
Dependency security belongs in every review stack where PRs can touch package manifests. OSS Index is free, covers Maven, npm, PyPI, and NuGet, and runs without an API key. Adding Sonatype to the chain means a dependency update that quietly imports a CVE gets caught automatically rather than relying on a reviewer to spot it. Low setup, high payoff.
For larger codebases where "what else does this change affect" is genuinely hard to answer quickly, Code Pathfinder handles the AST-level impact query. Run it against functions or interfaces being modified and you get a precise list of call sites and implementations. CodeScene adds the longitudinal dimension: which files have been the most problematic historically, and does this PR touch any of them. The two are complementary rather than overlapping. Code Pathfinder tells you what this change touches now; CodeScene tells you whether what it touches has been trouble before.
rsdoctor is the specialist pick. If you ship a webpack or Rspack bundle and bundle quality is something you'd actually act on in review (size budgets, duplicate packages, dependency-graph surprises), it adds real signal. If your stack is Vite or esbuild, skip it. If bundle quality isn't part of the review conversation, skip it.
To browse all servers in the MCPFind devtools category with the star filter set to 50+, the current adoption leaders in adjacent areas (CI/CD integration, local code execution, multi-language analysis) are visible alongside the code review tier. The category grows weekly as new servers are submitted.
Adam Bush
Gus Marquez