Qodo is a paid AI code review and code-generation platform for pull requests and IDEs. It offers no permanent free plan, prices access through pooled team credits rather than flat per-seat fees, and has a documented multi-year security disclosure history that reached remote code execution before being fixed.
Qodo started in 2022 as CodiumAI and rebranded to Qodo in September 2024, alongside a $40 million Series A round. The company's main product, Qodo Merge, reviews pull requests automatically on GitHub, GitLab, Bitbucket, and Azure DevOps. A companion IDE extension, Qodo Gen, adds in-editor code generation, chat, and test writing for VS Code and JetBrains. A third product, Qodo Cover, generated unit tests as a standalone agent but is now in limited or discontinued status. As of mid-2026, Qodo prices all of this through a single credit-based plan rather than separate products, and there is no permanent free tier.
Add the Qodo app to GitHub, GitLab, Bitbucket, or Azure DevOps, or install the Qodo Gen extension for VS Code or JetBrains.
Opening a pull request triggers Qodo Merge's review pipeline, which checks the diff for bugs, standards violations, and risk, then posts a structured comment within minutes.
Each flagged issue includes an explanation and a remediation prompt that can be pasted into an AI coding assistant to fix it.
Inside VS Code or JetBrains, Qodo Gen's Agent Mode and slash commands such as /review, /improve, and /test can generate code, answer questions about the codebase, and write unit tests.
EDITORIAL NOTEApplied a modest negative adjustment for the documented 2024-2025 vulnerability chain that reached remote code execution and a twice-leaked, unrotated AWS admin key; the issue was fixed with no evidence of exploitation found, but the response timeline warrants caution beyond what the subscores alone capture.
AI synthesis of external reviews · not on bestaiq
Synthesized from 6 external reviews. Independent signal (Trustpilot / Reddit / verified aggregators) weighted higher than commission-carrying review sites.
No. Qodo's own FAQ states it does not offer a permanent free tier. New users get a 14-day free trial with no credit card required and unlimited credits during that window; after the trial, a paid Pro Team or Enterprise plan is needed. Qualifying open-source projects can apply separately for free access.
Pro Team plans are credit-based and pooled across up to 30 users, starting at $30/month for 2,500 credits and going up to $240/month for 20,000 credits, at a flat rate of $0.012 per credit. Credits do not roll over between monthly cycles. Enterprise pricing is custom and requires contacting sales.
It depends on the plan. Qodo says paid and trial-period code is never used to train its models. Free-tier code is used to improve its models by default, with an opt-out available in the user portal.
Qodo Cover was a standalone test-generation agent launched as a free preview for Python projects in December 2024. Its open-source repository now carries a notice that it is no longer maintained, and it is not listed on Qodo's current pricing page.
Yes. A security researcher disclosed vulnerabilities in Qodo Merge at the 38C3 conference in December 2024, and a more detailed writeup published in January 2026 described an exploit chain that reached remote code execution and an AWS admin key that was leaked twice. Qodo confirmed and fixed the issues, and says it found no evidence the vulnerabilities were exploited or that customer data was accessed.
CodiumAI was the company's original name before its September 2024 rebrand to Qodo. Qodo Merge is the pull request review product, built on the open-source PR-Agent project, and Qodo Gen is the IDE extension for code generation, chat, and test writing. As of mid-2026, both are covered by the same unified pricing plans rather than priced separately.
Qodo automates a meaningful part of pull request review and offers real deployment flexibility for enterprises, but it charges for all of it from day one, with no free tier beyond a two-week trial. Its accuracy claims are self-reported, and its security history includes a serious, since-fixed vulnerability chain. Teams should weigh the credit-based pricing and confirm current data-training terms for their plan before rolling it out broadly.