Inside Clerk’s 40% faster merge workflow with CodeRabbit

40% Faster Merge Times

Enhanced Security & Spec Compliance

70% of bug findings accepted

Higher Developer Confidence & Productivity

Overview

For Brandon Romano, Senior Staff Software Engineer at Clerk, shipping authentication and user-management infrastructure means zero tolerance for security lapses or spec violations.

But that can be hard when working across distributed time zones. Benjamin Werner, a Software Engineer on the team, recently drove significant OAuth work but struggled to get timely early reviews since he was collaborating with teammates in Europe and around the world.

Before CodeRabbit, Clerk’s review process was entirely human and was still constrained by reviewer availability and geography. They wanted to improve their code review process so they could catch minutiae and edge cases earlier, get reviews while teammates in other time zones were asleep, and raise the overall confidence in their team’s shipped code.

Challenge: Scale quality without slowing down

The cost of issues and bugs was significant: Clerk handles authentication, user data, and standards-driven protocols like OAuth. A weak encryption configuration or an off-spec error code can pose significant security and compliance risks. It could also erode trust in Clerk’s solution. Their review process needed to be as thorough as possible.

Need for early reviews: Even in a responsive team culture, it was hard to get quick reviews, especially on early-stage work. “Humans who are busy take time to review PRs and that means it’s a longer time to first feedback,” Brandon noted. That was complicated even more by the fact that some team members at Clerk work remotely from Europe. Without an always-on first reviewer, subtle bugs could slip through from early-stage code into PRs or production, creating costly rework cycles.

Reviewers wanted to focus on higher-level issues: “When I’m reviewing somebody’s code and I see a for loop, I’m just going to assume that they’ve done this correctly, there are 400 other lines of code,” Ben explained. But subtle off-by-one or edge condition errors are easy to miss when reviewers focus on architecture and design. Clerk wanted a solution that would automatically check for common mistakes so their reviewers could focus on higher-level tasks.

  • 95% of PRs receive an initial review within minutes
  • 40% faster merge workflow
  • 70% acceptance of flagged bugs

Why Clerk loves CodeRabbit

Catches hard-to-find security issues

One thing Clerk likes about CodeRabbit is that it repeatedly flags security issues, helping them improve their security posture. For example, Brandon was implementing AES-256-CBC symmetric encryption when CodeRabbit flagged a weakness in how it was configured. "I accidentally introduced a bug that would have passed in a static initialization vector into our encryption service, and CodeRabbit caught the issue," Brandon explained. A static IV in symmetric encryption can weaken the encryption's effectiveness, a subtle mistake that's easy to overlook when human reviewers are concentrating on architecture and logic.

It increased our security posture.

Brandon Romano, Senior Staff Software Engineer

This prevented a configuration that could have weakened Clerk's data protection.
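
An added example, not Clerk's or CodeRabbit's code, of why the static IV described above matters in AES-256-CBC: with a fixed IV, records that begin with the same plaintext produce identical leading ciphertext blocks, while a fresh random IV per message removes that pattern. The key, the sample records and the helper names `encryptCBC` and `sharedBlocks` are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize
// encryptCBC (hypothetical helper) returns iv || ciphertext; a nil iv means "generate a random one".
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if iv == nil {
		iv = make([]byte, bs)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
	}
	n := bs - len(plaintext)%bs // PKCS#7 padding length
	out := append(append(append([]byte{}, iv...), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], out[bs:]) // encrypt in place
	return out, nil
}

// sharedBlocks counts the leading ciphertext blocks (after the IV) two messages have in common.
func sharedBlocks(a, b []byte) int {
	n := 0
	for i := bs; i+bs <= len(a) && i+bs <= len(b) && bytes.Equal(a[i:i+bs], b[i:i+bs]); i += bs {
		n++
	}
	return n
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                         // constructed AES-256 demo key, not a real secret
	m1 := []byte("tenant=acme;user=alice@example.com;role=admin") // constructed records
	m2 := []byte("tenant=acme;user=alice@example.com;role=guest")
	staticIV := make([]byte, bs) // the bug: one fixed IV reused for every message
	s1, _ := encryptCBC(key, staticIV, m1)
	s2, _ := encryptCBC(key, staticIV, m2)
	r1, _ := encryptCBC(key, nil, m1)
	r2, _ := encryptCBC(key, nil, m2)
	// Prints 2 for the static IV and 0 for random IVs.
	fmt.Println("identical leading blocks, static vs random IV:", sharedBlocks(s1, s2), sharedBlocks(r1, r2))
}
```

The example isolates the IV behaviour only; CBC on its own provides no integrity protection.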

Helps with standards compliance

Another area where CodeRabbit has been helpful is flagging standards compliance issues. Ben was building an OAuth endpoint and returning an error code, but it was not the correct error code, and CodeRabbit caught that. The tool’s ability to cross-check against published OAuth specifications proved "really useful" for maintaining protocol compliance.

Minutes to feedback

Another benefit has been how quickly CodeRabbit can provide feedback – including in IDEs and CLIs.

"I personally find it really nice that the time first to review is now minutes. I can fix it in my editor before I waste any time," Brandon explained.

CodeRabbit acts as an always-on CI system, catching issues before human reviewers even see the PR. Ben shared: “95% of the PRs that I open, I can get a review really quickly. But we're a global team and recently I was working on a piece of code that someone in Europe wrote. I wanted him to review the PRs. Before CodeRabbit, I would open the PR, then I'd wait until the next day for him to review it, and then I would fix it. But with CodeRabbit, I can get a first pass review and save a whole day.”

Frees humans up to focus on design and architecture

CodeRabbit checks if the code actually does what it claims and flags edge cases. Taking care of this part of the review lets reviewers operate at a higher level of abstraction. Brandon even values CodeRabbit’s “non-actional” comments because they force reflection. Even dismissed suggestions create opportunities for documentation or clearer code. “It forces me to reflect on my code, where maybe I need to add a comment because it is actually unclear,” he shared. The time CodeRabbit saves him also frees him up to do more. "Merging code allows me to focus on other tasks," Brandon explained. "Each unmerged pull request is another plate I'm balancing." The faster PRs merge, the less context-switching he has to deal with, and the more he can focus on building new features.

Learnings that stick

Clerk loves that CodeRabbit adapts to their team’s specific patterns without requiring manual configuration. All they have to do is respond naturally in PR threads. But Brandon finds that CodeRabbit also helps him learn. "I consistently apply what I've learned from CodeRabbit comments. By responding within the same interface, I find that the same types of issues rarely reappear," Brandon shared.

Results: Measurable improvements across the development lifecycle

40% faster merges

Thanks to CodeRabbit, the Clerk team was able to merge their PRs 40% faster. Brandon credits CodeRabbit for catching bugs early, before they trigger rejection cycles. “CodeRabbit catches bugs before they reach human reviewers, issues that would have gotten flagged as 'you need to fix this before I approve,'” Brandon explained. Instead of the typical back-and-forth, developers fix issues flagged by CodeRabbit in minutes, then get a clean human review focused on design and architecture, rather than bugs. Ben agrees that CodeRabbit helps reduce their review time. “It makes me more confident in my PRs and I save a lot of time in reviews,” Ben shared. “That means I can spend my time on more important parts of the review cycle.”

70% acceptance rate on potential bugs

CodeRabbit is also extremely accurate at flagging bugs. Brandon noted, "CodeRabbit probably catches one to three things per day that I accept." Clerk’s 70% acceptance rate of all potential bugs CodeRabbit flags shows the tool has earned trust. Developers read the comments and implement the suggestions, making Clerk’s applications safer.

Reduced cognitive overhead for code reviewers

Thanks to CodeRabbit, Brandon's changed how he reviews code: "I can kind of skim a little bit heavier and focus a little bit more on the design-oriented comments." CodeRabbit handles the tedious stuff, checking syntax, catching off-by-one errors, so that senior engineers can spend their time on what actually requires human judgment: architecture decisions, API design, and how everything fits together.

Preventing "paper cuts" that compound over time

CodeRabbit's ability to catch bugs during active development, when context is fresh, prevents the expensive context-switching that comes from debugging production issues weeks later. “It catches the bugs when you're already thinking about the code, not two months down the line when you've forgotten what the code does. It identifies issues as you're actively working on the code, rather than discovering them months later when the code's purpose is no longer fresh in your mind,” shared Brandon.

CodeRabbit = Confidence & velocity for security-critical infrastructure

Before CodeRabbit

  • Subtle bugs and spec violations slipped through
  • Reviewers spent time on correctness instead of design
  • Multiple review cycles delayed merges

After CodeRabbit

  • 40% faster merges with instant AI feedback
  • 70% of bug findings accepted = trusted reviews
  • Security and spec issues caught early
  • Reviewers focus on architecture, not syntax

For Clerk, CodeRabbit is the ideal tool for augmenting human reviews. It catches subtle bugs, security weaknesses, and spec violations before they cost a day of back-and-forth or, worse, ship to production.

What sets CodeRabbit apart in Clerk's security-focused environment is its ability to understand not just syntax but specifications, from OAuth error codes to cryptographic best practices. As Brandon emphasized, "CodeRabbit excels at understanding published specifications. It'll catch when you're doing something off spec, which is incredibly useful." The platform's success at Clerk shows how fast-moving teams with strong review cultures can benefit from an always-on first reviewer.

Since adopting CodeRabbit, our confidence is up and our bugs are down; it catches the edge cases humans skim past and helps us merge faster with more confidence.

Brandon Romano, Senior Staff Software Engineer

By handling routine correctness checks and catching edge-case bugs in complex control flow, CodeRabbit lets Clerk's developers focus on what they do best: building secure, performant authentication infrastructure.

San Francisco, United States

https://www.clerk.com/

Team size

100+

Languages

Go, JavaScript/TypeScript

Challenge

Maintain high code quality and security standards while accelerating review cycles across multiple time zones.
