In the last few weeks, code reviews with Qodo Merge got a big boost with the latest updates. From contextual conversations in code suggestions to personalized best practices and deeper insights, there’s a lot to explore.

Qodo Gen also introduces the MCP Allow List, giving organizations tighter control over which custom tools (MCPs) can be used in their environments—adding a critical layer of governance and security for AI-assisted development.

Smarter conversations with the Qode Merge agent

The Qodo Merge agent is now more than just a responder—it’s an orchestrator agent. In the latest update, the agent can choose the best course of action based on your comment, selecting between commands like /implement, /ask, or /help commands automatically.

This change simplifies how users interact with Qodo Merge in code suggestion threads:

• Chat-enabled suggestions: When a user runs the /improve command or ticks “Apply / Chat” on a generated recommendation, Qodo Merge opens a dynamic inline discussion.
• No manual commands needed: Once the conversation begins, Qodo Merge listens and replies to follow-up comments without needing tool-specific commands.
• Integrated documentation: Replies from Qodo Merge often include helpful links via the /help command for quick reference.

This feature is now live for users on GitHub and GitLab, enabling seamless in-line discussion within code suggestions (docs).

Enhanced Bitbucket support and RAG expansion

We recently released support for retrieval-augmented generation (RAG) in Qodo Merge, bringing full codebase context-awareness to code reviews. For enterprise teams working on complex projects with large codebases, this change makes a big difference. It doesn’t just improve the accuracy of AI suggestions—it also helps reviewers, who are often looking at code they didn’t write, understand how each pull request fits into the bigger picture.

Released first for GitHub, RAG capabilities are now extended to Bitbucket Data Center (DC) server deployments for our enterprise customer. To learn more, book a demo with us. (docs)

In addition, we’ve expanded Bitbucket support more broadly:

• Manual “More Suggestions” support has been added for Bitbucket Cloud, Bitbucket Data Center, as well as older versions of GitLab Server. This allows users to request additional Qodo Merge suggestions even without interactive button support. See how it works.
• Implemented suggestions now show impact in Bitbucket DC. Suggestions that are applied will be marked with a ✅, and Qodo Merge will log it for better visibility into suggestion adoption.
• We also updated the Bitbucket DC plugin to support pr:merged events, enabling more accurate tracking and usage analytics.

Generate best practices from past pull request discussions

If you’ve ever wondered what your team’s code review habits say about your development process, the new scan_repo_discussions tool might have some answers. It looks at review comments from merged pull requests over the last 12 months and pulls out patterns that highlight how your team collaborates. From there, it generates a best_practices.md file that captures insights tailored to your actual workflow. This file feeds directly into Qodo Merge, helping it offer smarter, more relevant suggestions in future PRs.

To get started, your repo needs to have at least 50 merged PRs, since the tool needs a solid amount of data to work with. Once installed, the tool runs automatically and generates an initial best_practices.md file based on the latest 250 PRs. You can also trigger it manually at any time by commenting /scan_repo_discussions on any PR. A few minutes later, you’ll receive a new pull request with the generated best practices file.

And this isn’t a one-and-done thing—you can keep editing and refining the file as your team grows and evolves. It’s a lightweight way to turn everyday code reviews into lasting improvements. (docs)

MCP allow list: centralized control for secure MCP usage

Qodo Gen now supports an MCP Allow List—a security feature designed to enforce centralized control over which Model Code Providers (MCPs) can run in your development environment. While custom MCPs enable powerful workflows, they can also introduce security vulnerabilities if not properly validated. With the allow list enabled, only pre-approved MCPs explicitly registered by the organization are permitted to run. All other MCPs, including potentially compromised ones, are blocked by default.

This feature ensures that developers operate within a trusted set of tools without needing to manually manage risk. Admins can define which MCPs are approved at the organization level and optionally configure shared environment variables. Developers still retain flexibility to override these variables locally where needed. The allow list applies to all supported Qodo environments, including Codogen, and is especially critical in enterprise settings.

To learn how to configure and register MCPs for your organization, refer to the setup guide here.