
SpaceX Bought Cursor: Your Review Gate Can't Live There
GitHub announced on June 16 that Code Quality becomes generally available on July 20, 2026. It stops being free. The base price is $10 per active committer per month on any repository where Code Quality is enabled, plus usage-based charges for AI features and Actions minutes for CodeQL scans.
More than 10,000 enterprises used the public preview. Many of them now face a purchase decision before July 20, or they need to disable it to avoid charges. This article breaks down what Code Quality actually gates, what it doesn't review, and why the distinction matters for teams evaluating the spend.
The billing has three components, and they stack.
$10 per active committer per month is the base license. An "active committer" is anyone who pushed a commit to an enabled repository in the last 90 days, regardless of when the commit was authored. This covers access to findings, scoring, rulesets integration, quality gates that block PRs, organization-wide deployment, and the quality dashboards.
AI-powered features are billed on consumption via GitHub AI Credits (1 credit = $0.01 USD). This applies to Copilot code review on PRs, AI-assisted detection, and Copilot Autofix generation. You don't need a separate Copilot license to use these features within Code Quality, but every AI interaction costs tokens.
GitHub Actions minutes power the deterministic CodeQL scans. These are the rule-based maintainability and reliability checks that run on every PR and on the default branch. If you're on self-hosted runners, you absorb the compute cost instead of paying GitHub's per-minute rate.
For a 50-person team where every developer commits, the base license alone is $500/month before AI usage or Actions compute. That's real money, and it raises a fair question: what exactly does this quality gate enforce?
Code Quality's enforcement mechanism works through GitHub's rulesets. You set thresholds on three dimensions, and PRs that violate them can't merge:
On top of the deterministic CodeQL rules, Code Quality also runs AI-powered analysis on files pushed to the default branch, covering languages beyond the seven CodeQL supports (C#, Go, Java, JavaScript, Python, Ruby, TypeScript). Findings from that AI layer appear on a separate dashboard tab.
The new GA release also adds organization-level quality dashboards and org-wide deployment, so engineering leaders can track maintainability and reliability scores across all repositories from one view. That's genuinely useful for visibility.
None of this is new technology. SonarQube, Codacy, and CodeClimate have offered maintainability scoring and quality gates for years. GitHub's advantage is integration: the gate lives inside the same platform where PRs already merge, and rulesets enforce it without external webhook plumbing.
Here's the gap. Code Quality's gate evaluates structural signals. It doesn't read the diff and reason about what the code change actually does.
A PR can pass every Code Quality threshold and still contain:
Coverage thresholds make this even trickier. A PR can maintain 80% coverage while the new code itself has no meaningful assertions. The threshold checks quantity of lines exercised, not quality of test logic.
There's a hard constraint in the announcement that's easy to miss. GitHub Code Quality is only available on GitHub Enterprise Cloud and GitHub Team plans. It's not available on GitHub Enterprise Server.
That's a significant gap. Enterprises running GHES (often for compliance, data residency, or air-gapped environments) have no path to these quality gates. They can run CodeQL on their own, but without the integrated scoring, rulesets enforcement, or dashboards that Code Quality bundles.
For GHES teams evaluating how to enforce code quality at the PR level, the tooling decision has to come from outside GitHub's product surface.
The quality gate and the code review are different jobs. Code Quality answers: does this code meet structural standards? A reviewer (human or automated) answers: is this change correct, safe, and well-designed?
GitHub's own Copilot code review layer (which is part of Code Quality's AI usage) does attempt semantic analysis. But its scope is limited: it runs on PR diffs, comments inline, and suggests fixes. It doesn't operate as a standalone gating mechanism. And its accuracy on real-world bugs still varies, with GitHub noting that model switching isn't supported because it "is likely to compromise the reliability and accuracy of analysis results."
This is where a dedicated code review tool adds value alongside Code Quality rather than instead of it. Tenki's Code Reviewer reviews the actual diff at the CI boundary, analyzing what the code change does rather than measuring its structural profile. In benchmarks against 122 known bugs, Tenki caught 68.9% of them (84/122), compared to 24.6% for Copilot (30/122). The review runs as a GitHub Action, so it works on any Actions-compatible setup, including GHES instances where Code Quality isn't available.
The pricing model is also different. Tenki charges $1.00 per review, not per committer per month. For teams that merge fewer PRs than they have committers (which is most teams), that's a lower total cost.
If your org used Code Quality during the preview, you'll start getting billed on July 20 unless you disable it first. GitHub's docs are clear on this: go to your organization settings and turn it off on each repository, or disable it org-wide.
But whether you keep it or not, it's worth understanding what the $10/committer buys and what it leaves uncovered. The quality gate is a structural filter. It catches code smells and enforces coverage floors. Those are worth having. They're just not the same thing as knowing whether the code is correct.
The question isn't whether to use Code Quality. It's whether to treat it as your only gate.
Tags
Recommended for you
What's next in your stack.