The pull request. That moment when you push your code and wait—sometimes nervously—for feedback. What if you could get instant, thorough feedback before your teammates even look at it?
That's exactly what AI code review tools now offer. They sit in your CI/CD pipeline, analyse every PR, and flag issues ranging from security vulnerabilities to style inconsistencies. Let's look at what's available and how they actually work in practice.
How These Tools Work
Most AI code review tools follow a similar pattern. You install a GitHub App or Azure DevOps extension, grant repository access, and configure your preferences. When someone raises a PR, the tool automatically:
Analyses the diff (changed lines)
Checks against security rules, best practices, and your custom guidelines
Posts comments directly on the PR—inline where relevant
Sometimes suggests fixes you can apply with a single click
The better tools understand context. They don't just look at the changed lines in isolation—they consider the surrounding code, your project's patterns, and even documentation.
The Major Players
CodeRabbit
CodeRabbit has become popular for its conversational approach. It posts a summary of changes, highlights potential issues, and you can actually reply to its comments to ask for clarification or tell it to ignore false positives.
Works with: GitHub, GitLab, Azure DevOps
Installation:
# Visit GitHub Marketplace and install the CodeRabbit app
# Or add via URL:
https://github.com/apps/coderabbitailanguage: en
reviews:
auto_review:
enabled: true
base_branches:
- main
- develop
path_filters:
- "!**/*.test.ts"
- "!**/*.spec.ts"
- "!**/node_modules/**"
profile: assertive # Options: chill, assertive, pedantic
chat:
auto_reply: true
knowledge_base:
learnings:
enabled: trueInteracting with CodeRabbit in PR comments:
@coderabbitai review this file again
@coderabbitai ignore this suggestion
@coderabbitai explain why this is a problem
@coderabbitai generate docstrings for this file
@coderabbitai summarize this PRExample PR comment from CodeRabbit:
## Summary
This PR adds user authentication middleware with JWT validation.
## Changes
- `src/middleware/auth.ts`: New authentication middleware
- `src/routes/user.ts`: Protected routes added
## Issues Found
### 🔴 Critical: Potential JWT Secret Exposure
`src/middleware/auth.ts` line 12
```typescript
const secret = "hardcoded-secret-key"; // ❌ Never hardcode secrets
```
**Suggestion:** Use environment variables
```typescript
const secret = process.env.JWT_SECRET;
```
### 🟡 Warning: Missing Error Handling
`src/routes/user.ts` line 45
The async handler doesn't catch potential errors.
```
---
### GitHub Copilot Code Review
GitHub's native offering integrates seamlessly if you're already in their ecosystem.
**Works with:** GitHub
**Enabling in repository settings:**
```
Repository → Settings → Code review → Enable Copilot Code ReviewTriggering review via comment:
@github-copilot review
@github-copilot review src/utils/GitHub Actions integration (.github/workflows/copilot-review.yml):
name: Copilot Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Copilot Review
uses: github/copilot-code-review-action@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
model: gpt-4
review-level: thorough # Options: basic, thorough, comprehensiveAmazon CodeGuru Reviewer
AWS's offering focuses heavily on security and performance, trained on Amazon's internal codebase.
Works with: GitHub, Bitbucket, CodeCommit, GitLab
AWS CLI setup:
# Associate a repository
aws codeguru-reviewer associate-repository \
--repository "GitHubEnterpriseServer={Name=my-repo,ConnectionArn=arn:aws:codestar-connections:...}" \
--region us-east-1
# Check association status
aws codeguru-reviewer describe-repository-association \
--association-arn arn:aws:codeguru-reviewer:us-east-1:123456789:association/xxx
# List recommendations for a code review
aws codeguru-reviewer list-recommendations \
--code-review-arn arn:aws:codeguru-reviewer:us-east-1:123456789:code-review/xxxGitHub Actions integration:
name: CodeGuru Reviewer
on:
pull_request:
branches: [main]
jobs:
codeguru:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: CodeGuru Reviewer
uses: aws-actions/codeguru-reviewer@v1
with:
s3_bucket: codeguru-reviewer-my-bucket
- name: Upload results
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: codeguru-results.sarif.json
```
**Example finding from CodeGuru:**
```
Issue: Resource leak detected
File: src/services/database.py
Line: 45
The database connection opened on line 45 may not be closed if an
exception occurs on line 52. Consider using a context manager.
Before:
connection = db.connect()
result = connection.execute(query)
connection.close()
Recommended:
with db.connect() as connection:
result = connection.execute(query)Sourcery
Sourcery focuses on code quality and refactoring suggestions, teaching better patterns rather than just flagging issues.
Works with: GitHub, GitLab, VS Code, PyCharm
Installation:
# Install CLI
pip install sourcery
# Authenticate
sourcery login
# Run locally before committing
sourcery review src/
# Review specific file
sourcery review src/utils/helpers.py --diffConfiguration file (.sourcery.yaml):
version: '1'
ignore:
- tests/*
- migrations/*
rule_settings:
enable:
- default
- refactoring
disable:
- docstrings-for-classes
python_version: '3.11'
refactor:
skip:
- low # Only show medium and high impact suggestions
metrics:
quality_threshold: 25
github:
labels: true
request_review: authorExample Sourcery suggestion:
# Before (Sourcery flags this)
result = []
for item in items:
if item.is_active:
result.append(item.name)
# Sourcery suggests (list comprehension)
result = [item.name for item in items if item.is_active]# Before
if x == True:
return True
else:
return False
# Sourcery suggests
return x == True
# Or even better
return bool(x)Pre-commit hook integration (.pre-commit-config.yaml):
repos:
- repo: https://github.com/sourcery-ai/sourcery
rev: v1.14.0
hooks:
- id: sourcery
args: [--diff, git diff HEAD^]Qodana (JetBrains)
Brings JetBrains IDE inspections to your CI/CD pipeline.
Works with: GitHub, GitLab, Azure DevOps, TeamCity
Local execution:
# Using Docker
docker run --rm \
-v $(pwd):/data/project \
-v $(pwd)/qodana:/data/results \
jetbrains/qodana-js:latest
# Using CLI
qodana scan --project-dir . --results-dir ./qodana-results
# For specific linter
qodana scan --linter jetbrains/qodana-python:latestConfiguration file (qodana.yaml):
version: '1.0'
linter: jetbrains/qodana-js:latest
include:
- name: CheckDependencyLicenses
- name: VulnerableLibrariesGlobal
exclude:
- name: SpellCheckingInspection
- name: Eslint
paths:
- node_modules
- dist
- coverage
failThreshold: 100 # Fail if more than 100 problems
profile:
name: qodana.recommended
bootstrap: npm installGitHub Actions integration:
name: Qodana
on:
pull_request:
push:
branches: [main]
jobs:
qodana:
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
checks: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Qodana Scan
uses: JetBrains/qodana-action@v2024.1
with:
args: --baseline,qodana.sarif.json
pr-mode: true
env:
QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}Azure DevOps pipeline:
trigger:
- main
pool:
vmImage: ubuntu-latest
steps:
- task: Docker@2
inputs:
command: run
arguments: |
--rm
-v $(Build.SourcesDirectory):/data/project
-v $(Build.ArtifactStagingDirectory):/data/results
jetbrains/qodana-js:latest
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: $(Build.ArtifactStagingDirectory)
artifactName: qodana-reportCodacy
All-in-one platform combining static analysis, security scanning, and coverage tracking.
Works with: GitHub, GitLab, Bitbucket, Azure DevOps
CLI installation and usage:
# Install
curl -Ls https://coverage.codacy.com/get.sh -o codacy-coverage.sh
chmod +x codacy-coverage.sh
# Upload coverage report
./codacy-coverage.sh report -r coverage/lcov.info
# Or using Docker for analysis
docker run \
--rm \
--env CODACY_PROJECT_TOKEN=xxxx \
--volume $(pwd):/src \
codacy/codacy-analysis-cli analyzeConfiguration file (.codacy.yaml):
engines:
eslint:
enabled: true
plugins:
- "@typescript-eslint"
stylelint:
enabled: true
pylint:
enabled: true
python_version: 3
security:
enabled: true
exclude_paths:
- "node_modules/**"
- "dist/**"
- "**/*.test.ts"
- "**/*.spec.ts"
- "coverage/**"
languages:
typescript:
extensions:
- .ts
- .tsx
thresholds:
issues: 100
complexity: 25
duplication: 5
coverage: 80GitHub Actions integration:
name: Codacy Analysis
on:
pull_request:
push:
branches: [main]
jobs:
codacy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Codacy Analysis
uses: codacy/codacy-analysis-cli-action@master
with:
project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
upload: true
max-allowed-issues: 50
- name: Upload coverage
run: |
npm test -- --coverage
bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
-r coverage/lcov.info \
-t ${{ secrets.CODACY_PROJECT_TOKEN }}The Human Element
These tools augment human reviewers—they don't replace them. AI catches the mechanical stuff: unused variables, potential null references, security anti-patterns, style inconsistencies. This frees human reviewers to focus on architecture, business logic, and mentoring.
The PR process becomes more productive when humans aren't spending time pointing out that a variable should be const instead of let. They can focus on whether the approach makes sense, whether there's a simpler solution, whether the code will be maintainable six months from now.
Pick one tool that fits your stack and budget. Install it today on a repository, raise a test PR, and see what it catches. You might be surprised—both by what it finds and by how much time it saves your team.