
AI-Assisted Code Review

Automated PR review, diff summarization, security scanning, and quality gates using AI coding tools

Read time: 10 min



AI tools can act as a first-pass reviewer that catches bugs, security issues, and style problems before a human ever opens the PR. This doesn't replace human review — it raises the baseline quality so human reviewers can focus on architecture and intent rather than typos and null checks.

What AI Review Can Catch

| Category | Examples |
|---|---|
| Security | Hardcoded secrets, SQL injection, missing input validation, IDOR vulnerabilities |
| Bugs | Null pointer dereferences, off-by-one errors, unhandled promise rejections |
| Performance | N+1 queries, missing indexes, sync operations in async context |
| Style | Inconsistent naming, dead code, overly complex functions |
| Test coverage | Missing edge cases, missing error path tests |
| Documentation | Public API functions without JSDoc |

Claude Code: Pre-commit Review Hook

Setup

Create a shell script that runs Claude on staged changes:

#!/bin/bash
# .git/hooks/pre-commit (or wire it up via husky)
# The shebang must be the first line, or git runs the hook with the default shell.
 
DIFF=$(git diff --cached)
if [ -z "$DIFF" ]; then
  exit 0
fi
 
RESULT=$(echo "$DIFF" | claude -p "Review this git diff for:
1. Security vulnerabilities (OWASP Top 10)
2. Obvious bugs or null reference risks
3. Missing error handling
 
Respond with: PASS if no critical issues, or BLOCK: <reason> if there is a critical issue.
Only flag genuine problems — do not nitpick style.")
 
# Block the commit when the reviewer answers BLOCK, and show its reason
if echo "$RESULT" | grep -qE '^[[:space:]]*BLOCK:'; then
  echo "Commit blocked by AI review:"
  echo "$RESULT"
  exit 1
fi
exit 0
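The hook above sends every staged diff to the model, so the "hardcoded secrets" row of the table is the one category worth catching locally first. The following is an added example, not code from the page or from Claude Code: a deterministic pre-check in Python that walks a unified diff, inspects only the added lines, and reports secret-looking values with the new-file line number taken from the hunk header, so the commit can be blocked before the diff leaves the machine. The regexes in `SECRET_PATTERNS` and the `SAMPLE_DIFF` are constructed for this example and are not a complete secret taxonomy.

```python
import re
import sys
from dataclasses import dataclass

# Illustrative heuristics for the "hardcoded secrets" category; these are
# assumptions made for this example, not an exhaustive list.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assigned_secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    file: str
    line: int      # line number in the new version of the file
    kind: str
    excerpt: str


def scan_diff_for_secrets(diff_text: str) -> list[Finding]:
    """Check only the added ('+') lines of a unified diff against SECRET_PATTERNS.

    The new-file line number is tracked from each @@ hunk header so a finding
    carries the same file:line reference a reviewer would cite.
    """
    findings: list[Finding] = []
    current_file = "<unknown>"
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].strip()
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue                      # old-file header / "No newline" marker
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("-"):
            continue                      # removed line: not present in the new file
        if raw.startswith("+"):
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append(Finding(current_file, new_line, kind, content.strip()[:80]))
        new_line += 1                     # added and context lines both advance


    return findings


def gate(diff_text: str) -> int:
    """Exit status for a pre-commit hook: 1 blocks the commit, 0 lets it proceed."""
    findings = scan_diff_for_secrets(diff_text)
    for f in findings:
        print(f"{f.file}:{f.line}: possible {f.kind}: {f.excerpt}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff: a config file that swaps an env lookup for literals.
SAMPLE_DIFF = """\
diff --git a/src/config.ts b/src/config.ts
--- a/src/config.ts
+++ b/src/config.ts
@@ -1,4 +1,6 @@
 import { readEnv } from "./env";
-const apiKey = readEnv("API_KEY");
+// TODO remove before merge
+const apiKey = "sk_live_EXAMPLE_placeholder_value_0123";
+const awsKey = "AKIAIOSFODNN7EXAMPLE";
 export { apiKey, awsKey };
"""

if __name__ == "__main__":
    # Usage from a hook: git diff --cached | python3 scan_secrets.py
    sys.exit(gate(sys.stdin.read()))
```

Run as `git diff --cached | python3 scan_secrets.py` before the `claude -p` step; on the sample diff it reports lines 3 and 4 of `src/config.ts` and returns 1. Only `+` lines are matched, so removing a previously committed secret does not trip the check, and removed lines are not counted when computing line numbers.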

Full PR Diff Review

# Review a PR's full diff against main
git diff main...HEAD | claude -p "You are a senior code reviewer.
Review this diff for bugs, security issues, and missing tests.
Format your response as:
## Critical (must fix)
## Important (should fix)  
## Suggestions (optional)
Be concise — one line per issue with the file and line reference."

Security-Focused Scan

claude "Perform a security audit of the files I've changed in this PR.
Run: git diff main...HEAD --name-only
Then read each changed file and look for:
- Hardcoded credentials or API keys
- SQL/NoSQL injection vectors
- Missing authentication checks on API routes
- Unvalidated user input passed to shell commands or eval
Report findings with file name, line number, and severity (Critical/High/Medium)."

GitHub Copilot Code Review

PR Review in VS Code

  1. Open Source Control panel (Ctrl+Shift+G)
  2. Click the Copilot sparkle ✨ icon on any file in the diff
  3. Copilot generates inline suggestions per-file

Or from Chat:

@github Review the PR #142 for security issues and missing input validation

Review Comments

In Copilot Chat with the PR diff in context:

Review these changes. For each issue found, suggest a concrete fix 
rather than just describing the problem.
Summarize what this PR does in 3 sentences, then list any concerns 
about the implementation approach.

Auto-Review on PR Open

GitHub Copilot can be configured to auto-review PRs (requires Copilot Enterprise):

# .github/copilot-review.yml
review:
  enabled: true
  focus:
    - security
    - performance
  ignore_paths:
    - "**/*.test.ts"
    - "docs/**"

Cursor Code Review

In Cursor, use the diff view + Composer:

@diff Review these changes for security vulnerabilities and edge cases I might have missed.

Or reference specific files:

Compare @src/api/users.ts with the interface defined in @types/api.ts — 
are there any mismatches or missing validations?

Automated Review Pipeline (CI)

Add an AI review step to your CI/CD pipeline:

# .github/workflows/ai-review.yml
name: AI Code Review
 
on:
  pull_request:
    types: [opened, synchronize]
 
jobs:
  ai-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
 
      - name: Get PR diff
        run: git diff origin/${{ github.base_ref }}...HEAD > /tmp/pr.diff
 
      - name: AI Security Scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          # The CLI ships in the @anthropic-ai/claude-code npm package
          npx @anthropic-ai/claude-code -p \
            "Scan for OWASP Top 10 vulnerabilities only.
             Output JSON: [{file, line, severity, description}] or []" \
            < /tmp/pr.diff > /tmp/security-findings.json

          # Fail closed: if the model answered with prose instead of JSON, jq
          # would error and the severity check below would silently pass
          if ! jq -e 'type == "array"' /tmp/security-findings.json > /dev/null; then
            echo "AI scan did not return a JSON array:"
            cat /tmp/security-findings.json
            exit 1
          fi

          # Fail if critical issues found
          if jq -e '[.[] | select(.severity == "Critical")] | length > 0' /tmp/security-findings.json > /dev/null; then
            echo "Critical security issues found:"
            cat /tmp/security-findings.json
            exit 1
          fi
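The workflow above reduces the gate to one jq expression. As an added example, not part of the page or of any vendor tool, here is the same quality gate as a standalone Python script that validates the model's output against the schema the prompt asks for (`file`, `line`, `severity`, `description`), fails closed when the output is unusable, applies ignore globs like the ones in the Copilot config above, and prints GitHub workflow annotation commands so findings appear inline on the PR. The severity ladder, the glob list and `SAMPLE_OUTPUT` are constructed assumptions for this example.

```python
import json
from dataclasses import dataclass, field
from fnmatch import fnmatch

SEVERITIES = ("Critical", "High", "Medium", "Low")          # assumed ladder
REQUIRED_KEYS = {"file", "line", "severity", "description"}  # from the prompt


class GateError(ValueError):
    """Raised when the scanner output cannot be trusted; the gate fails closed."""


@dataclass
class GateResult:
    blocked: bool
    reason: str
    counts: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_findings(raw: str) -> list[dict]:
    """Parse the model's JSON array and reject anything off-schema."""
    text = raw.strip()
    if text.startswith("```"):            # tolerate a ```json fence around the array
        text = text.split("\n", 1)[1] if "\n" in text else ""
        text = text.rsplit("```", 1)[0]
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise GateError(f"scanner output is not JSON: {exc}") from exc
    if not isinstance(data, list):
        raise GateError("scanner output must be a JSON array")
    for i, item in enumerate(data):
        if not isinstance(item, dict) or not REQUIRED_KEYS.issubset(item):
            raise GateError(f"finding {i} lacks required keys {sorted(REQUIRED_KEYS)}")
        if item["severity"] not in SEVERITIES:
            raise GateError(f"finding {i} has unknown severity {item['severity']!r}")
        if not isinstance(item["line"], int) or item["line"] < 1:
            raise GateError(f"finding {i} has an invalid line number")
    return data


def evaluate(raw: str, fail_on=("Critical",), ignore_paths=()) -> GateResult:
    """Decide whether to block the PR. Unusable output blocks (fail closed)."""
    try:
        findings = parse_findings(raw)
    except GateError as exc:
        return GateResult(blocked=True, reason=f"unusable scanner output: {exc}")
    kept = [f for f in findings if not any(fnmatch(f["file"], p) for p in ignore_paths)]
    counts = {s: sum(1 for f in kept if f["severity"] == s) for s in SEVERITIES}
    blocking = [f for f in kept if f["severity"] in fail_on]
    if blocking:
        return GateResult(True, f"{len(blocking)} finding(s) at or above threshold", counts, kept)
    return GateResult(False, "no blocking findings", counts, kept)


def to_github_annotations(result: GateResult) -> list[str]:
    """Render kept findings as workflow commands (::error / ::warning / ::notice)."""
    level = {"Critical": "error", "High": "error", "Medium": "warning", "Low": "notice"}
    return [
        f"::{level[f['severity']]} file={f['file']},line={f['line']}::{f['severity']}: {f['description']}"
        for f in result.findings
    ]


# Constructed sample of what the scan step's prompt asks the model to produce.
SAMPLE_OUTPUT = """```json
[
  {"file": "src/api/users.ts", "line": 42, "severity": "Critical",
   "description": "User-supplied id interpolated into SQL string"},
  {"file": "src/api/users.test.ts", "line": 7, "severity": "Critical",
   "description": "Test fixture contains a literal API key"},
  {"file": "src/util/log.ts", "line": 13, "severity": "Medium",
   "description": "Request body logged without redaction"}
]
```"""

if __name__ == "__main__":
    import sys
    # Usage in CI: python3 ai_gate.py < /tmp/security-findings.json
    result = evaluate(sys.stdin.read(), ignore_paths=("**/*.test.ts", "docs/**"))
    print("\n".join(to_github_annotations(result)))
    print(f"gate: {'BLOCK' if result.blocked else 'PASS'} ({result.reason}) {result.counts}")
    sys.exit(1 if result.blocked else 0)
```

Pipe `/tmp/security-findings.json` into the script in place of the jq step. With the sample output and the test-file glob ignored, one Critical finding remains and the job fails; a response such as "I found no issues." also fails, because a gate that cannot parse its input must not report a pass.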

Review Prompt Templates

Quick Review

Review this diff. Flag only: bugs that will cause runtime errors, 
security vulnerabilities, and unhandled edge cases. One line per finding.

Thorough Review

You are a senior engineer reviewing a PR. Evaluate:
1. Correctness — will this code work as intended?
2. Security — any attack vectors introduced?
3. Performance — any O(n²) or missing caching?
4. Maintainability — is this readable in 6 months?
5. Tests — are the right cases covered?

Be specific: include file names and line numbers.

Focused Review

This PR adds payment processing. Focus exclusively on:
- PCI-DSS compliance (no card data in logs)
- Idempotency of payment mutations
- Error handling for partial charges
- Webhook signature verification

Checklist