How to Do AI-Assisted Code Review

Code review is a practice almost every engineering team endorses in principle and compromises on in practice. Reviews are rushed when deadlines approach. They're inconsistent when reviewers have different standards. They're frustrating when a senior engineer has a backlog of 12 PRs to review and reviews them all in an hour.

AI-assisted code review doesn't solve the process problems. But it does give every PR a consistent, immediate, comprehensive first pass — so that human reviewers can focus their limited time on what they do best.

Here's how to actually do it.

Setting Up AI Code Review in Your Workflow#

The first decision: when does AI review run?

Option A: Pre-commit (local) The developer runs AI review before opening a PR. Catches issues before they even reach the team.

Option B: CI-triggered (on PR open) AI review runs automatically when a PR is opened. Results appear as comments on the PR.

Option C: On-demand Developer or reviewer requests AI review of a specific PR or code block.

All three have value. For most teams starting with AI code review, CI-triggered is the easiest to adopt — it doesn't change developer workflow and ensures every PR gets reviewed.

In DenchClaw with gstack's Engineering Review, the review runs as part of the Ship phase before the PR is opened.

What AI Code Review Checks#

A good AI code review checks systematically across several categories:

Security#

• SQL injection and parameter binding
• XSS vulnerabilities (unescaped output, innerHTML)
• Authentication and authorization checks
• Secrets and API keys in code
• Insecure cryptography (MD5, SHA1 for passwords)
• Path traversal vulnerabilities
• SSRF and CSRF vectors

Logic and Correctness#

• Null/undefined access without guard
• Off-by-one errors in loops and indexes
• Integer overflow and underflow
• Floating point comparison errors
• Missing return values
• Incorrect boolean logic

Error Handling#

• Uncaught exceptions in async code
• Missing error handling in promise chains
• Swallowed exceptions (empty catch blocks)
• Incorrect error propagation

Performance#

• N+1 query patterns
• Unnecessary database calls in loops
• Missing indexes for common queries
• Redundant network requests
• Memory leaks (event listeners not cleaned up, circular references)

Code Quality#

• Overly complex functions (cyclomatic complexity)
• Duplicated code that should be abstracted
• Poorly named variables and functions
• Missing or misleading comments
• Dead code

Test Coverage#

• New code without test coverage
• Test gaps on edge cases
• Tests that only test the happy path

The Review Output Format#

AI code review output should be structured and specific, not a wall of text.

For each finding:

FILE: src/api/contacts.ts
LINE: 47-52
SEVERITY: HIGH
CATEGORY: Security

ISSUE: The SQL query uses string interpolation instead of parameterized queries.
Current code:
  const query = `SELECT * FROM contacts WHERE email = '${email}'`

This is vulnerable to SQL injection. An attacker could pass:
  email = "' OR '1'='1"
  
RECOMMENDATION: Use parameterized queries:
  const query = `SELECT * FROM contacts WHERE email = $1`
  const result = await db.query(query, [email])

Specific file, specific line, specific problem, specific fix. Not "there might be security issues in this file."

What Humans Still Need to Review#

AI code review is the first reviewer, not the only reviewer. Human review is still essential for:

Domain logic correctness: Does this business logic correctly implement the requirement? AI can verify that the code does what it looks like it's doing — but whether what it's doing is what the requirement specifies requires understanding the business.

Architecture decisions: Should this be a separate service or stay in the monolith? Should we use a queue here or a direct call? These are judgment calls that require understanding the system's direction.

Code that's "correct" but wrong: Sometimes the algorithm works but the approach is fundamentally the wrong way to solve the problem. AI may not catch this if the code executes correctly.

Context that AI doesn't have: "This is fine in isolation, but we're planning to deprecate this module in Q3 and rebuilding it — don't add more code to the old pattern."

Subtle race conditions in distributed systems: While AI catches common concurrency patterns, deeply complex distributed correctness issues often require expert human review.

Building a Review Checklist#

Combine AI and human review into a single workflow:

AI Review (automated)

• Security vulnerabilities
• Error handling gaps
• Performance patterns (N+1, etc.)
• Test coverage on new code
• Code quality standards

Human Review (manual, focused)

• Domain logic correctness
• Architecture alignment
• Tricky edge cases specific to this domain
• Contextual decisions the AI doesn't have context for
• Documentation appropriateness

When reviewers know the AI has already covered the structural issues, they can go directly to the higher-level concerns without feeling like they're skipping something.

Handling AI Review Findings#

Not every AI review finding requires immediate action. A triage approach works well:

Must fix before merge:

• Security vulnerabilities (any severity)
• Bugs that would cause incorrect behavior
• Data loss risks

Should fix before merge (but reviewer can override):

• Error handling gaps
• Missing test coverage for important paths
• Performance patterns likely to cause real-world issues

Address in follow-up:

• Code quality improvements
• Refactoring opportunities
• Documentation improvements

Consider (informational):

• Alternative approaches
• Future-proofing suggestions

Measuring Code Review Quality Over Time#

Track whether AI-assisted review is improving outcomes:

• Pre-review bug catch rate: What percentage of bugs are caught before production? Is this improving?
• Review cycle time: How long from PR open to merge? Is this getting faster?
• Post-release bug rate: How many bugs are found in production per sprint? Is this declining?
• Human review focus: What categories of issues are humans catching that AI doesn't? (These are the things to train the AI on or the things that distinguish valuable human review.)

In DenchClaw, these metrics are tracked in DuckDB as part of the engineering health dashboard.

Common Mistakes in AI Code Review Implementation#

Treating AI review as a blocker for everything: Not every finding needs to block the merge. Over-blocking creates reviewer fatigue and makes people work around the system.

Not reviewing the AI review output: AI review comments left unread provide no value. Build in the expectation that someone reads and responds to every finding.

Using AI review as a replacement for meaningful human review: The architecture questions, domain correctness, and strategic decisions still need human attention. AI review is additive, not substitutional.

Applying the same standard to all PRs: A two-line bug fix doesn't need the same review depth as a 500-line feature PR. Calibrate the review effort appropriately.

Frequently Asked Questions#

How do you prevent AI review from slowing down the PR process?#

Set clear triage criteria (must-fix vs. should-fix vs. informational) and enforce them consistently. When reviewers know that most findings are informational, they won't treat every comment as a blocker.

Can AI code review handle multiple programming languages?#

Yes. Modern AI code review tools support dozens of languages. The coverage varies — security patterns in Python, Go, and JavaScript are well-covered; more obscure patterns in less common languages may have lower coverage.

What's the best way to introduce AI code review to a skeptical team?#

Run it in observation mode first — generate reviews but don't block PRs. After a month, review what the AI found against what reached production. The data usually speaks for itself.

How do you handle false positives in AI review?#

Acknowledge them explicitly, don't silently dismiss. If AI flags something that's actually fine, add a comment explaining why it's intentional. This improves the shared understanding of the codebase and helps calibrate what findings to take seriously.

Should AI code review be visible to all team members or just the author?#

Visible to everyone. Transparency about code quality standards, applied consistently, helps the whole team understand what "good" looks like. Private feedback doesn't build shared norms.

Ready to try DenchClaw? Install in one command: npx denchclaw. Full setup guide →