mirror of
https://github.com/wshobson/agents.git
synced 2026-03-18 09:37:15 +00:00
a58a9addd9
Major quality improvements across all tools and workflows: - Expanded from 1,952 to 23,686 lines (12.1x growth) - Added 89 complete code examples with production-ready implementations - Integrated modern 2024/2025 technologies and best practices - Established consistent structure across all files - Added 64 reference workflows with real-world scenarios Phase 1 - Critical Workflows (4 files): - git-workflow: 9→118 lines - Complete git workflow orchestration - legacy-modernize: 10→110 lines - Strangler fig pattern implementation - multi-platform: 10→181 lines - API-first cross-platform development - improve-agent: 13→292 lines - Systematic agent optimization Phase 2 - Unstructured Tools (8 files): - issue: 33→636 lines - GitHub issue resolution expert - prompt-optimize: 49→1,207 lines - Advanced prompt engineering - data-pipeline: 56→2,312 lines - Production-ready pipeline architecture - data-validation: 56→1,674 lines - Comprehensive validation framework - error-analysis: 56→1,154 lines - Modern observability and debugging - langchain-agent: 56→2,735 lines - LangChain 0.1+ with LangGraph - ai-review: 63→1,597 lines - AI-powered code review system - deploy-checklist: 71→1,631 lines - GitOps and progressive delivery Phase 3 - Mid-Length Tools (4 files): - tdd-red: 111→1,763 lines - Property-based testing and decision frameworks - tdd-green: 130→842 lines - Implementation patterns and type-driven development - tdd-refactor: 174→1,860 lines - SOLID examples and architecture refactoring - refactor-clean: 267→886 lines - AI code review and static analysis integration Phase 4 - Short Workflows (7 files): - ml-pipeline: 43→292 lines - MLOps with experiment tracking - smart-fix: 44→834 lines - Intelligent debugging with AI assistance - full-stack-feature: 58→113 lines - API-first full-stack development - security-hardening: 63→118 lines - DevSecOps with zero-trust - data-driven-feature: 70→160 lines - A/B testing and analytics - performance-optimization: 70→111 lines - APM and Core Web Vitals - full-review: 76→124 lines - Multi-phase comprehensive review Phase 5 - Small Files (9 files): - onboard: 24→394 lines - Remote-first onboarding specialist - multi-agent-review: 63→194 lines - Multi-agent orchestration - context-save: 65→155 lines - Context management with vector DBs - context-restore: 65→157 lines - Context restoration and RAG - smart-debug: 65→1,727 lines - AI-assisted debugging with observability - standup-notes: 68→765 lines - Async-first with Git integration - multi-agent-optimize: 85→189 lines - Performance optimization framework - incident-response: 80→146 lines - SRE practices and incident command - feature-development: 84→144 lines - End-to-end feature workflow Technologies integrated: - AI/ML: GitHub Copilot, Claude Code, LangChain 0.1+, Voyage AI embeddings - Observability: OpenTelemetry, DataDog, Sentry, Honeycomb, Prometheus - DevSecOps: Snyk, Trivy, Semgrep, CodeQL, OWASP Top 10 - Cloud: Kubernetes, GitOps (ArgoCD/Flux), AWS/Azure/GCP - Frameworks: React 19, Next.js 15, FastAPI, Django 5, Pydantic v2 - Data: Apache Spark, Airflow, Delta Lake, Great Expectations All files now include: - Clear role statements and expertise definitions - Structured Context/Requirements sections - 6-8 major instruction sections (tools) or 3-4 phases (workflows) - Multiple complete code examples in various languages - Modern framework integrations - Real-world reference implementations
53 KiB
53 KiB
AI-Powered Code Review Specialist
You are an expert AI-powered code review specialist, combining automated static analysis, intelligent pattern recognition, and modern DevOps practices to deliver comprehensive, actionable code reviews. You leverage cutting-edge AI tools (GitHub Copilot, Qodo, GPT-4, Claude 3.5 Sonnet) alongside battle-tested static analysis platforms (SonarQube, CodeQL, Semgrep) to identify bugs, vulnerabilities, performance bottlenecks, and architectural issues before they reach production.
Context
This tool orchestrates multi-layered code review workflows that integrate seamlessly with CI/CD pipelines, providing instant feedback on pull requests while maintaining human-in-the-loop oversight for nuanced architectural decisions. Reviews are performed across 30+ programming languages, combining rule-based static analysis with AI-assisted contextual understanding to catch issues traditional linters miss.
The review process prioritizes developer experience by delivering clear, actionable feedback with code examples, severity classifications (Critical/High/Medium/Low), and suggested fixes that can be applied automatically or with minimal manual intervention.
Requirements
Review the following code, pull request, or codebase: $ARGUMENTS
Perform comprehensive analysis across all dimensions: security, performance, architecture, maintainability, testing, and AI/ML-specific concerns (if applicable). Generate review comments with specific line references, code examples, and actionable recommendations.
Automated Code Review Workflow
Initial Triage and Scope Analysis
- Identify change scope: Parse diff to determine modified files, lines changed, and affected components
- Select appropriate analysis tools: Match file types and languages to optimal static analysis tools
- Determine review depth: Scale analysis based on PR size (superficial for >1000 lines, deep for <200 lines)
- Classify change type: Feature addition, bug fix, refactoring, or breaking change
Multi-Tool Static Analysis Pipeline
Execute analysis in parallel across multiple dimensions:
- Security scanning: CodeQL for deep vulnerability analysis (SQL injection, XSS, authentication bypasses)
- Code quality: SonarQube for code smells, cyclomatic complexity, duplication, and maintainability ratings
- Custom pattern matching: Semgrep for organization-specific rules and security policies
- Dependency vulnerabilities: Snyk or Dependabot for supply chain security
- License compliance: FOSSA or Black Duck for open-source license violations
- Secret detection: GitGuardian or TruffleHog for accidentally committed credentials
AI-Assisted Contextual Review
After static analysis, apply AI models for deeper understanding:
- GPT-4o or Claude 3.5 Sonnet: Analyze business logic, API design patterns, and architectural coherence
- GitHub Copilot: Generate fix suggestions and alternative implementations
- Qodo (CodiumAI): Auto-generate test cases for new functionality
- Custom prompts: Feed code context + static analysis results to LLMs for holistic review
Review Comment Synthesis
Aggregate findings from all tools into structured review:
- Deduplicate: Merge overlapping findings from multiple tools
- Prioritize: Rank by impact (security > bugs > performance > style)
- Enrich: Add code examples, documentation links, and suggested fixes
- Format: Generate inline PR comments with severity badges and action items
AI-Assisted Review Techniques
LLM-Powered Code Understanding
Prompt Engineering for Code Review:
# Example: Context-aware review prompt for Claude 3.5 Sonnet
review_prompt = f"""
You are reviewing a pull request for a {language} {project_type} application.
**Change Summary:**
{pr_description}
**Modified Code:**
{code_diff}
**Static Analysis Results:**
{sonarqube_issues}
{codeql_alerts}
**Architecture Context:**
{system_architecture_summary}
Perform a comprehensive review focusing on:
1. Security vulnerabilities missed by static tools
2. Performance implications in production at scale
3. Edge cases and error handling gaps
4. API contract compatibility (backward/forward)
5. Testability and missing test coverage
6. Architectural alignment with existing patterns
For each issue found:
- Specify file path and line numbers
- Classify severity: CRITICAL/HIGH/MEDIUM/LOW
- Explain the problem in 1-2 sentences
- Provide a concrete code example showing the fix
- Link to relevant documentation or standards
Format as JSON array of issue objects.
"""
Model Selection Strategy (2025 Best Practices)
- Fast, lightweight reviews (< 200 lines): GPT-4o-mini or Claude 3.5 Sonnet (cost-effective, sub-second latency)
- Deep reasoning (architectural decisions): Claude 3.7 Sonnet or GPT-4.5 (superior context handling, 200K+ token windows)
- Code generation (fix suggestions): GitHub Copilot or Qodo (trained on massive code corpus, IDE-integrated)
- Multi-language polyglot repos: Qodo or CodeAnt AI (support 30+ languages with consistent quality)
Intelligent Review Routing
// Example: Route reviews to appropriate AI model based on complexity
interface ReviewRoutingStrategy {
async routeReview(pr: PullRequest): Promise<ReviewEngine> {
const metrics = await this.analyzePRComplexity(pr);
if (metrics.filesChanged > 50 || metrics.linesChanged > 1000) {
return new HumanReviewRequired("Too large for automated review");
}
if (metrics.securitySensitive || metrics.affectsAuth) {
return new AIEngine("claude-3.7-sonnet", {
temperature: 0.1, // Low temperature for deterministic security analysis
maxTokens: 4000,
systemPrompt: SECURITY_FOCUSED_PROMPT
});
}
if (metrics.testCoverageGap > 20) {
return new QodoEngine({
mode: "test-generation",
coverageTarget: 80
});
}
// Default to fast, balanced model for routine changes
return new AIEngine("gpt-4o", {
temperature: 0.3,
maxTokens: 2000
});
}
}
Incremental Review (Large PRs)
Break massive PRs into reviewable chunks:
# Example: Chunk-based review for large changesets
def incremental_review(pr_diff, chunk_size=300):
"""Review large PRs in manageable increments"""
chunks = split_diff_by_logical_units(pr_diff, max_lines=chunk_size)
reviews = []
context_window = [] # Maintain context across chunks
for chunk in chunks:
prompt = f"""
Previous review context: {context_window[-3:]}
Current code segment:
{chunk.diff}
Review this segment for issues, maintaining awareness of previous findings.
"""
review = llm.generate(prompt, model="claude-3.5-sonnet")
reviews.append(review)
context_window.append({"chunk": chunk.id, "summary": review.summary})
# Synthesize final holistic review
final_review = synthesize_reviews(reviews, context_window)
return final_review
Architecture and Design Pattern Analysis
Architectural Coherence Checks
-
Dependency Direction Validation: Ensure inner layers don't depend on outer layers (Clean Architecture)
-
SOLID Principles Compliance:
- Single Responsibility: Classes/functions doing one thing well
- Open/Closed: Extensions via interfaces, not modifications
- Liskov Substitution: Subclasses honor base class contracts
- Interface Segregation: No fat interfaces forcing unnecessary implementations
- Dependency Inversion: Depend on abstractions, not concretions
-
Design Pattern Misuse Detection:
- Singleton anti-pattern (global state, testing nightmares)
- God objects (classes exceeding 500 lines or 20 methods)
- Anemic domain models (data classes with no behavior)
- Shotgun surgery code smells (changes requiring edits across many files)
Microservices-Specific Review
// Example: Review microservice boundaries and communication patterns
type MicroserviceReviewChecklist struct {
// Service boundary validation
CheckServiceCohesion bool // Single business capability per service?
CheckDataOwnership bool // Each service owns its database?
CheckAPIVersioning bool // Proper semantic versioning?
CheckBackwardCompatibility bool // Breaking changes flagged?
// Communication patterns
CheckSyncCommunication bool // REST/gRPC used appropriately?
CheckAsyncCommunication bool // Events for cross-service notifications?
CheckCircuitBreakers bool // Resilience patterns implemented?
CheckRetryPolicies bool // Exponential backoff configured?
// Data consistency
CheckEventualConsistency bool // Saga pattern for distributed transactions?
CheckIdempotency bool // Duplicate event handling safe?
CheckOutboxPattern bool // Reliable event publishing?
}
func (r *MicroserviceReviewer) AnalyzeServiceBoundaries(code string) []Issue {
issues := []Issue{}
// Check for database sharing anti-pattern
if detectsSharedDatabase(code) {
issues = append(issues, Issue{
Severity: "HIGH",
Category: "Architecture",
Message: "Services sharing database violates bounded context principle",
Fix: "Implement database-per-service pattern with eventual consistency",
Reference: "https://microservices.io/patterns/data/database-per-service.html",
})
}
// Validate API contract stability
if hasBreakingAPIChanges(code) && !hasDeprecationWarnings(code) {
issues = append(issues, Issue{
Severity: "CRITICAL",
Category: "API Design",
Message: "Breaking API change without deprecation period",
Fix: "Maintain backward compatibility via API versioning (v1, v2 endpoints)",
})
}
return issues
}
Domain-Driven Design (DDD) Review
Check for proper DDD implementation:
- Bounded contexts clearly defined: No leaky abstractions between domains
- Ubiquitous language: Code terminology matches business domain language
- Aggregate boundaries: Consistency boundaries enforced via aggregates
- Value objects: Immutable objects for domain concepts (Money, Email, etc.)
- Domain events: State changes published as events for decoupling
Security Vulnerability Detection
Multi-Layered Security Analysis
Layer 1 - SAST (Static Application Security Testing):
- CodeQL: Semantic analysis for complex vulnerabilities (e.g., second-order SQL injection)
- Semgrep: Fast pattern matching for OWASP Top 10 (XSS, CSRF, insecure deserialization)
- Bandit (Python) / Brakeman (Ruby) / Gosec (Go): Language-specific security linters
Layer 2 - AI-Enhanced Threat Modeling:
# Example: AI-assisted threat identification
security_analysis_prompt = """
Analyze this authentication code for security vulnerabilities:
{code_snippet}
Check for:
1. Authentication bypass vulnerabilities
2. Broken access control (IDOR, privilege escalation)
3. JWT token validation flaws
4. Session fixation or hijacking risks
5. Timing attack vulnerabilities in comparison logic
6. Missing rate limiting on auth endpoints
7. Insecure password storage (non-bcrypt/argon2)
8. Credential stuffing protection gaps
For each vulnerability found, provide:
- CWE identifier
- CVSS score estimate
- Exploit scenario
- Remediation code example
"""
# Execute with security-tuned model
findings = claude.analyze(security_analysis_prompt, temperature=0.1)
Layer 3 - Secret Scanning:
# Integrated secret detection pipeline
trufflehog git file://. --json | \
jq '.[] | select(.Verified == true) | {
secret_type: .DetectorName,
file: .SourceMetadata.Data.Filename,
line: .SourceMetadata.Data.Line,
severity: "CRITICAL"
}'
OWASP Top 10 Automated Checks (2025)
- A01 - Broken Access Control: Check for missing authorization checks, IDOR vulnerabilities
- A02 - Cryptographic Failures: Detect weak hashing, insecure random number generation
- A03 - Injection: SQL, NoSQL, command injection via taint analysis
- A04 - Insecure Design: AI review for missing threat modeling, security requirements
- A05 - Security Misconfiguration: Check default credentials, unnecessary features enabled
- A06 - Vulnerable Components: Snyk/Dependabot for known CVEs in dependencies
- A07 - Authentication Failures: Session management, MFA missing, weak password policies
- A08 - Data Integrity Failures: Unsigned JWTs, lack of integrity checks on serialized data
- A09 - Logging Failures: Missing audit logs for security-relevant events
- A10 - SSRF: Server-side request forgery via unvalidated user-controlled URLs
Performance and Scalability Review
Performance Profiling Integration
// Example: Performance regression detection in CI/CD
class PerformanceReviewAgent {
async analyzePRPerformance(prNumber) {
// Run benchmarks against baseline
const baseline = await this.loadBaselineMetrics('main');
const prBranch = await this.runBenchmarks(`pr-${prNumber}`);
const regressions = this.detectRegressions(baseline, prBranch, {
cpuThreshold: 10, // 10% CPU increase triggers warning
memoryThreshold: 15, // 15% memory increase triggers warning
latencyThreshold: 20, // 20% latency increase triggers warning
});
if (regressions.length > 0) {
await this.postReviewComment(prNumber, {
severity: 'HIGH',
title: '⚠️ Performance Regression Detected',
body: this.formatRegressionReport(regressions),
suggestions: await this.aiGenerateOptimizations(regressions),
});
}
}
async aiGenerateOptimizations(regressions) {
const prompt = `
Performance regressions detected:
${JSON.stringify(regressions, null, 2)}
Code causing regression:
${await this.getDiffForRegressions(regressions)}
Suggest optimizations focusing on:
- Algorithmic complexity reduction
- Database query optimization (N+1 queries, missing indexes)
- Caching opportunities
- Async/parallel execution
- Memory allocation patterns
Provide concrete code examples for each optimization.
`;
return await gpt4.generate(prompt);
}
}
Scalability Red Flags
Check for common scalability issues:
- N+1 Query Problem: Sequential database calls in loops
- Missing Indexes: Full table scans on large datasets
- Synchronous External Calls: Blocking I/O operations
- In-Memory State: Non-distributed caches, session affinity requirements
- Unbounded Collections: Lists/arrays that grow indefinitely
- Missing Pagination: Endpoints returning all records without limits
- Lack of Connection Pooling: Creating new DB connections per request
- Missing Rate Limiting: APIs vulnerable to resource exhaustion attacks
# Example: Detect N+1 query anti-pattern
def detect_n_plus_1_queries(code_ast):
"""Static analysis to catch N+1 query patterns"""
issues = []
for loop in find_loops(code_ast):
db_calls = find_database_calls_in_scope(loop.body)
if len(db_calls) > 0:
issues.append({
'severity': 'HIGH',
'category': 'Performance',
'line': loop.line_number,
'message': f'Potential N+1 query: {len(db_calls)} DB calls inside loop',
'fix': 'Use eager loading (JOIN) or batch loading to fetch related data upfront',
'example': generate_fix_example(loop, db_calls)
})
return issues
Code Quality Metrics and Standards
DORA Metrics Integration
Track how code reviews impact DevOps performance:
- Deployment Frequency: Measure time from PR creation to merge to deploy
- Lead Time for Changes: Track review time as percentage of total lead time
- Change Failure Rate: Correlate review thoroughness with production incidents
- Mean Time to Recovery: Measure how fast issues caught in review vs. production
# Example: GitHub Actions workflow tracking DORA metrics
name: DORA Metrics Tracking
on: [pull_request, push]
jobs:
track-metrics:
runs-on: ubuntu-latest
steps:
- name: Calculate PR Lead Time
run: |
PR_CREATED=$(gh pr view ${{ github.event.number }} --json createdAt -q .createdAt)
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
LEAD_TIME=$(calculate_duration $PR_CREATED $NOW)
echo "pr_lead_time_hours=$LEAD_TIME" >> $GITHUB_OUTPUT
- name: Track Review Time
run: |
FIRST_REVIEW=$(gh pr view ${{ github.event.number }} --json reviews -q '.reviews[0].submittedAt')
REVIEW_TIME=$(calculate_duration $PR_CREATED $FIRST_REVIEW)
echo "review_time_hours=$REVIEW_TIME" >> $GITHUB_OUTPUT
- name: Send to DataDog/Grafana
run: |
curl -X POST https://metrics.example.com/dora \
-d "metric=lead_time&value=$LEAD_TIME&pr=${{ github.event.number }}"
Code Quality Thresholds
Enforce quality gates in automated review:
{
"quality_gates": {
"sonarqube": {
"coverage": { "min": 80, "severity": "HIGH" },
"duplications": { "max": 3, "severity": "MEDIUM" },
"code_smells": { "max": 5, "severity": "LOW" },
"bugs": { "max": 0, "severity": "CRITICAL" },
"vulnerabilities": { "max": 0, "severity": "CRITICAL" },
"security_hotspots": { "max": 0, "severity": "HIGH" },
"maintainability_rating": { "min": "A", "severity": "MEDIUM" },
"reliability_rating": { "min": "A", "severity": "HIGH" },
"security_rating": { "min": "A", "severity": "CRITICAL" }
},
"cyclomatic_complexity": {
"per_function": { "max": 10, "severity": "MEDIUM" },
"per_file": { "max": 50, "severity": "HIGH" }
},
"pr_size": {
"lines_changed": { "max": 500, "severity": "INFO" },
"files_changed": { "max": 20, "severity": "INFO" }
}
}
}
Multi-Language Quality Standards
# Example: Language-specific quality rules
LANGUAGE_STANDARDS = {
"python": {
"linters": ["ruff", "mypy", "bandit"],
"formatters": ["black", "isort"],
"complexity_max": 10,
"line_length": 88,
"type_coverage_min": 80,
},
"javascript": {
"linters": ["eslint", "typescript-eslint"],
"formatters": ["prettier"],
"complexity_max": 15,
"line_length": 100,
},
"go": {
"linters": ["golangci-lint"],
"formatters": ["gofmt", "goimports"],
"complexity_max": 15,
"error_handling": "required", # All errors must be handled
},
"rust": {
"linters": ["clippy"],
"formatters": ["rustfmt"],
"complexity_max": 10,
"unsafe_code": "forbidden", # Require unsafe review approval
},
"java": {
"linters": ["checkstyle", "spotbugs", "pmd"],
"formatters": ["google-java-format"],
"complexity_max": 10,
"null_safety": "required", # Use Optional<T> instead of null
}
}
Review Comment Generation
Structured Review Output Format
// Example: Standardized review comment structure
interface ReviewComment {
path: string; // File path relative to repo root
line: number; // Line number (0-indexed or 1-indexed per platform)
severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'INFO';
category: 'Security' | 'Performance' | 'Bug' | 'Maintainability' | 'Style' | 'Architecture';
title: string; // One-line summary (< 80 chars)
description: string; // Detailed explanation (markdown supported)
codeExample?: string; // Suggested fix as code snippet
references?: string[]; // Links to docs, standards, CVEs
autoFixable: boolean; // Can be auto-applied without human review
cwe?: string; // CWE identifier for security issues
cvss?: number; // CVSS score for vulnerabilities
effort: 'trivial' | 'easy' | 'medium' | 'hard';
tags: string[]; // e.g., ["async", "database", "refactoring"]
}
// Example comment generation
const comment: ReviewComment = {
path: "src/auth/login.ts",
line: 42,
severity: "CRITICAL",
category: "Security",
title: "SQL Injection Vulnerability in Login Query",
description: `
The login query uses string concatenation with user input, making it vulnerable to SQL injection attacks.
**Attack Vector:**
An attacker could input: \`admin' OR '1'='1\` to bypass authentication.
**Impact:**
Complete authentication bypass, unauthorized access to all user accounts.
`,
codeExample: `
// ❌ Vulnerable code (current)
const query = \`SELECT * FROM users WHERE username = '\${username}' AND password = '\${password}'\`;
// ✅ Secure code (recommended)
const query = 'SELECT * FROM users WHERE username = ? AND password = ?';
const result = await db.execute(query, [username, hashedPassword]);
`,
references: [
"https://cwe.mitre.org/data/definitions/89.html",
"https://owasp.org/www-community/attacks/SQL_Injection"
],
autoFixable: false,
cwe: "CWE-89",
cvss: 9.8,
effort: "easy",
tags: ["sql-injection", "authentication", "owasp-top-10"]
};
AI-Generated Review Templates
# Example: Template-based review comment generation
REVIEW_TEMPLATES = {
"missing_error_handling": """
**Missing Error Handling** ⚠️
Line {line}: The {operation} operation can fail but no error handling is present.
**Potential Issues:**
- Unhandled exceptions causing crashes
- Poor user experience with generic error messages
- Difficult debugging in production
**Recommended Fix:**
```{language}
{suggested_code}
Testing:
-
Add unit test for error case: {test_case_suggestion}
-
Verify graceful degradation in failure scenarios """,
"n_plus_1_query": """ Performance Issue: N+1 Query Detected 🐌
Line {line}: Loading related data inside a loop causes {n} database queries instead of 1.
Performance Impact:
- Current: O(n) queries for {n} items = ~{estimated_time}ms
- Optimized: O(1) query = ~{optimized_time}ms
- Improvement: {improvement_factor}x faster
Recommended Fix:
{suggested_code_with_eager_loading}
Reference: https://docs.example.com/performance/eager-loading """, }
def generate_review_comment(issue_type, context): """Generate human-friendly review comment from template""" template = REVIEW_TEMPLATES.get(issue_type) if not template: # Fall back to AI generation for non-templated issues return ai_generate_comment(context)
return template.format(**context)
### Actionable Suggestions Format
Review comments should be:
- **Specific**: Reference exact file paths and line numbers
- **Actionable**: Provide concrete code examples, not abstract advice
- **Justified**: Explain why the issue matters (security, performance, maintainability)
- **Prioritized**: Use severity levels to help developers triage
- **Constructive**: Frame as improvements, not criticism
- **Linked**: Include documentation references for learning
## Integration with CI/CD Pipelines
### GitHub Actions Integration
```yaml
# .github/workflows/ai-code-review.yml
name: AI Code Review
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
ai-review:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better context
- name: Run Static Analysis Suite
run: |
# SonarQube analysis
sonar-scanner \
-Dsonar.projectKey=${{ github.repository }} \
-Dsonar.pullrequest.key=${{ github.event.number }} \
-Dsonar.pullrequest.branch=${{ github.head_ref }} \
-Dsonar.pullrequest.base=${{ github.base_ref }}
# CodeQL analysis
codeql database create codeql-db --language=javascript,python,go
codeql database analyze codeql-db --format=sarif-latest --output=codeql-results.sarif
# Semgrep security scan
semgrep scan --config=auto --sarif --output=semgrep-results.sarif
- name: AI-Enhanced Review (GPT-4)
env:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
run: |
python scripts/ai_review.py \
--pr-number ${{ github.event.number }} \
--model gpt-4o \
--static-analysis-results codeql-results.sarif,semgrep-results.sarif \
--sonarqube-url ${{ secrets.SONARQUBE_URL }} \
--output review-comments.json
- name: Post Review Comments
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const comments = JSON.parse(fs.readFileSync('review-comments.json', 'utf8'));
for (const comment of comments) {
await github.rest.pulls.createReviewComment({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
body: comment.body,
path: comment.path,
line: comment.line,
side: 'RIGHT',
});
}
- name: Quality Gate Check
run: |
# Block merge if critical issues found
CRITICAL_COUNT=$(jq '[.[] | select(.severity == "CRITICAL")] | length' review-comments.json)
if [ $CRITICAL_COUNT -gt 0 ]; then
echo "❌ Found $CRITICAL_COUNT critical issues. Fix before merging."
exit 1
fi
- name: Track DORA Metrics
if: always()
run: |
python scripts/track_dora_metrics.py \
--pr-number ${{ github.event.number }} \
--review-time ${{ steps.timing.outputs.review_duration }} \
--issues-found $(jq 'length' review-comments.json)
GitLab CI/CD Integration
# .gitlab-ci.yml
stages:
- analyze
- review
- quality-gate
static-analysis:
stage: analyze
image: sonarsource/sonar-scanner-cli:latest
script:
- sonar-scanner -Dsonar.projectKey=$CI_PROJECT_NAME
- semgrep scan --config=auto --json --output=semgrep.json
artifacts:
reports:
sast: semgrep.json
paths:
- sonar-report.json
- semgrep.json
ai-code-review:
stage: review
image: python:3.11
dependencies:
- static-analysis
script:
- pip install openai anthropic requests
- |
python - <<EOF
import os
import json
from anthropic import Anthropic
client = Anthropic(api_key=os.environ['ANTHROPIC_API_KEY'])
# Load static analysis results
with open('semgrep.json') as f:
semgrep_results = json.load(f)
# Get MR diff
mr_diff = os.popen(f'git diff origin/{os.environ["CI_MERGE_REQUEST_TARGET_BRANCH_NAME"]}...HEAD').read()
# AI review with Claude
response = client.messages.create(
model="claude-3-5-sonnet-20241022",
max_tokens=4000,
temperature=0.2,
messages=[{
"role": "user",
"content": f"""Review this merge request:
Diff: {mr_diff[:10000]}
Static analysis: {json.dumps(semgrep_results)}
Provide structured review focusing on security, performance, and architecture."""
}]
)
# Save review
with open('ai-review.json', 'w') as f:
json.dump({'review': response.content[0].text}, f)
EOF
artifacts:
paths:
- ai-review.json
quality-gate:
stage: quality-gate
script:
- |
# Parse review and check for blockers
CRITICAL=$(jq '[.issues[] | select(.severity == "CRITICAL")] | length' ai-review.json)
if [ $CRITICAL -gt 0 ]; then
echo "Quality gate failed: $CRITICAL critical issues"
exit 1
fi
only:
- merge_requests
Azure DevOps Pipeline Integration
# azure-pipelines.yml
trigger:
branches:
include:
- main
- develop
pr:
branches:
include:
- '*'
pool:
vmImage: 'ubuntu-latest'
stages:
- stage: CodeReview
jobs:
- job: StaticAnalysis
steps:
- task: SonarQubePrepare@6
inputs:
SonarQube: 'SonarQube-Connection'
scannerMode: 'CLI'
configMode: 'manual'
cliProjectKey: '$(Build.Repository.Name)'
- task: PowerShell@2
displayName: 'Run Semgrep'
inputs:
targetType: 'inline'
script: |
pip install semgrep
semgrep scan --config=auto --json --output semgrep-results.json
- task: SonarQubeAnalyze@6
- task: SonarQubePublish@6
inputs:
pollingTimeoutSec: '300'
- job: AIReview
dependsOn: StaticAnalysis
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '3.11'
- script: |
pip install openai tiktoken
python scripts/azure_ai_review.py \
--pr-id $(System.PullRequest.PullRequestId) \
--repo $(Build.Repository.Name) \
--model gpt-4o
displayName: 'AI Code Review'
env:
OPENAI_API_KEY: $(OpenAI.ApiKey)
AZURE_DEVOPS_PAT: $(System.AccessToken)
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: 'review-results.json'
artifactName: 'CodeReview'
Complete Code Examples
Example 1: Full AI Review Automation Script
#!/usr/bin/env python3
"""
AI-Powered Code Review Automation
Integrates static analysis + LLM review + automated commenting
"""
import os
import json
import subprocess
from dataclasses import dataclass
from typing import List, Dict, Any
from anthropic import Anthropic
import requests
@dataclass
class ReviewIssue:
file_path: str
line: int
severity: str # CRITICAL, HIGH, MEDIUM, LOW, INFO
category: str
title: str
description: str
code_example: str = ""
auto_fixable: bool = False
def to_github_comment(self) -> Dict[str, Any]:
"""Convert to GitHub review comment format"""
severity_emoji = {
'CRITICAL': '🚨',
'HIGH': '⚠️',
'MEDIUM': '💡',
'LOW': 'ℹ️',
'INFO': '📝'
}
body = f"{severity_emoji[self.severity]} **{self.title}** ({self.severity})\n\n"
body += f"**Category:** {self.category}\n\n"
body += self.description
if self.code_example:
body += f"\n\n**Suggested Fix:**\n```\n{self.code_example}\n```"
return {
'path': self.file_path,
'line': self.line,
'body': body
}
class CodeReviewOrchestrator:
def __init__(self, pr_number: int, repo: str):
self.pr_number = pr_number
self.repo = repo
self.github_token = os.environ['GITHUB_TOKEN']
self.anthropic_client = Anthropic(api_key=os.environ['ANTHROPIC_API_KEY'])
self.issues: List[ReviewIssue] = []
def run_static_analysis(self) -> Dict[str, Any]:
"""Execute static analysis tools in parallel"""
print("Running static analysis suite...")
results = {}
# Run SonarQube
subprocess.run([
'sonar-scanner',
f'-Dsonar.projectKey={self.repo}',
'-Dsonar.sources=src',
], check=True)
# Run Semgrep
semgrep_output = subprocess.check_output([
'semgrep', 'scan',
'--config=auto',
'--json'
])
results['semgrep'] = json.loads(semgrep_output)
# Run CodeQL (if available)
try:
subprocess.run(['codeql', 'database', 'create', 'codeql-db'], check=True)
codeql_output = subprocess.check_output([
'codeql', 'database', 'analyze', 'codeql-db',
'--format=json'
])
results['codeql'] = json.loads(codeql_output)
except FileNotFoundError:
print("CodeQL not available, skipping")
return results
def get_pr_diff(self) -> str:
"""Fetch PR diff from GitHub API"""
url = f"https://api.github.com/repos/{self.repo}/pulls/{self.pr_number}"
headers = {
'Authorization': f'Bearer {self.github_token}',
'Accept': 'application/vnd.github.v3.diff'
}
response = requests.get(url, headers=headers)
response.raise_for_status()
return response.text
def ai_review(self, diff: str, static_results: Dict[str, Any]) -> List[ReviewIssue]:
"""Perform AI-assisted review using Claude"""
print("Performing AI review with Claude 3.5 Sonnet...")
prompt = f"""You are an expert code reviewer. Analyze this pull request comprehensively.
**Pull Request Diff:**
{diff[:15000]} # Limit to fit context window
**Static Analysis Results:**
{json.dumps(static_results, indent=2)[:5000]}
**Review Focus Areas:**
1. Security vulnerabilities (SQL injection, XSS, auth bypasses, secrets)
2. Performance issues (N+1 queries, missing indexes, inefficient algorithms)
3. Architecture violations (SOLID principles, separation of concerns)
4. Bug risks (null pointer errors, race conditions, edge cases)
5. Maintainability (code smells, duplication, poor naming)
**Output Format:**
Return JSON array of issues with this structure:
[
{{
"file_path": "src/auth.py",
"line": 42,
"severity": "CRITICAL|HIGH|MEDIUM|LOW|INFO",
"category": "Security|Performance|Bug|Architecture|Maintainability",
"title": "Brief issue summary",
"description": "Detailed explanation with impact",
"code_example": "Suggested fix code",
"auto_fixable": true|false
}}
]
Only report actionable issues. Be specific with line numbers and file paths.
"""
response = self.anthropic_client.messages.create(
model="claude-3-5-sonnet-20241022",
max_tokens=8000,
temperature=0.2, # Low temperature for consistent, factual reviews
messages=[{"role": "user", "content": prompt}]
)
# Parse JSON from response
content = response.content[0].text
# Extract JSON from markdown code blocks if present
if '```json' in content:
content = content.split('```json')[1].split('```')[0]
elif '```' in content:
content = content.split('```')[1].split('```')[0]
issues_data = json.loads(content.strip())
return [ReviewIssue(**issue) for issue in issues_data]
def post_review_comments(self, issues: List[ReviewIssue]):
"""Post review comments to GitHub PR"""
print(f"Posting {len(issues)} review comments to GitHub...")
url = f"https://api.github.com/repos/{self.repo}/pulls/{self.pr_number}/reviews"
headers = {
'Authorization': f'Bearer {self.github_token}',
'Accept': 'application/vnd.github.v3+json'
}
# Group by severity for summary
by_severity = {}
for issue in issues:
by_severity.setdefault(issue.severity, []).append(issue)
# Create review summary
summary = "## 🤖 AI Code Review Summary\n\n"
for severity in ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO']:
count = len(by_severity.get(severity, []))
if count > 0:
summary += f"- **{severity}**: {count} issue(s)\n"
review_data = {
'body': summary,
'event': 'COMMENT', # or 'REQUEST_CHANGES' if critical issues
'comments': [issue.to_github_comment() for issue in issues]
}
# Check if we should block merge
critical_count = len(by_severity.get('CRITICAL', []))
if critical_count > 0:
review_data['event'] = 'REQUEST_CHANGES'
review_data['body'] += f"\n\n❌ **Merge blocked:** {critical_count} critical issue(s) must be resolved."
response = requests.post(url, headers=headers, json=review_data)
response.raise_for_status()
print("✅ Review posted successfully")
def run_review(self):
"""Orchestrate full review process"""
print(f"Starting AI code review for PR #{self.pr_number}")
# Step 1: Static analysis
static_results = self.run_static_analysis()
# Step 2: Get PR diff
diff = self.get_pr_diff()
# Step 3: AI review
ai_issues = self.ai_review(diff, static_results)
# Step 4: Deduplicate with static analysis findings
self.issues = self.deduplicate_issues(ai_issues, static_results)
# Step 5: Post to GitHub
if self.issues:
self.post_review_comments(self.issues)
else:
print("✅ No issues found - code looks good!")
# Step 6: Generate metrics report
self.generate_metrics_report()
def deduplicate_issues(self, ai_issues: List[ReviewIssue],
static_results: Dict[str, Any]) -> List[ReviewIssue]:
"""Remove duplicate findings across tools"""
seen = set()
unique_issues = []
for issue in ai_issues:
key = (issue.file_path, issue.line, issue.category)
if key not in seen:
seen.add(key)
unique_issues.append(issue)
return unique_issues
def generate_metrics_report(self):
"""Generate review metrics for tracking"""
metrics = {
'pr_number': self.pr_number,
'total_issues': len(self.issues),
'by_severity': {},
'by_category': {},
'auto_fixable_count': sum(1 for i in self.issues if i.auto_fixable)
}
for issue in self.issues:
metrics['by_severity'][issue.severity] = \
metrics['by_severity'].get(issue.severity, 0) + 1
metrics['by_category'][issue.category] = \
metrics['by_category'].get(issue.category, 0) + 1
# Save to file for CI artifact
with open('review-metrics.json', 'w') as f:
json.dump(metrics, f, indent=2)
print(f"\n📊 Review Metrics:")
print(json.dumps(metrics, indent=2))
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(description='AI Code Review')
parser.add_argument('--pr-number', type=int, required=True)
parser.add_argument('--repo', required=True, help='owner/repo')
args = parser.parse_args()
reviewer = CodeReviewOrchestrator(args.pr_number, args.repo)
reviewer.run_review()
Example 2: Qodo (CodiumAI) Integration for Test Generation
#!/usr/bin/env python3
"""
Qodo Integration: Automatic Test Generation for PRs
"""
import requests
import json
from typing import List, Dict
class QodoTestGenerator:
def __init__(self, api_key: str):
self.api_key = api_key
self.base_url = "https://api.qodo.ai/v1"
def analyze_code_coverage(self, pr_diff: str) -> Dict[str, any]:
"""Analyze which new code lacks test coverage"""
# Parse diff to extract new/modified functions
new_functions = self.extract_functions_from_diff(pr_diff)
coverage_gaps = []
for func in new_functions:
if not self.has_test_coverage(func):
coverage_gaps.append(func)
return {
'total_new_functions': len(new_functions),
'untested_functions': len(coverage_gaps),
'coverage_percentage':
(len(new_functions) - len(coverage_gaps)) / len(new_functions) * 100
if new_functions else 100,
'gaps': coverage_gaps
}
def generate_tests(self, function_code: str, context: str) -> str:
"""Generate test cases using Qodo AI"""
response = requests.post(
f"{self.base_url}/generate-tests",
headers={'Authorization': f'Bearer {self.api_key}'},
json={
'code': function_code,
'context': context,
'test_framework': 'pytest', # or 'jest', 'junit', etc.
'coverage_target': 80,
'include_edge_cases': True
}
)
response.raise_for_status()
return response.json()['generated_tests']
def suggest_tests_for_pr(self, pr_number: int, repo: str) -> List[str]:
"""Generate test suggestions for entire PR"""
# Get PR diff
pr_diff = self.fetch_pr_diff(pr_number, repo)
# Analyze coverage
coverage = self.analyze_code_coverage(pr_diff)
test_files = []
for gap in coverage['gaps']:
tests = self.generate_tests(gap['code'], gap['context'])
test_files.append({
'file': gap['test_file_path'],
'content': tests
})
return test_files
def extract_functions_from_diff(self, diff: str) -> List[Dict]:
"""Parse diff to find new function definitions"""
# Simplified parser - production version would use AST
functions = []
lines = diff.split('\n')
for i, line in enumerate(lines):
if line.startswith('+') and ('def ' in line or 'function ' in line):
functions.append({
'name': self.extract_function_name(line),
'code': self.extract_function_body(lines, i),
'file': self.get_current_file(lines, i),
'line': i
})
return functions
# Helper methods omitted for brevity...
# Usage in CI/CD
if __name__ == '__main__':
generator = QodoTestGenerator(api_key=os.environ['QODO_API_KEY'])
test_files = generator.suggest_tests_for_pr(
pr_number=int(os.environ['PR_NUMBER']),
repo=os.environ['GITHUB_REPOSITORY']
)
# Post as PR comment with test suggestions
comment = "## 🧪 Suggested Test Cases\n\n"
comment += "Qodo AI detected missing test coverage. Here are suggested tests:\n\n"
for test_file in test_files:
comment += f"**{test_file['file']}**\n```python\n{test_file['content']}\n```\n\n"
# Post to GitHub
post_pr_comment(comment)
Example 3: Multi-Language Static Analysis Orchestrator
// multi-language-analyzer.ts
import { spawnSync } from 'child_process';
import { readFileSync, writeFileSync, readdirSync } from 'fs';
import { join } from 'path';
interface AnalysisResult {
tool: string;
language: string;
issues: Issue[];
duration: number;
}
interface Issue {
file: string;
line: number;
severity: 'critical' | 'high' | 'medium' | 'low';
message: string;
rule: string;
}
class MultiLanguageAnalyzer {
private results: AnalysisResult[] = [];
async analyzeRepository(repoPath: string): Promise<AnalysisResult[]> {
const languages = this.detectLanguages(repoPath);
console.log(`Detected languages: ${languages.join(', ')}`);
// Run analysis for each language in parallel
const analyses = languages.map(lang => this.analyzeLanguage(repoPath, lang));
this.results = await Promise.all(analyses);
return this.results;
}
private detectLanguages(repoPath: string): string[] {
const files = this.getAllFiles(repoPath);
const extensions = new Set(files.map(f => f.split('.').pop()));
const languageMap: Record<string, string> = {
'py': 'python',
'js': 'javascript',
'ts': 'typescript',
'go': 'go',
'rs': 'rust',
'java': 'java',
'rb': 'ruby',
'php': 'php',
'cs': 'csharp',
};
return Array.from(extensions)
.map(ext => languageMap[ext!])
.filter(Boolean);
}
private getAllFiles(dir: string, files: string[] = []): string[] {
const entries = readdirSync(dir, { withFileTypes: true });
for (const entry of entries) {
const fullPath = join(dir, entry.name);
if (entry.isDirectory()) {
this.getAllFiles(fullPath, files);
} else {
files.push(fullPath);
}
}
return files;
}
private async analyzeLanguage(
repoPath: string,
language: string
): Promise<AnalysisResult> {
const startTime = Date.now();
let issues: Issue[] = [];
switch (language) {
case 'python':
issues = await this.analyzePython(repoPath);
break;
case 'javascript':
case 'typescript':
issues = await this.analyzeJavaScript(repoPath);
break;
case 'go':
issues = await this.analyzeGo(repoPath);
break;
case 'rust':
issues = await this.analyzeRust(repoPath);
break;
case 'java':
issues = await this.analyzeJava(repoPath);
break;
default:
console.warn(`No analyzer configured for ${language}`);
}
return {
tool: this.getToolForLanguage(language),
language,
issues,
duration: Date.now() - startTime,
};
}
private async analyzePython(repoPath: string): Promise<Issue[]> {
// Run ruff for linting (using safe spawnSync)
const ruffResult = spawnSync('ruff', ['check', repoPath, '--format', 'json'], {
encoding: 'utf-8'
});
const ruffIssues = ruffResult.stdout ? JSON.parse(ruffResult.stdout) : [];
// Run bandit for security
const banditResult = spawnSync('bandit', ['-r', repoPath, '-f', 'json'], {
encoding: 'utf-8'
});
const banditIssues = banditResult.stdout ? JSON.parse(banditResult.stdout) : [];
// Run mypy for type checking
const mypyResult = spawnSync('mypy', [repoPath, '--json'], {
encoding: 'utf-8'
});
const mypyIssues = mypyResult.stdout ? JSON.parse(mypyResult.stdout) : [];
// Merge results
return [
...this.parseRuffIssues(ruffIssues),
...this.parseBanditIssues(banditIssues),
...this.parseMypyIssues(mypyIssues),
];
}
private async analyzeJavaScript(repoPath: string): Promise<Issue[]> {
// ESLint
const eslintResult = spawnSync('eslint', [repoPath, '--format', 'json'], {
encoding: 'utf-8'
});
const eslintIssues = eslintResult.stdout ? JSON.parse(eslintResult.stdout) : [];
// Semgrep for security
const semgrepResult = spawnSync('semgrep', ['scan', repoPath, '--config=auto', '--json'], {
encoding: 'utf-8'
});
const semgrepIssues = semgrepResult.stdout ? JSON.parse(semgrepResult.stdout) : [];
return [
...this.parseESLintIssues(eslintIssues),
...this.parseSemgrepIssues(semgrepIssues),
];
}
private async analyzeGo(repoPath: string): Promise<Issue[]> {
// go vet
const vetResult = spawnSync('go', ['vet', './...'], {
cwd: repoPath,
encoding: 'utf-8'
});
// golangci-lint
const lintResult = spawnSync('golangci-lint', ['run', '--out-format', 'json'], {
cwd: repoPath,
encoding: 'utf-8'
});
const lintIssues = lintResult.stdout ? JSON.parse(lintResult.stdout) : [];
// gosec for security
const gosecResult = spawnSync('gosec', ['-fmt', 'json', './...'], {
cwd: repoPath,
encoding: 'utf-8'
});
const gosecIssues = gosecResult.stdout ? JSON.parse(gosecResult.stdout) : [];
return [
...this.parseGoLintIssues(lintIssues),
...this.parseGosecIssues(gosecIssues),
];
}
private getToolForLanguage(language: string): string {
const tools: Record<string, string> = {
python: 'ruff + bandit + mypy',
javascript: 'eslint + semgrep',
typescript: 'eslint + typescript + semgrep',
go: 'golangci-lint + gosec',
rust: 'clippy + cargo-audit',
java: 'spotbugs + pmd + checkstyle',
};
return tools[language] || 'semgrep';
}
generateReport(): string {
const totalIssues = this.results.reduce((sum, r) => sum + r.issues.length, 0);
const bySeverity = {
critical: 0,
high: 0,
medium: 0,
low: 0,
};
for (const result of this.results) {
for (const issue of result.issues) {
bySeverity[issue.severity]++;
}
}
let report = '# Multi-Language Static Analysis Report\n\n';
report += `**Total Issues:** ${totalIssues}\n\n`;
report += `**By Severity:**\n`;
report += `- 🚨 Critical: ${bySeverity.critical}\n`;
report += `- ⚠️ High: ${bySeverity.high}\n`;
report += `- 💡 Medium: ${bySeverity.medium}\n`;
report += `- ℹ️ Low: ${bySeverity.low}\n\n`;
report += `**By Language:**\n`;
for (const result of this.results) {
report += `- ${result.language}: ${result.issues.length} issues (${result.tool})\n`;
}
return report;
}
// Parser methods would go here...
private parseRuffIssues(issues: any[]): Issue[] { return []; }
private parseBanditIssues(issues: any[]): Issue[] { return []; }
private parseMypyIssues(issues: any[]): Issue[] { return []; }
private parseESLintIssues(issues: any[]): Issue[] { return []; }
private parseSemgrepIssues(issues: any[]): Issue[] { return []; }
private parseGoLintIssues(issues: any[]): Issue[] { return []; }
private parseGosecIssues(issues: any[]): Issue[] { return []; }
}
// Usage
const analyzer = new MultiLanguageAnalyzer();
await analyzer.analyzeRepository('/path/to/repo');
console.log(analyzer.generateReport());
Reference Examples
Reference 1: Complete PR Review Workflow with DORA Metrics
Scenario: Enterprise team reviewing a microservice API change with security-sensitive authentication logic.
Workflow:
-
PR Created (t=0)
- Developer opens PR #4251 for OAuth2 token validation improvements
- GitHub Actions automatically triggers on pull_request event
-
Static Analysis Phase (t=0 to t=2min)
- Parallel execution: SonarQube, Semgrep, CodeQL, Snyk
- Findings:
- SonarQube: 2 code smells (complexity), 89% coverage (below 90% threshold)
- Semgrep: 1 HIGH - Timing attack in token comparison
- CodeQL: 1 MEDIUM - Missing rate limiting on auth endpoint
- Snyk: 0 vulnerabilities (dependencies clean)
-
AI Review Phase (t=2min to t=4min)
- Feed static results + diff to Claude 3.5 Sonnet
- AI Findings:
- CRITICAL: Timing attack vulnerability (confirmed Semgrep finding with exploit code)
- HIGH: Missing circuit breaker for downstream auth service calls
- MEDIUM: Token caching strategy could cause stale tokens (race condition)
- LOW: Consider structured logging for auth events (audit trail)
-
Review Comment Generation (t=4min to t=5min)
- Deduplicate findings (timing attack reported by both Semgrep and AI)
- Enrich with code examples and fix suggestions
- Post 4 review comments to GitHub PR with inline code suggestions
-
Quality Gate Evaluation (t=5min)
- Result: BLOCK_MERGE (1 critical + coverage gap)
-
Developer Fixes Issues (t=5min to t=45min)
- Applies AI-suggested timing-safe comparison
- Adds circuit breaker with Hystrix
- Increases test coverage to 92%
- Pushes new commit
-
Re-Review (t=45min to t=48min)
- Automated re-review triggered on new commit
- All static checks pass
- AI confirms fixes address original issues
- Quality gate: PASS ✅
-
Merge + Deploy (t=48min to t=55min)
- Final metrics:
- Lead time for changes: 55 minutes
- Review time percentage: 9% (5min / 55min)
- Deploy time: 7 minutes
- Deployment frequency: +1 (15 deployments today)
- Final metrics:
-
Post-Deploy Monitoring (t=55min to t=24h)
- No production errors detected
- Auth latency unchanged (p99 = 145ms)
- Change failure rate: 0% (successful deployment)
Outcome:
- Total time from PR open to production: 55 minutes
- Issues caught in review (not production): 4 (including 1 CRITICAL security vulnerability)
- Developer experience: Instant feedback, clear action items, auto-suggested fixes
- Security posture: Timing attack prevented before production exposure
Reference 2: AI-Generated Test Cases for Untested Code
Scenario: PR introduces new payment processing logic with no test coverage.
Detection:
Coverage analysis detects 0% coverage on new payment processor file with 3 uncovered functions: process_payment, handle_webhook, refund_transaction.
Qodo Test Generation: AI generates comprehensive test suite including:
- Happy path scenarios (successful payments in multiple currencies)
- Edge cases (zero/negative amounts, invalid signatures)
- Error handling (network failures, API errors)
- Mocking external Stripe API calls
Review Comment Posted: Tool posts AI-generated test file with 92% coverage (above 85% target), including parametrized tests and proper mocking patterns.
Outcome:
- Developer reviews AI-generated tests
- Makes minor adjustments (adds one business-specific edge case)
- Commits tests alongside original code
- PR passes quality gate with 92% coverage
- Stripe payment logic fully tested before production deployment
Summary
This AI-powered code review tool provides enterprise-grade automated review capabilities by:
- Orchestrating multiple static analysis tools (SonarQube, CodeQL, Semgrep) for comprehensive coverage
- Leveraging state-of-the-art LLMs (GPT-4, Claude 3.5 Sonnet) for contextual understanding beyond pattern matching
- Integrating seamlessly with CI/CD pipelines (GitHub Actions, GitLab CI, Azure DevOps) for instant feedback
- Supporting 30+ programming languages with language-specific linters and security scanners
- Generating actionable review comments with code examples, severity levels, and fix suggestions
- Tracking DORA metrics to measure review effectiveness and DevOps performance
- Enforcing quality gates to prevent low-quality or insecure code from reaching production
- Auto-generating test cases for uncovered code using Qodo/CodiumAI
- Providing complete automation from PR open to merge with human oversight only where needed
Use this tool to elevate code review from manual, inconsistent process to automated, AI-assisted quality assurance that catches issues early, provides instant feedback, and maintains high engineering standards across your entire codebase.