AI Code Review
AI code review accelerates first-pass feedback on diffs — security patterns, missing tests, convention drift — but it does not replace an accountable human reviewer.
Last reviewed: June 2026
Review features in Cursor, Codex, Copilot, and GitHub change often. Verify /review commands and Action versions before rolling out team-wide.
The problem
Teams want faster PR turnaround. Models can scan diffs for obvious issues in seconds. The failure mode is rubber-stamping: merging because "the AI said LGTM" without reading the diff.
AI review is good for: first-pass checklist, catching patterns humans tire of, consistency across large teams.
AI review is bad for: business logic correctness, subtle race conditions, product intent, "does this feature actually work."
Workflow overview
```mermaid
flowchart LR
    author[Author opens PR] --> ai[AI first-pass review]
    ai --> human[Human reviewer]
    human --> ci[CI tests + lint]
    ci --> merge[Merge]
    ai -->|critical findings| fix[Author fixes]
    fix --> ai
```
Human review stays mandatory for production paths. AI output is input to the reviewer, not a substitute.
In-IDE review (Cursor / Claude Code / Codex)
Cursor
Paste diff or use @Git context:
```text
Review this diff for:
1. Security: SQL injection, XSS, missing auth, secrets in code
2. Tests: new logic has coverage
3. Scope: no unrelated refactors
List findings as Critical / Suggestion / Nit. Do not approve — I will decide.
```
Use Plan mode first on large PRs to list files before deep review.
Claude Code
```text
claude
> Review the diff against main. Focus on auth and error handling.
> Output a checklist with pass/fail per category.
```
Pair with a security-review skill for consistent checklists.
OpenAI Codex
Codex supports /review in supported environments (verify current docs). GitHub Action available for automated PR comments — pin action version and scope to non-blocking comments.
Skill-based review (recommended for teams)
Store the checklist in .cursor/skills/security-review/SKILL.md — see Agent Skills.
| Category | Checks |
|---|---|
| Auth | Mutations call session/auth middleware |
| Input | External input validated (Zod, etc.) |
| Secrets | No keys in source; env vars server-side |
| SQL | Parameterized queries only |
| XSS | No unsanitized HTML injection |
| Scope | Diff matches PR description |
| Tests | New branches have tests |
Invoke with /security-review or rely on auto-discovery when PR touches src/api/**.
CI integration patterns
| Pattern | Blocking? | Notes |
|---|---|---|
| GitHub Action posts AI comments | No | Human reads comments; never auto-merge on AI alone |
| Required human approval | Yes | CODEOWNERS unchanged |
| AI + lint + test gate | Yes | AI does not replace CI |
| Pre-commit hook (local) | Optional | Fast feedback, but local hooks are easy to skip, so do not rely on them alone |
Example: Codex or third-party review Action comments on PR — team policy says comments are hints, not approval.
Never expose API keys in workflow YAML — use GitHub Secrets.
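A workflow that follows the table above (comment-only, pinned, secrets out of the YAML), written as an added example rather than taken from the page or from any vendor's docs. The review Action name and its SHA are placeholders; the secret name `AI_API_KEY` is an assumption.

```yaml
# Added example, not from the page or any vendor: an advisory AI review job.
name: ai-review

on:
  pull_request:            # not pull_request_target: fork PRs get no secrets and no write token
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write     # the only write the job needs: posting review comments

jobs:
  ai-review:
    runs-on: ubuntu-latest
    continue-on-error: true   # advisory: a model timeout must not fail the PR's checks
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # so the Action can diff the PR against its base branch

      # Placeholder: replace with the team's chosen review Action, pinned to a full
      # commit SHA (not a floating tag) so a compromised tag cannot change what runs.
      - uses: example-org/ai-review-action@0000000000000000000000000000000000000000
        env:
          AI_API_KEY: ${{ secrets.AI_API_KEY }}       # assumed secret name; never inline the key here
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Do not list this job as a required status check in branch protection; the required checks stay lint, tests, and the human approval from CODEOWNERS.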
Prompt template for diff review
```text
Review ONLY the changed lines in this PR.
Stack: Next.js 15, TypeScript strict, Zod validation.
Output format:
## Critical (must fix before merge)
- ...
## Suggestions
- ...
## Nits
- ...
Do not write "LGTM" or approve. Flag uncertainty as "needs human judgment."
```
Attach the diff, not the whole repo — see Context Engineering.
What AI review misses
| Gap | Why humans still matter |
|---|---|
| Business rules | Model does not know product requirements |
| Cross-service contracts | API changes in another repo |
| Performance at scale | No load test data in diff |
| UX / accessibility | Visual and a11y need manual check |
| Malicious intent | Insider threat patterns |
| Novel algorithms | Correctness proofs |
Use Testing AI-Generated Code and Pre-Merge Verification after AI review.
Team policy
Document in Team AI Policy:
- AI review is advisory unless explicitly upgraded with human sign-off
- `ai-assisted` label on PRs where author used agents heavily
- Critical findings from AI must be resolved or explicitly waived by CODEOWNER
- No merging on AI "approval" text alone
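The prompt template's three-section output and the policy rules above can be enforced mechanically. The following is an added example, not code from the page or from any review product: it parses the `## Critical / Suggestions / Nits` markdown, flags output that ignored the template (an "LGTM", a missing section), and decides mergeability by the rules listed (a listed critical finding needs a CODEOWNER waiver, only a non-bot approval counts, a bot approval is a misconfiguration). The `Review` and `Waiver` shapes, the `isBot` flag and the sample AI output are assumptions constructed for the example.

```typescript
// Added example for the diff-review template and team policy on this page.
// Data shapes are assumptions, not any forge's or vendor's API.

export type Severity = "critical" | "suggestion" | "nit";

export interface Finding {
  severity: Severity;
  text: string;
}

// One review event on the PR. Assumption: CI maps bot accounts to isBot=true.
export interface Review {
  author: string;
  isBot: boolean;
  state: "approved" | "changes_requested" | "commented";
}

// A recorded waiver of one finding (assumed format, e.g. a PR comment).
export interface Waiver {
  findingText: string;
  by: string;
}

export interface MergeDecision {
  mergeable: boolean;
  reasons: string[];
}

// Parse the three-section markdown the diff-review prompt asks for.
export function parseAiReview(markdown: string): Finding[] {
  const findings: Finding[] = [];
  let current: Severity | null = null;
  for (const raw of markdown.split("\n")) {
    const line = raw.trim();
    const heading = /^##\s+(Critical|Suggestions|Nits)\b/i.exec(line);
    if (heading) {
      const h = heading[1].toLowerCase();
      current = h === "critical" ? "critical" : h === "suggestions" ? "suggestion" : "nit";
      continue;
    }
    if (current !== null && line.startsWith("- ")) {
      const text = line.slice(2).trim();
      // Skip the template's "- ..." placeholders and empty bullets.
      if (text !== "" && text !== "...") findings.push({ severity: current, text });
    }
  }
  return findings;
}

// Flag AI output that ignored the template: an approval phrase, or a missing section.
export function templateViolations(markdown: string): string[] {
  const issues: string[] = [];
  if (/\bLGTM\b/i.test(markdown)) issues.push('AI output contains "LGTM"; it must not approve');
  for (const section of ["Critical", "Suggestions", "Nits"]) {
    if (!new RegExp(`^##\\s+${section}\\b`, "im").test(markdown)) {
      issues.push(`missing "## ${section}" section`);
    }
  }
  return issues;
}

// Apply the team policy. A critical finding counts as resolved only when the
// latest AI pass no longer lists it; one still listed needs a CODEOWNER waiver.
export function evaluateMerge(
  aiReview: string,
  reviews: Review[],
  waivers: Waiver[],
  codeowners: string[],
): MergeDecision {
  const reasons: string[] = [];
  const waived = new Set(
    waivers.filter((w) => codeowners.includes(w.by)).map((w) => w.findingText),
  );
  for (const f of parseAiReview(aiReview)) {
    if (f.severity === "critical" && !waived.has(f.text)) {
      reasons.push(`critical finding not waived by a CODEOWNER: ${f.text}`);
    }
  }
  // AI review is advisory: only a non-bot approval satisfies required review.
  if (!reviews.some((r) => !r.isBot && r.state === "approved")) {
    reasons.push("no human approval");
  }
  // A bot account posting an approval means the review Action is mis-scoped.
  if (reviews.some((r) => r.isBot && r.state === "approved")) {
    reasons.push("bot account posted an approval; AI review must be comment-only");
  }
  return { mergeable: reasons.length === 0, reasons };
}

// Constructed sample AI output for the example (not real tool output).
export const SAMPLE_AI_REVIEW = `## Critical (must fix before merge)
- src/api/users.ts: DELETE handler does not call requireSession()
## Suggestions
- Validate the id param with a Zod schema
## Nits
- Rename tmp to userId
`;

// Human approval present, but the critical finding is unwaived: blocked.
export function example(): MergeDecision {
  return evaluateMerge(
    SAMPLE_AI_REVIEW,
    [
      { author: "review-bot", isBot: true, state: "commented" },
      { author: "bob", isBot: false, state: "approved" },
    ],
    [],
    ["alice"],
  );
}
```

Run `example()` to see the blocked decision with its single reason; adding a waiver by `alice` (a CODEOWNER) for the exact finding text makes the same PR mergeable, while a waiver by a non-owner does not.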
Production concerns
| Concern | What to do |
|---|---|
| Cost | Review full diffs only on open PR; avoid re-reviewing unchanged commits |
| Latency | Run AI review async; do not block CI on model latency |
| Data leakage | Enterprise plans / zero-retention for proprietary code |
| False positives | Tune skill checklists; reviewers learn to ignore noise |
| False negatives | Never reduce human review because AI ran |