Adding AI code review to your CI/CD pipeline means every PR gets automated analysis before a human looks at it. The AI catches the mechanical issues — missing error handling, obvious security patterns, style violations — so human reviewers can focus on architecture and business logic.
This guide covers three approaches: a hosted tool (CodeRabbit), Claude API scripts, and GitHub Copilot.
Option 1: CodeRabbit (Easiest)
CodeRabbit is a hosted AI code review service that integrates with GitHub in 10 minutes.
Setup:
- Go to coderabbit.ai
- Install the GitHub App on your repository
- Done — CodeRabbit automatically reviews every PR
No workflow file needed. CodeRabbit listens for PR events via GitHub App and posts reviews automatically.
Configuration (optional, .coderabbit.yaml in repo root):
reviews:
request_changes_workflow: true # Block PRs with high-severity issues
high_level_summary: true
poem: false
review_status: true
language_settings:
python:
enforce_type_hints: true
typescript:
max_function_length: 50
ignore_patterns:
- "*.test.ts"
- "migrations/**"Best for: Teams that want zero-setup AI review with good defaults.
Option 2: Claude API in GitHub Actions
Build your own AI review workflow with Claude:
# .github/workflows/ai-review.yml
name: AI Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
ai-review:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get PR diff
id: diff
run: |
git diff origin/${{ github.base_ref }}..HEAD > pr_diff.txt
echo "diff_size=$(wc -l < pr_diff.txt)" >> $GITHUB_OUTPUT
- name: Run AI Review
if: steps.diff.outputs.diff_size > 0
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.repository }}
run: |
python3 - << 'EOF'
import os
import anthropic
import requests
# Read the diff
with open("pr_diff.txt") as f:
diff = f.read()
# Limit diff size to avoid large API calls
if len(diff) > 50000:
diff = diff[:50000] + "\n\n[... diff truncated for length ...]"
client = anthropic.Anthropic(api_key=os.environ["ANTHROPIC_API_KEY"])
response = client.messages.create(
model="claude-3-7-sonnet-20250219",
max_tokens=2048,
system="""You are an expert code reviewer. Review the provided git diff and:
1. CRITICAL issues (bugs, security vulnerabilities, data loss risks) — must fix
2. HIGH issues (performance problems, missing error handling, logic errors)
3. MEDIUM issues (code style, missing tests, unclear names)
4. SUGGESTIONS (improvements that would be nice but aren't required)
Format each issue as:
[SEVERITY] `file.py:42` — Description — Suggested fix
End with a summary: APPROVE / REQUEST_CHANGES / COMMENT
Be concise. Only flag real issues, not opinions.""",
messages=[{
"role": "user",
"content": f"Review this pull request diff:\n\n```diff\n{diff}\n```"
}]
)
review_body = response.content[0].text
# Determine review action
if "REQUEST_CHANGES" in review_body:
event = "REQUEST_CHANGES"
elif "APPROVE" in review_body:
event = "APPROVE"
else:
event = "COMMENT"
# Post review to GitHub
headers = {
"Authorization": f"Bearer {os.environ['GITHUB_TOKEN']}",
"Accept": "application/vnd.github+json"
}
repo = os.environ["REPO"]
pr_number = os.environ["PR_NUMBER"]
requests.post(
f"https://api.github.com/repos/{repo}/pulls/{pr_number}/reviews",
headers=headers,
json={
"body": f"## AI Code Review\n\n{review_body}",
"event": event
}
)
print(f"Posted review with event: {event}")
EOFAdd the secret in your repository:
- Go to Settings → Secrets → Actions
- Add
ANTHROPIC_API_KEYwith your Anthropic API key
Option 3: Language-Specific Review Scripts
For more targeted review, create scripts that analyze specific types of code:
# scripts/security_review.py
"""Security-focused review for Python files changed in this PR."""
import sys
import anthropic
import subprocess
def get_changed_python_files() -> list[str]:
result = subprocess.run(
["git", "diff", "--name-only", "origin/main..HEAD"],
capture_output=True, text=True
)
return [f for f in result.stdout.splitlines() if f.endswith('.py')]
def review_file_security(filepath: str) -> str:
with open(filepath) as f:
code = f.read()
if len(code) > 20000: # Skip very large files
return f"{filepath}: Skipped (too large)"
client = anthropic.Anthropic()
response = client.messages.create(
model="claude-haiku-4-5-20251001", # Haiku is fast/cheap for this
max_tokens=1024,
messages=[{
"role": "user",
"content": f"""Security review for {filepath}.
Identify ONLY security issues:
- SQL injection risks
- Command injection
- Hardcoded secrets or API keys
- Insecure random number generation for security purposes
- Missing input validation on user-supplied data
- Unsafe deserialization
- Path traversal vulnerabilities
Code:
```python
{code}If no security issues found, say ”✅ No security issues found.” Otherwise list issues with line numbers.""" }] )
return f"**{filepath}**\n{response.content[0].text}"if name == “main”: files = get_changed_python_files()
if not files:
print("No Python files changed.")
sys.exit(0)
print(f"Reviewing {len(files)} changed Python files...\n")
issues_found = False
for filepath in files:
try:
result = review_file_security(filepath)
print(result)
print()
if "No security issues" not in result:
issues_found = True
except FileNotFoundError:
print(f"{filepath}: File not found (may have been deleted)")
sys.exit(1 if issues_found else 0)
Add to your workflow:
```yaml
- name: Security Review
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
run: |
pip install anthropic
python scripts/security_review.pyBest Practices for CI AI Review
Control costs: Set max_tokens limits. Use Haiku for fast, cheap checks; Sonnet for comprehensive review.
Don’t block merges on AI review alone: AI reviewers make false positives. Use them to add comments/suggestions, not to block PRs without human override.
Limit diff size: Large diffs produce worse AI reviews. Cap at 500-1000 lines or review changed files individually.
Skip generated files: Add exclusion patterns for node_modules/, dist/, migrations, and other generated code.
Cache results: For the same commit, don’t re-run review on subsequent CI triggers. Store results and check for commit SHA match.
Make it actionable: The best AI reviews tell developers exactly what to change. Vague “this could be improved” comments add noise. Tune your prompts to produce specific, actionable feedback.
Expected Outcomes
Teams that add AI code review to CI typically report:
- 20-40% reduction in human review time (AI catches the mechanical issues)
- Fewer minor bugs in production (security patterns, null checks, error handling)
- More consistent style enforcement (no more style debates in reviews)
- Faster PR cycles (AI review is instant; no waiting for a human reviewer for first pass)
The ROI is clearest on teams where code review is a bottleneck — either because reviewers are scarce or because the review cycle is slow. AI review runs in seconds, any time of day.