Code Review With AI

5 min read
Tech Lead

AI catches style and common bugs. It doesn't catch 'this will break in 6 months when we add feature X.' You own the roadmap context.

Appsec

AI finds known vulnerability patterns. It misses business-logic flaws and 'would an attacker think of this?' — that's human work.

Backend

AI flags SQL injection. It doesn't flag 'this query will timeout at scale.' Performance and scale are your domain.

TL;DR

  • AI catches: style issues, common bugs (null checks, off-by-one), known security patterns (SQL injection, XSS).
  • AI misses: architectural fit, "will this scale?", business logic correctness, and team conventions.
  • Use AI for the first pass. You do the second pass — the one that asks "should we build this at all?"

Code review is one of the highest-leverage uses of AI in dev workflows. It's also one where over-trust gets you in trouble.

What AI Catches

Style and Consistency

  • Formatting. Unused imports. Naming conventions.
  • AI is good at "this doesn't match the rest of the codebase" when it has context.

Common Bug Patterns

  • Null/undefined access. Missing error handling. Resource leaks (unclosed connections, file handles).
  • Off-by-one errors. Wrong loop bounds. Race conditions in simple async code.
  • AI has seen these thousands of times. It spots them fast.

Known Security Issues

  • SQL injection. XSS. Hardcoded secrets. Insecure deserialization.
  • AI knows OWASP. It'll flag the textbook stuff.
  • What it won't flag: custom auth logic, business-logic bypasses, "would a motivated attacker exploit this?"

Simple Logic Errors

  • "This condition is always true." "This variable is never used." "You're comparing string to number."
  • AI is reliable for the mechanical checks.

What AI Misses

Architectural Fit

  • "This adds a circular dependency."
  • "This pattern will make it hard to add multi-tenancy later."
  • "We're trying to get off this legacy system — why are we adding more coupling to it?"
  • AI doesn't know your roadmap or your tech debt strategy.

Performance and Scale

  • "This query is O(n²) — it'll be fine for 100 rows, death at 100K."
  • "This endpoint will get called 10K times/sec. No caching?"
  • AI doesn't profile. It doesn't know your load.
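The quotes above are the kind of finding a reviewer can only make by measuring. As an added example (not code from the article), the block below constructs a small in-memory orders/customers store with sqlite3 and counts the SQL statements two equivalent functions execute. The naive version is exactly what passes an AI pass: parameterized, no leaks, readable. It also issues one extra query per row, so at 100K rows it is 100K round trips. Table names, row counts and the `count_statements` helper are assumptions for the demonstration.

```python
import sqlite3


def make_shop_db(n_orders: int) -> sqlite3.Connection:
    """Constructed sample data: n_orders orders spread over 10 customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)")
    conn.executemany(
        "INSERT INTO customers (id, name) VALUES (?, ?)",
        [(i, f"customer-{i}") for i in range(1, 11)],
    )
    conn.executemany(
        "INSERT INTO orders (customer_id, total) VALUES (?, ?)",
        [(i % 10 + 1, 10.0 * i) for i in range(n_orders)],
    )
    return conn


def count_statements(conn: sqlite3.Connection, fn):
    """Run fn(conn) and return (result, number of SQL statements sqlite executed).

    sqlite3's trace callback fires once per statement, which is a cheap stand-in
    for the query log a profiler or APM tool would give you in production.
    """
    executed = 0

    def on_statement(_sql: str) -> None:
        nonlocal executed
        executed += 1

    conn.set_trace_callback(on_statement)
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return result, executed


def orders_with_names_naive(conn: sqlite3.Connection):
    """Passes style and security review: parameterized, no resource leaks.

    It still runs one SELECT per order (the classic N+1 pattern), so its cost
    grows with the table. Nothing in the text of this function says "slow".
    """
    rows = conn.execute("SELECT id, customer_id, total FROM orders ORDER BY id").fetchall()
    out = []
    for order_id, customer_id, total in rows:
        (name,) = conn.execute(
            "SELECT name FROM customers WHERE id = ?", (customer_id,)
        ).fetchone()
        out.append((order_id, name, total))
    return out


def orders_with_names_batched(conn: sqlite3.Connection):
    """Same rows, same order, one statement regardless of table size."""
    return conn.execute(
        "SELECT o.id, c.name, o.total FROM orders o "
        "JOIN customers c ON c.id = o.customer_id ORDER BY o.id"
    ).fetchall()


def compare(n_orders: int) -> dict:
    """Measure both implementations on the same constructed data set."""
    conn = make_shop_db(n_orders)
    naive, naive_q = count_statements(conn, orders_with_names_naive)
    batched, batched_q = count_statements(conn, orders_with_names_batched)
    return {
        "same_result": naive == batched,
        "naive_queries": naive_q,      # n_orders + 1
        "batched_queries": batched_q,  # 1, independent of n_orders
    }


if __name__ == "__main__":
    for n in (100, 10_000):
        print(n, compare(n))
```

The point for the review: both functions return identical rows, so a correctness-only reviewer (human or AI) has no reason to prefer one. Only the statement count, which you get from profiling or knowing the expected load, tells you the first one will not survive.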

Business Logic

  • "Refunds should require manager approval over $500. This code doesn't."
  • "We can't charge before the trial ends. This does."
  • AI doesn't know your business rules. It can't verify correctness.

Team and Org Context

  • "We're deprecating this API in Q3. Don't add new usages."
  • "This violates our incident response playbook."
  • AI doesn't sit in your meetings.

How to Use AI for Code Review

  1. Run AI first. Get the style, security, and obvious-bug pass. Triage its suggestions.
  2. You do the "so what?" pass. Does this fit our architecture? Our roadmap? Our conventions?
  3. Don't delegate "approve" to AI. AI says "looks fine" on code that's correct but wrong for your context. You own the final call.
  4. Use AI for your own PRs before submitting. Catch the low-hanging fruit before your teammates spend time on it.

Quick Check

AI flags SQL injection and suggests a fix. What can AI NOT catch in the same review?

You manually read every line. Check style, security, logic. Cross-reference the ticket and architecture docs. 30–60 minutes per PR.

Do This Next

  1. Run AI review on one open PR (yours or a teammate's). See what it catches. See what you'd add. Compare.
  2. Add one "AI wouldn't catch this" comment to your next review. Make the human value explicit.