Human code review catches logic errors well but misses systematic security issues, inconsistent error handling, and architecture violations. AI code review is the opposite — it is excellent at systematic pattern matching across the diff but poor at understanding business logic. Together they catch what either misses alone. This is how to build an AI code review system that actually ships useful feedback.
⚡ TL;DR: Build a GitHub Action that runs AI review on every PR diff. Use separate specialized prompts for security, architecture, and quality — not one generic “review this” prompt. Post inline comments on specific lines. Track which categories of issues get fixed vs ignored to improve the prompt over time.
GitHub Action setup
```yaml
# .github/workflows/ai-code-review.yml
name: AI Code Review
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  ai-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # To post review comments
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # Full history, so the base branch is available for the diff
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci          # Assumes package.json lists @anthropic-ai/sdk and @octokit/rest
      - name: Get PR diff
        id: diff
        run: |
          git diff origin/${{ github.base_ref }}...HEAD -- '*.ts' '*.js' '*.py' > pr.diff
          echo "diff_size=$(wc -c < pr.diff)" >> "$GITHUB_OUTPUT"
      - name: Run AI review
        if: steps.diff.outputs.diff_size < 50000   # Skip massive diffs
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: node .github/scripts/ai-review.js
```

One caveat on the trigger: with `pull_request`, a PR opened from a fork runs with a read-only token and without repository secrets, so the review step simply does not run for it. Do not switch to `pull_request_target` to work around that, because that event runs the workflow with write permissions and secrets against content the PR author controls, and the diff is exactly that content.
Specialized review prompts — not one generic prompt
```javascript
// .github/scripts/ai-review.js — separate prompts for each concern
import Anthropic from '@anthropic-ai/sdk';

const client = new Anthropic();   // reads ANTHROPIC_API_KEY from the environment

const REVIEW_PROMPTS = {
  security: `You are a security code reviewer. Review this diff for:
- SQL injection (template literals in queries)
- Missing authentication on new routes
- Secrets or credentials in code
- Unsafe deserialization
- Missing input validation
- CORS misconfiguration
Return JSON: [{file, line, severity: "critical"|"high"|"medium", issue, fix}]
Only include ACTUAL issues. Be precise about line numbers.`,

  architecture: `You are an architecture reviewer. Check for:
- Direct database access in route handlers (should use service layer)
- Business logic in repositories (should be in services)
- Missing error handling on async operations
- N+1 query patterns in loops
- Circular dependencies
Return JSON: [{file, line, severity, issue, fix}]`,

  quality: `You are a code quality reviewer. Check for:
- Functions over 40 lines (extract helpers)
- Duplicated code that should be extracted
- Missing TypeScript types (any usage)
- console.log left in production code
- Missing tests for new public functions
Return JSON: [{file, line, severity: "low"|"medium", issue, fix}]`
};

// The model is told to return a bare JSON array; tolerate a fenced block anyway and treat
// unparseable output as "no findings" so one malformed answer does not fail the whole job.
function parseIssues(text) {
  const cleaned = text.replace(/^\s*```(?:json)?\s*|\s*```\s*$/g, '').trim();
  try {
    const parsed = JSON.parse(cleaned);
    return Array.isArray(parsed) ? parsed : [];
  } catch (err) {
    console.warn('Could not parse review output as JSON:', err.message);
    return [];
  }
}

// Run all three reviewers in parallel and tag each finding with its category
async function reviewDiff(diff) {
  const reviews = await Promise.all(
    Object.entries(REVIEW_PROMPTS).map(([type, prompt]) =>
      client.messages.create({
        model: 'claude-opus-4-5',
        max_tokens: 2000,
        system: prompt + '\nReturn ONLY valid JSON. No prose.',
        messages: [{ role: 'user', content: 'Review this diff:\n' + diff }]
      }).then(r => ({ type, issues: parseIssues(r.content[0].text) }))
    )
  );
  return reviews.flatMap(r => r.issues.map(i => ({ ...i, category: r.type })));
}
```
Posting inline PR comments
```javascript
// Post review findings as GitHub PR review comments (same file: ai-review.js)
import fs from 'node:fs';
import { Octokit } from '@octokit/rest';

async function postReviewComments(issues, prNumber, commitSha) {
  const octokit = new Octokit({ auth: process.env.GITHUB_TOKEN });
  const [owner, repo] = process.env.GITHUB_REPOSITORY.split('/');

  // One inline comment per critical/high finding; anything lower is dropped here
  const comments = issues
    .filter(i => i.severity === 'critical' || i.severity === 'high')
    .map(i => ({
      path: i.file,
      line: i.line,   // must be a line that appears in the PR diff, or GitHub rejects the whole review
      body: [
        `**${i.category.toUpperCase()} — ${i.severity.toUpperCase()}**`,
        '',
        `**Issue:** ${i.issue}`,
        '',
        `**Suggested fix:** ${i.fix}`,
        '',
        `*Generated by AI code review — verify before acting*`
      ].join('\n')
    }));

  // Both reviews are posted as COMMENT. A REQUEST_CHANGES from the bot would block the merge
  // under branch protection and an APPROVE could count as a required review; both contradict
  // the rules below (AI review supplements human review and never gates a PR on its own).
  if (comments.length === 0) {
    await octokit.rest.pulls.createReview({
      owner, repo, pull_number: prNumber, commit_id: commitSha,
      body: '✅ AI code review found no critical or high severity issues.',
      event: 'COMMENT'
    });
    return;
  }

  await octokit.rest.pulls.createReview({
    owner, repo, pull_number: prNumber, commit_id: commitSha,
    body: `AI code review found ${comments.length} issues requiring attention.`,
    event: 'COMMENT',
    comments
  });
}

// Entry point: the diff written by the workflow step; PR number and head SHA from the event payload
const event = JSON.parse(fs.readFileSync(process.env.GITHUB_EVENT_PATH, 'utf8'));
const issues = await reviewDiff(fs.readFileSync('pr.diff', 'utf8'));
await postReviewComments(issues, event.pull_request.number, event.pull_request.head.sha);
```
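The security prompt asks the model to "be precise about line numbers", but nothing above checks that it was. GitHub's review API rejects inline comments on lines outside the diff, and a model can hallucinate a file or line, so one bad location fails the whole createReview call. The following is an added example, not code from the original script: it parses the unified diff the workflow already wrote to pr.diff and sets aside any finding that cannot be placed. The function names, the sample diff and the sample findings are constructed for this example.

```javascript
// Parse a unified diff into a Map of path -> Set of new-side line numbers present in the
// diff. Added lines and unchanged context lines can carry an inline comment; removed lines
// cannot, because they exist only on the old side.
function commentableLines(diff) {
  const files = new Map();
  let current = null;   // path of the file whose hunks are being read
  let newLine = 0;      // next line number on the new side
  for (const raw of diff.split('\n')) {
    if (raw === '' || raw.startsWith('diff --git')) { current = null; continue; }
    if (raw.startsWith('--- ')) continue;
    if (raw.startsWith('+++ ')) {
      const path = raw.slice(4).replace(/^b\//, '');
      current = path === '/dev/null' ? null : path;   // /dev/null: the file was deleted
      if (current) files.set(current, new Set());
      continue;
    }
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (!current) continue;                 // "index ...", "new file mode ..." and similar headers
    if (raw.startsWith('-')) continue;      // old side only
    if (raw.startsWith('\\')) continue;     // "\ No newline at end of file"
    files.get(current).add(newLine);        // '+' added line or ' ' context line
    newLine++;
  }
  return files;
}

// Split findings into those that can be posted inline and those whose location is not in
// the diff. The rejected ones keep a reason so they can be logged or listed in the review
// body instead of being silently dropped.
function partitionByDiff(issues, diff) {
  const lines = commentableLines(diff);
  const postable = [];
  const rejected = [];
  for (const issue of issues) {
    const set = lines.get(issue.file);
    const line = Number(issue.line);        // models sometimes return the line as a string
    if (!set) rejected.push({ ...issue, reason: 'file not in diff' });
    else if (!Number.isInteger(line) || !set.has(line)) rejected.push({ ...issue, reason: 'line not in diff' });
    else postable.push({ ...issue, line });
  }
  return { postable, rejected };
}

// Constructed sample diff (not from the page): one query line rewritten in src/db.ts
const SAMPLE_DIFF = [
  'diff --git a/src/db.ts b/src/db.ts',
  'index 1111111..2222222 100644',
  '--- a/src/db.ts',
  '+++ b/src/db.ts',
  '@@ -10,3 +10,4 @@ export async function findUser(id: string) {',
  '   const client = await pool.connect();',
  '-  const rows = await client.query("SELECT * FROM users WHERE id = $1", [id]);',
  '+  const rows = await client.query(`SELECT * FROM users WHERE id = ${id}`);',
  '+  console.log(rows);',
  '   return rows[0];'
].join('\n');

// Constructed sample findings: two real locations, one invented line, one invented file
const SAMPLE_ISSUES = [
  { file: 'src/db.ts', line: 11, severity: 'critical', category: 'security', issue: 'SQL built with a template literal', fix: 'Use a parameterised query' },
  { file: 'src/db.ts', line: '12', severity: 'low', category: 'quality', issue: 'console.log left in code', fix: 'Remove it' },
  { file: 'src/db.ts', line: 42, severity: 'high', category: 'security', issue: 'Missing input validation', fix: 'Validate id' },
  { file: 'src/auth.ts', line: 3, severity: 'high', category: 'security', issue: 'Missing authentication', fix: 'Add auth middleware' }
];

const result = partitionByDiff(SAMPLE_ISSUES, SAMPLE_DIFF);
console.log(`${result.postable.length} postable, ${result.rejected.length} rejected`);
```

Run partitionByDiff on the merged findings before postReviewComments; the rejected list is worth keeping in the run log, because a reviewer that keeps pointing at lines that do not exist is a prompt problem, not a posting problem.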
Making AI review actually useful — avoiding noise
Most AI code review tools fail because they are too noisy: every comment is noise unless it is actionable. Rules for useful AI code review:

1. Only post critical and high severity findings; ignore low and medium. Once developers see low-value findings, they learn to ignore all AI comments.
2. Skip review for:
   - Generated files (*.generated.ts, migrations)
   - Config files (.json, .yaml)
   - Tests (too many false positives on mocking patterns)
   - Diffs over 500 lines (review quality degrades with size)
3. Track signal quality over time:
   - Which issues get "resolved" (code changed after the comment)?
   - Which issues get "dismissed" (PR merged without a fix)?
   - Adjust the prompts to reduce the dismissed categories.

The skip rules live in .github/ai-review-ignore.json. JSON does not allow comments, so the notes are kept here: skip_categories starts empty, and a min_severity of "high" means only critical and high findings are posted.

```json
{
  "skip_files": ["*.generated.ts", "migrations/**", "*.test.ts"],
  "skip_categories": [],
  "min_severity": "high"
}
```
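The page gives the ignore config but not the code that applies it. The following is an added example, not part of the original script: it enforces the skip patterns, the category list, the minimum severity and the 500-line cut-off, and returns a tally of why each dropped finding was dropped, which is the raw material for the resolved-versus-dismissed tracking described above. The config shape is the page's; the function names, the glob translation, the maxDiffLines parameter and the sample inputs are this example's own.

```javascript
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Translate a small glob dialect into a RegExp: "**" spans directory separators, "*" and "?"
// stay within one path segment, everything else is literal.
function globToRegExp(glob) {
  let re = '';
  for (let i = 0; i < glob.length; i++) {
    const c = glob[i];
    if (c === '*' && glob[i + 1] === '*') { re += '.*'; i++; }
    else if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  return new RegExp('^' + re + '$');
}

// A pattern without a slash matches the file name at any depth (gitignore-style);
// a pattern with a slash matches the whole repository-relative path.
function matchesSkipPattern(path, patterns) {
  const base = path.slice(path.lastIndexOf('/') + 1);
  return patterns.some(p => globToRegExp(p).test(p.includes('/') ? path : base));
}

// Number of changed lines in a unified diff (added + removed, file headers excluded).
function changedLineCount(diff) {
  return diff.split('\n').filter(l =>
    (l.startsWith('+') && !l.startsWith('+++')) || (l.startsWith('-') && !l.startsWith('---'))
  ).length;
}

// Returns the findings to post and a tally of why the others were dropped. Logging the tally
// per run is what later lets "dismissed" categories be compared with what the filter removed.
function applyReviewPolicy(issues, config, diff, maxDiffLines = 500) {
  const dropped = { oversized_diff: 0, skipped_file: 0, skipped_category: 0,
                    below_min_severity: 0, unknown_severity: 0 };
  if (changedLineCount(diff) > maxDiffLines) {
    dropped.oversized_diff = issues.length;   // review quality degrades with size: post nothing
    return { post: [], dropped };
  }
  const minRank = SEVERITY_RANK[config.min_severity] ?? SEVERITY_RANK.high;
  const post = [];
  for (const issue of issues) {
    const rank = SEVERITY_RANK[issue.severity];
    if (matchesSkipPattern(issue.file, config.skip_files ?? [])) dropped.skipped_file++;
    else if ((config.skip_categories ?? []).includes(issue.category)) dropped.skipped_category++;
    else if (rank === undefined) dropped.unknown_severity++;   // a severity the prompt never allowed
    else if (rank < minRank) dropped.below_min_severity++;
    else post.push(issue);
  }
  return { post, dropped };
}

// Constructed sample inputs (not from the page)
const SAMPLE_CONFIG = {
  skip_files: ['*.generated.ts', 'migrations/**', '*.test.ts'],
  skip_categories: [],
  min_severity: 'high'
};
const SAMPLE_DIFF = [
  '--- a/src/routes/users.ts',
  '+++ b/src/routes/users.ts',
  '@@ -5,2 +5,3 @@',
  ' router.get("/users/:id", async (req, res) => {',
  '-  res.json(await findUser(req.params.id));',
  '+  const user = await db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);',
  '+  res.json(user);'
].join('\n');
const SAMPLE_ISSUES = [
  { file: 'src/routes/users.ts', line: 6, severity: 'critical', category: 'security', issue: 'SQL built with a template literal', fix: 'Use a parameterised query' },
  { file: 'src/api.generated.ts', line: 3, severity: 'critical', category: 'security', issue: 'Credential in generated client', fix: 'Regenerate without it' },
  { file: 'migrations/0042_add_index.ts', line: 8, severity: 'high', category: 'architecture', issue: 'Raw SQL in migration', fix: 'Use the migration builder' },
  { file: 'src/routes/users.test.ts', line: 20, severity: 'high', category: 'quality', issue: 'Mock never asserted', fix: 'Add an expectation' },
  { file: 'src/services/billing.ts', line: 77, severity: 'medium', category: 'quality', issue: 'Function over 40 lines', fix: 'Extract helpers' },
  { file: 'src/services/billing.ts', line: 90, severity: 'blocker', category: 'security', issue: 'Severity outside the allowed set', fix: 'n/a' }
];

const { post, dropped } = applyReviewPolicy(SAMPLE_ISSUES, SAMPLE_CONFIG, SAMPLE_DIFF);
console.log(`${post.length} to post`, dropped);
```

The order of the checks matters for the tally: a finding in a skipped file is counted as skipped_file even if its category or severity would also have dropped it, so the counts describe the first rule that fired, not every rule that applied.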
- ✅ Separate prompts for security, architecture, and quality — not one generic review
- ✅ Only post critical and high severity — medium/low creates review fatigue
- ✅ Skip generated files, migrations, and test files
- ✅ Track fix rate to improve prompts over time
- ✅ AI review supplements human review — never replaces it
- ❌ Never auto-block PRs on AI review alone — too many false positives
- ❌ Never review diffs over 500 lines — quality degrades and signal is lost
AI code review works best on top of strict TypeScript typing: well-typed code produces fewer false positives because type errors are already caught at compile time rather than flagged by the reviewer. If the review pipeline is deployed as a serverless function instead of a GitHub Action, the Lambda cold start patterns apply. External reference: GitHub Pull Request Reviews API.