Sign in Subscribe
agentic-coding

Agentic Coding: Code Reviews

Anatoliy Kolodkin

3 min read

Agentic Coding: Code Reviews - THE LGTM

Agentic Coding: Code Reviews

AI-powered code review is moving from novelty to necessity. The best teams are blending automated review with human judgment — here's how to build that workflow.

Last Updated: April 5, 2026

The Shift: AI-Native Review

Traditional code review: human writes code → human reviews → human approves.

AI-native review:

  • Human reviews specifications and architecture
  • AI reviews implementation details
  • Human validates outcomes and business logic

The long-term workflow shifts toward AI-native review where humans focus on what they do best: intent, constraints, and judgment.

What AI Code Review Catches

✅ Strengths

  • Security vulnerabilities (OWASP patterns)
  • Performance anti-patterns (N+1 queries, memory leaks)
  • Style inconsistencies
  • Dead code and unused imports
  • Logic errors in obvious cases
  • Missing error handling
  • Test coverage gaps

❌ Limitations

  • Business logic correctness
  • Architectural alignment
  • User experience implications
  • Contextual tradeoff decisions
  • Novel edge cases

Human-AI Workflow Patterns

Pattern 1: AI First Pass

Developer: opens PR
AI Agent: reviews automatically, posts comments
Human: addresses AI feedback, requests human review
Human: final approval

Benefit: Catches obvious issues before human spends time.

Pattern 2: Parallel Review

Developer: opens PR
AI Agent: reviews simultaneously with human
Human: sees AI comments alongside their own review
Both: discuss, iterate

Benefit: Human can validate or challenge AI findings.

Pattern 3: Validation Chain

Agent 1: writes code
Agent 2: reviews code, posts critique
Agent 3: addresses review comments
Human: reviews final result

Benefit: Multi-agent quality gates before human sees anything.

Tools for AI Code Review

Integrated (Built into IDEs/Agents)

  • GitHub Copilot: PR review comments, issue-to-PR automation
  • Augment Code: Purpose-built AI code review agent
  • Cursor: Background agents review PRs
  • Claude Code: Can review diffs with /review command

Standalone Review Tools

  • CodeRabbit: AI-powered PR review bot
  • PR-Agent: Open source AI review automation
  • Amazon CodeGuru: Security and performance review
  • DeepCode (Snyk): Static analysis + AI

HubSpot Sidekick Case Study

HubSpot built "Sidekick" — an AI code review agent deployed to production:

  • 90% faster initial review (AI vs human)
  • 80% approval rate on AI suggestions
  • False positive rate: 15% (acceptable tradeoff)
  • Catch rate: 70% of issues human reviewers found

Key insight: Not replacing humans, but handling the "trivial many" so humans focus on the "vital few."

Review Validation Chains

Advanced teams implement multi-stage validation:

Stage 1: Automated checks
  ├── Type checker passes
  ├── Linter clean
  ├── Tests pass
  └── Security scan clean

Stage 2: AI review
  ├── Logic review
  ├── Performance check
  ├── Security patterns
  └── Style consistency

Stage 3: Human review
  ├── Business logic
  ├── Architecture alignment
  └── UX implications

Stage 4: Integration
  ├── CI/CD pipeline
  └── Staging validation

Each stage gates the next. No human time wasted on code failing basic checks.

Review Prompts That Work

General Review

Review this PR for:
- Security vulnerabilities (OWASP Top 10)
- Performance anti-patterns
- Error handling gaps
- Logic errors
- Test coverage

Be specific: quote problematic code and suggest fixes.

Security-Focused

Security review: check for:
- SQL injection vectors
- XSS vulnerabilities
- Authentication/authorization gaps
- Secrets in code
- Input validation issues

Rate each finding: CRITICAL, HIGH, MEDIUM, LOW.

Architecture Review

Architecture review against our principles:
- Does this follow hexagonal layering?
- Are dependencies pointing in correct direction?
- Is domain logic separated from infrastructure?
- Any circular dependencies introduced?

Quality Metrics

Track AI review effectiveness:

Metric Target Why
Issue catch rate >60% Catches majority before human review
False positive rate <20% Doesn't waste time on noise
Suggestion acceptance >70% Developers find value
Time to first review <2 min Faster than human scheduling

Common Pitfalls

🚩 Alert Fatigue

Too many AI comments → developers ignore them all.
Fix: Threshold tuning, severity filtering, only blocking issues.

🚩 False Confidence

"AI approved it" → human skips review.
Fix: Clear scope, require human approval for merges.

🚩 Style Wars

AI enforces style inconsistently.
Fix: Deterministic formatters (prettier, black), not AI style opinions.

🚩 Security Theater

AI finds low-severity issues, misses critical ones.
Fix: Dedicated security scanning tools, not general AI review.

Building Trust

Adoption requires trust. Build it gradually:

  1. Week 1-2: AI comments only, no blocking
  2. Week 3-4: Block on critical security issues
  3. Month 2: Block on test failures + security
  4. Month 3+: Full integration, humans focus on design

Key: Let teams see value before adding friction.

The Future

Where AI code review is heading:

  • Pre-PR review: AI reviews code as it's written (inline)
  • Historical context: AI knows your codebase patterns
  • Cross-PR analysis: Detects patterns across multiple changes
  • Learning: AI adapts to your team's preferences
  • Natural language: "Why did we do it this way?" → AI explains

Getting Started

Low-friction first steps:

  1. Enable GitHub Copilot PR review (if available)
  2. Add PR-Agent to one repository
  3. Configure to comment only, not block
  4. Review AI suggestions for 2 weeks
  5. Tune thresholds based on feedback
  6. Gradually increase automation

Don't aim for full automation on day one. Aim for helpful augmentation.

Further Reading

Sign up for more like this.

Enter your email
Subscribe