RUNLOCALAI · v38
Independently operated catalog for local-AI hardware and software. Hand-written verdicts. Source-cited claims. Reproducible commands when we have them.

OP·Fredoline Eruo
Local AI for Code Generation

09. Code Review Automation

Chapter 9 of 18 · 25 min
KEY INSIGHT

Local AI can automate code review tasks like bug detection, style checking, and security scanning by applying consistent criteria across every diff without cloud dependencies.

Automated code review with local AI processes pull requests and diffs through configurable prompts that detect specific issue categories. The workflow integrates with git hosting through webhooks or runs manually through Continue's chat interface.

Create a review command in `config.json`:

```json
{
  "commands": [
    {
      "name": "Code Review",
      "description": "Automated security and quality review",
      "prompt": "You are performing a code review. Analyze the following code changes for:\n\n1. **Security**: SQL injection, XSS, authentication bypass, sensitive data exposure\n2. **Correctness**: Logic errors, null handling, race conditions, edge cases\n3. **Performance**: N+1 queries, unnecessary iterations, missing indexes\n4. **Style**: Consistency with project conventions, naming, documentation\n\nFor each issue found, provide:\n- File and line number\n- Severity (critical, major, minor)\n- Description\n- Suggested fix\n\nCode changes:\n```\n{{{ clipboard }}}\n```\n\nOutput a summary table first, then detailed findings.",
      "run": "clipboard"
    }
  ]
}
```

Running this command on a diff:

1. Copy the diff output with `git diff`
2. Execute the Code Review command
3. Receive formatted findings in clipboard
4. Paste into PR comments or review tools

More sophisticated review involves checking against project-specific rules. Create a `.review-rules.md` file in your repository:

```markdown
# Code Review Rules

## Required Checks

- All public functions have type hints
- No `print` statements in production code
- Error handling uses specific exception types
- Database queries use parameterized queries
- Sensitive config values come from environment variables

## Naming Conventions

- Functions: snake_case
- Classes: PascalCase
- Constants: UPPER_SNAKE_CASE
- Tables: plural snake_case

## Security Requirements

- Input validation on all API endpoints
- Authentication required for mutation operations
- Rate limiting on public endpoints
```

Reference these rules in your review prompt:

```json
{
  "commands": [
    {
      "name": "Review Against Rules",
      "prompt": "Review the following changes against our project rules:\n\nRules from .review-rules.md:\n{{{{ file:.review-rules.md }}}}\n\nChanges to review:\n{{{ clipboard }}}\n\nReport any violations with file, line, and suggested fix."
    }
  ]
}
```

The `{{{{ file:path }}}}` syntax embeds file contents into the prompt.

Automated review scaling strategies:

1. **Split large diffs**: Review files in batches to avoid context overflow
2. **Prioritize by risk**: Review security-sensitive modules first
3. **Track recurring issues**: Build a database of patterns to catch in future reviews
4. **CI integration**: Run review on every PR automatically

CI integration example using a shell script:

```bash
#!/bin/bash
# .github/scripts/ai-review.sh
set -euo pipefail

# Collect the staged changes to review.
git diff --cached > /tmp/changes.diff

# Build the request body with jq so that quotes, backslashes and newlines in
# the diff are JSON-escaped instead of being spliced into the payload as-is.
jq -n --rawfile diff /tmp/changes.diff '{
    model: "deepseek-coder:33b",
    messages: [
      {role: "system", content: "You review code for security issues."},
      {role: "user", content: ("Review these changes:\n" + $diff)}
    ]
  }' |
  curl -sS -X POST http://localhost:1234/v1/chat/completions \
    -H "Content-Type: application/json" \
    --data-binary @- > /tmp/review.md

# Extract the model's reply from the JSON response and publish it.
jq -r '.choices[0].message.content' /tmp/review.md > "$GITHUB_STEP_SUMMARY"
```

This script runs as a GitHub Actions step, posting review results to the PR summary.
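Scaling strategies 1 and 2 above (split large diffs, prioritize by risk) can be combined in one planning step that runs before any request is sent. The following is an added example, not code from the course: the `RISKY` path patterns, the `max_chars` budget and the sample diff are assumptions to adapt to your repository and model context size.

```python
import re

# Assumption: path fragments this project treats as security-sensitive.
RISKY = re.compile(r"auth|login|session|crypto|token|sql", re.I)
FILE_HEADER = re.compile(r"^diff --git a/(.+?) b/(.+)$")
# Constructed sample input, not taken from a real repository.
SAMPLE_DIFF = (
    "diff --git a/README.md b/README.md\n@@ -1 +1 @@\n-old\n+new\n"
    "diff --git a/src/auth/login.py b/src/auth/login.py\n"
    "@@ -10 +10 @@\n-q = 'SELECT ... name = %s' % name\n+q = 'SELECT ... name = ?'\n"
    "@@ -30 +30 @@\n-x\n+y\n"
)

def split_by_file(diff_text):
    """Split `git diff` output into (path, chunk) pairs, one per file."""
    files, path, lines = [], None, []
    for line in diff_text.splitlines(keepends=True):
        m = FILE_HEADER.match(line)
        if m:
            if path is not None:
                files.append((path, "".join(lines)))
            path, lines = m.group(2), []
        if path is not None:
            lines.append(line)
    if path is not None:
        files.append((path, "".join(lines)))
    return files

def plan_batches(diff_text, max_chars=6000):
    """Order files risk-first, then pack into batches of at most max_chars."""
    # An over-budget file is cut at hunk boundaries ("@@"), repeating its
    # header; a single oversized hunk is sent alone rather than truncated.
    files = sorted(split_by_file(diff_text),
                   key=lambda f: (RISKY.search(f[0]) is None, f[0]))
    batches, current, size = [], [], 0
    for path, chunk in files:
        pieces = [chunk]
        if len(chunk) > max_chars:
            header, *hunks = re.split(r"(?m)^(?=@@ )", chunk)
            pieces = [header + h for h in hunks] or [chunk]
        for piece in pieces:
            if current and size + len(piece) > max_chars:
                batches.append(current)
                current, size = [], 0
            current.append((path, piece))
            size += len(piece)
    if current:
        batches.append(current)
    return batches
```

Each batch is a list of `(path, diff_text)` pairs; join the texts of one batch into the user message of a single review request, and send the batches in order so the risk-matched files are reviewed first.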


EXERCISE

Create a code review command tailored to your project's stack. Run it against a recent pull request and compare findings to your actual review notes. Note false positives and gaps in the review criteria.
