--- id: wiki-2026-0508-ai-코드-리뷰 title: AI Code Review category: 10_Wiki/Topics status: verified canonical_id: self aliases: [AI 코드 리뷰, automated code review, CodeRabbit, Greptile, AI PR review, SAST AI] duplicate_of: none source_trust_level: B confidence_score: 0.85 verification_status: conceptual tags: [ai-code-review, sast, devsecops, pr-review, code-quality, llm-engineering, hybrid-review] raw_sources: [] last_reinforced: 2026-05-09 github_commit: pending inferred_by: Claude Opus 4.7 (manual cleanup 2026-05-09 — extracted from messy auto-merged content) tech_stack: language: TS / Python framework: GitHub Actions / GitLab CI / CodeRabbit / Greptile / Sonar --- # AI Code Review ## 📌 한 줄 통찰 (The Karpathy Summary) > **LLM + AST + 매 PR 의 first-pass review**. CodeRabbit / Greptile / Sourcery / Cursor 가 매 bug / style / security 의 detect. **Human 의 final, AI 의 noise filter**. SAST 와 의 hybrid. ## 📖 구조화된 지식 (Synthesized Content) ### 정의 **AI Code Review** = 매 source code 의 LLM / ML-based static analysis: - 매 defect / vulnerability / style violation 의 detect. - 매 fix suggestion (auto-fix). - 매 IDE / CI / PR workflow 의 integrate. - Real-time feedback. ### 매 분야 #### 1. Style / formatting - 매 lint rule (ESLint, Pylint). - 매 formatter (Prettier, Black). - 매 naming convention. → Static rule-based + AI 의 enhancement. #### 2. Bug detection - 매 logic error. - 매 null pointer / type mismatch. - 매 race condition. - 매 leak (memory, file handle). → Static analysis + LLM context. #### 3. Security (SAST) - 매 OWASP Top 10. - 매 CWE (Common Weakness Enumeration). - 매 dependency vulnerability. - 매 hardcoded secret. → Pattern + ML + LLM 의 layered. #### 4. Best practice - 매 architecture violation. - 매 anti-pattern. - 매 performance issue. - 매 test coverage gap. #### 5. Documentation - 매 docstring 의 generate. - 매 README 의 update. - 매 comment 의 quality. ### 매 tool family #### LLM-based PR review - **CodeRabbit**: PR 별 comment + summary. - **Greptile**: codebase-wide context. - **Cursor / Claude Code**: IDE inline. - **GitHub Copilot Chat**: integrated. #### Static analysis (rule-based + AI) - **SonarQube**: 매 metric + custom rule. - **Snyk Code**: security + AI suggest. - **Semgrep**: pattern-based + AI fix. - **Veracode**: enterprise SAST. #### IDE assist - **Cursor**: AI-native VS Code fork. - **Copilot**: GitHub IDE. - **Continue.dev**: open source. - **Windsurf**: Codeium 의 IDE. #### Specialized - **Corgea**: AI auto-fix focus. - **Sourcery**: refactoring suggestion. - **DeepCode (now Snyk)**: ML-based. - **CodeGuru**: AWS native. ### 매 작동 원리 #### Stage 1: Parse - AST (tree-sitter, language-server). - Symbol table. - Type info. #### Stage 2: Analyze - 매 node 의 rule check. - 매 data flow analysis. - 매 LLM 의 context understand. - 매 RAG (codebase 의 similar pattern). #### Stage 3: Report - 매 issue 의 severity / category. - 매 fix suggestion. - 매 code snippet 의 location. #### Stage 4: Apply (optional) - 매 auto-fix. - 매 commit / PR. - 매 user 의 review + accept. ### 매 ROI #### 매 review 의 speed-up - 매 PR 의 first-pass = AI. - 매 human 의 high-level focus. - 매 cycle time 의 30-50% 감소. #### Coverage ↑ - 매 line 의 review. - 매 PR 의 missed by busy human. - 매 consistent quality. #### 매 onboarding ↑ - 매 new dev 의 매 PR 의 explanation. - 매 best practice 의 enforcement. ### 매 limitation #### Context blindness - 매 architecture intent X. - 매 business logic 의 deep understand 어려움. - 매 cross-service impact 의 miss. #### False positives - 매 false alarm 의 alert fatigue. - 매 dev 의 alarm dismiss. - 매 important 의 miss. #### Hallucination - 매 wrong fix suggestion. - 매 non-existent function reference. - 매 outdated API. #### "Green Check Mark Syndrome" - 매 dev 의 AI approval 의 over-trust. - 매 critical thinking ↓. - 매 false sense of security. ### 매 hybrid model (modern best practice) #### 매 layer 1. **AI 의 first-pass**: 매 PR 의 매 file. 2. **Author 의 self-review**: 매 AI suggestion 의 accept / reject. 3. **Human reviewer 의 logic / architecture**: 매 critical decision. 4. **Senior reviewer 의 final**: 매 critical PR. → AI 의 noise filter, human 의 signal focus. #### 매 governance - 매 sensitive code 의 mandatory human review. - 매 AI suggestion 의 audit log. - 매 IP / data sovereignty (cloud AI vs self-host). ### 매 measurement #### DORA metric (impact) - Lead time (commit → deploy). - Deployment frequency. - Change failure rate. - MTTR. → 매 AI tool adoption 후 의 measure. #### 매 specific - PR review time. - AI suggestion accept rate. - False positive rate. - 매 bug 의 production escape. #### 매 caution (Goodhart) - 매 tool adoption 의 metric goal X. - 매 dev 의 AI 사용 강요 의 unintended. ### 매 modern trend (2024-2026) - **Codebase-wide context**: Greptile, Cursor 의 매 codebase 의 graph. - **Auto-fix → auto-PR**: Devin / Cognition 식. - **Multi-language**: tree-sitter universal. - **Self-host**: ConnectAI / on-prem 의 privacy. - **Custom rule**: 매 team 의 own pattern. - **Continuous review**: 매 commit (PR open 전). ## 💻 코드 패턴 (Code Patterns) ### CodeRabbit 통합 (GitHub) ```yaml # .github/coderabbit.yaml language: en reviews: profile: chill # or 'assertive' request_changes_workflow: false high_level_summary: true poem: false path_filters: - '!**/dist/**' - '!**/node_modules/**' chat: auto_reply: true ``` ### Custom ESLint rule ```js // rules/no-magic-number.js module.exports = { meta: { type: 'suggestion', docs: { description: 'Disallow magic numbers' }, fixable: 'code', }, create(context) { return { Literal(node) { if (typeof node.value === 'number' && ![0, 1].includes(node.value)) { context.report({ node, message: 'Magic number {{value}}. Extract to named constant.', data: { value: node.value }, }); } }, }; }, }; ``` ### Semgrep custom rule (security) ```yaml # .semgrep/rules.yaml rules: - id: hardcoded-secret pattern-either: - pattern: | $KEY = "$VALUE" - pattern: | $KEY: "$VALUE" metavariable-regex: metavariable: $KEY regex: '(?i)(api[_-]?key|secret|password|token)' metavariable-regex: metavariable: $VALUE regex: '\w{20,}' message: 'Hardcoded secret detected. Use env var or secret manager.' severity: ERROR languages: [javascript, python, go] ``` ### LLM-based PR review (custom) ```python import openai async def review_pr(diff: str, file_paths: list[str]) -> str: system = """ You are a senior code reviewer. For each file in the diff: 1. Identify bugs (null check, off-by-one, race condition). 2. Suggest improvements. 3. Note style violations. 4. Skip nits unless critical. Output: structured JSON list. """ user = f"Diff:\n{diff}\n\nFiles: {file_paths}" response = await openai.chat.completions.create( model="gpt-4o", messages=[ {"role": "system", "content": system}, {"role": "user", "content": user} ], temperature=0, ) return response.choices[0].message.content ``` ### GitHub Action (auto-review) ```yaml # .github/workflows/ai-review.yml on: pull_request: types: [opened, synchronize] jobs: ai-review: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Get diff run: | git diff origin/main...HEAD > diff.txt - name: AI review run: | python review.py --diff diff.txt --pr ${{ github.event.pull_request.number }} env: OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} GITHUB_TOKEN: ${{ github.token }} - name: Post comments run: gh pr comment ${{ github.event.pull_request.number }} --body-file review.md ``` ### Codebase RAG (Greptile-style) ```python import lancedb # Index codebase async def index_codebase(repo_path: str): db = lancedb.connect("./codebase.db") chunks = [] for file in walk_repo(repo_path): for chunk in chunk_file(file, max_lines=50): chunks.append({ "file": file, "code": chunk.code, "embedding": await embed(chunk.code), "lines": (chunk.start, chunk.end), }) table = db.create_table("code", data=chunks) # Query async def find_similar(query: str, k: int = 5): db = lancedb.connect("./codebase.db") table = db.open_table("code") query_emb = await embed(query) results = table.search(query_emb).limit(k).to_list() return results ``` ### Auto-fix workflow ```python def auto_fix(pr_diff: str, ai_suggestions: list): for s in ai_suggestions: if s.confidence > 0.95 and s.is_safe: apply_fix(s.file, s.line, s.replacement) commit(f"AI auto-fix: {s.summary}") else: post_comment(s.file, s.line, s.suggestion) # human review ``` ### Quality gate (CI) ```yaml # .github/workflows/quality.yml - name: SonarQube scan uses: SonarSource/sonarcloud-github-action@master env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - name: Quality gate run: | QUALITY_SCORE=$(curl ... | jq .qualityGate.status) if [[ $QUALITY_SCORE != "OK" ]]; then echo "Quality gate failed" exit 1 fi ``` ### Snyk integration ```yaml - uses: snyk/actions/setup@master - run: snyk code test --sarif-file-output=snyk.sarif - uses: github/codeql-action/upload-sarif@v3 with: sarif_file: snyk.sarif ``` → 매 SARIF 의 GitHub Security tab. ### Custom prompt for review ```ts const REVIEW_PROMPT = ` Review this code change. Focus on: 1. **Critical bugs**: null check, race condition, leak. 2. **Security**: injection, auth, secrets. 3. **Performance**: N+1, big-O issues. Skip: - Minor style (let formatter handle). - Subjective preferences. - Out-of-scope refactoring. For each issue: - Severity: critical / major / minor. - File:line. - 1-2 sentence reason. - Suggested fix (code). If NO critical issues, just say "LGTM 🎉". `; ``` ### Self-review checklist (author) ```markdown ## Pre-PR self-review - [ ] Code compiles + tests pass locally. - [ ] No console.log / debug code. - [ ] No hardcoded secrets. - [ ] AI review (CodeRabbit) addressed. - [ ] Edge cases considered. - [ ] Documentation updated. - [ ] Migration / breaking change called out. ``` ### Hybrid review SLA ``` - AI first-pass: < 5 min after PR open. - Author self-review: 30 min. - Human reviewer: < 4 hour first response. - Approve / changes: < 1 day. - Merge: < 2 day. ``` ## 🤔 의사결정 기준 (Decision Criteria) | 상황 | 추천 tool | |---|---| | GitHub PR | CodeRabbit / Greptile | | Cursor IDE | Built-in chat | | Enterprise | Sonar + Snyk | | Self-host / privacy | ConnectAI / Continue.dev | | Security-critical | Veracode / Snyk Code | | 매 specific custom rule | Semgrep + custom | | Auto-fix | Corgea / Sourcery | | Codebase context | Greptile / Cursor | **기본값**: AI 의 first-pass + human 의 logic / architecture review. ## ⚠️ 모순 및 업데이트 (Contradictions & Updates) - **AI tool 의 efficacy 의 mixed evidence**: 매 study 의 productivity ↑ + 매 quality 의 unclear. - **Context blindness**: 매 system 의 architecture 의 deep understand X. - **False positive 의 trade-off**: 매 strict = noise. 매 lenient = miss. - **Cloud AI 의 IP risk**: 매 code 의 vendor server. - **Auto-fix 의 over-confidence**: 매 wrong fix 의 production. - **DORA metric 의 game-able**: 매 tool adoption ≠ outcome. ## 🔗 지식 연결 (Graph) - 부모: [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] · [[Static-Analysis]] - 변형: [[CodeRabbit]] · [[Greptile]] - 응용: [[Snyk-Code]] · [[SonarQube]] - AI: [[Codebase-RAG]] · [[Auto-Fix]] - 응용: [[PR-Workflow]] · [[DORA-Metrics]] - Adjacent: [[Green-Check-Mark-Syndrome]] - Related: [[Code Agent — Devin / Cursor / Claude Code]] ## 🤖 LLM 활용 힌트 (How to Use This Knowledge) **언제 이 지식을 쓰는가:** - 매 team 의 AI code review tool 의 evaluation. - 매 PR workflow 의 design. - 매 custom rule 의 작성. - 매 review SLA 의 setup. - 매 auto-fix 의 governance. **언제 쓰면 안 되는가:** - Manual code review 의 ban / replace (hybrid required). - 매 sensitive proprietary code 의 cloud AI (privacy review). - 매 specific tool 의 selection (vendor evaluation). - Quality 의 silver bullet 의 expectation (no such thing). ## ❌ 안티패턴 (Anti-Patterns) - **AI review 만 (no human)**: context blindness. - **AI suggestion 의 blind trust**: hallucination 의 production. - **Cloud AI + sensitive code**: IP leak. - **No SLA**: review backlog. - **DORA metric 의 game**: 매 PR 의 small artificial. - **No false positive feedback loop**: alert fatigue. - **매 tool 의 adoption + no measurement**: ROI 의 unclear. - **Auto-fix 의 silent**: 매 dev 의 surprise. ## 🧪 검증 상태 (Validation) - **정보 상태:** verified (concept-level). - **출처 신뢰도:** B (CodeRabbit / Greptile / Sourcery documentation, GitHub Octoverse, DORA report, "Accelerate" Forsgren). - **검토 이유:** Manual cleanup (extracted from messy auto-merged document). 매 tool 의 evolution. ## 🧬 중복 검사 (Duplicate Check) - **기존 유사 문서:** [[Code-Review-Modern]] (parent), [[AI-Powered Code Analysis (Autofix + Triage)]] (related), [[CI/CD Pipeline & IDE Security Integration|DevSecOps]] (related). - **처리 방식:** KEEP (focused on AI-augmented review). - **처리 이유:** 매 AI integration 의 specific. ## 🕓 변경 이력 (Changelog) | 날짜 | 변경 내용 | 처리 방식 | 신뢰도 | |------|-----------|-----------|--------| | 2026-05-08 | P-Reinforce Phase 1 정규화 | UPDATE | A | | 2026-05-09 | Manual cleanup — 매 messy auto-merged content (이미지 생성 / 보상 scaling) 제거. AI Code Review 의 focus. Tool comparison + code pattern + hybrid model + 안티패턴 추가. | REWRITE | B |