2nd/10_Wiki/Topics/AI_and_ML/AI_코드_리뷰.md
koriweb d8a80f6272 chore(wiki): normalize dangling links to canonical titles (768 files / 1,200 links)
Replaced [[wikilinks]] that differ only in spelling (notation variants) with the target document's
canonical title, reconnecting 1,200 broken links. Only title/filename normalization matches were applied;
alias matching was excluded because of the over-merge risk (ambiguity guard). Originals are backed up in _link_reconcile_backup/.
Tool: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-08 12:24:15 +09:00


| Field | Value |
|---|---|
| id | wiki-2026-0508-ai-코드-리뷰 |
| title | AI Code Review |
| category | 10_Wiki/Topics |
| status | verified |
| canonical_id | self |
| aliases | AI 코드 리뷰, automated code review, CodeRabbit, Greptile, AI PR review, SAST AI |
| duplicate_of | none |
| source_trust_level | B |
| confidence_score | 0.85 |
| verification_status | conceptual |
| tags | ai-code-review, sast, devsecops, pr-review, code-quality, llm-engineering, hybrid-review |
| raw_sources | |
| last_reinforced | 2026-05-09 |
| github_commit | pending |
| inferred_by | Claude Opus 4.7 (manual cleanup 2026-05-09, extracted from messy auto-merged content) |
| tech_stack | language: TS / Python; framework: GitHub Actions / GitLab CI / CodeRabbit / Greptile / Sonar |

AI Code Review

📌 One-line insight (The Karpathy Summary)

LLM + AST as the first-pass review on every PR. CodeRabbit / Greptile / Sourcery / Cursor detect bugs, style issues and security problems. Humans make the final call; AI filters the noise. Run it as a hybrid with SAST.

📖 Structured knowledge (Synthesized Content)

Definition

AI Code Review = LLM / ML-based static analysis of source code:

  • Detects defects / vulnerabilities / style violations.
  • Suggests fixes (auto-fix).
  • Integrates into the IDE / CI / PR workflow.
  • Gives real-time feedback.

Areas

1. Style / formatting

  • Lint rules (ESLint, Pylint).
  • Formatters (Prettier, Black).
  • Naming conventions.

→ Static rule-based checks, enhanced by AI.

2. Bug detection

  • Logic errors.
  • Null pointer / type mismatch.
  • Race conditions.
  • Leaks (memory, file handles).

→ Static analysis + LLM context.

3. Security (SAST)

  • OWASP Top 10.
  • CWE (Common Weakness Enumeration).
  • Dependency vulnerabilities.
  • Hardcoded secrets.

→ Layered: pattern + ML + LLM.

4. Best practice

  • Architecture violations.
  • Anti-patterns.
  • Performance issues.
  • Test coverage gaps.

5. Documentation

  • Docstring generation.
  • README updates.
  • Comment quality.

Tool families

LLM-based PR review

  • CodeRabbit: per-PR comments + summary.
  • Greptile: codebase-wide context.
  • Cursor / Claude Code: inline in the IDE.
  • GitHub Copilot Chat: integrated.

Static analysis (rule-based + AI)

  • SonarQube: metrics + custom rules.
  • Snyk Code: security + AI suggestions.
  • Semgrep: pattern-based + AI fix.
  • Veracode: enterprise SAST.

IDE assist

  • Cursor: AI-native VS Code fork.
  • Copilot: GitHub IDE.
  • Continue.dev: open source.
  • Windsurf: Codeium's IDE.

Specialized

  • Corgea: AI auto-fix focus.
  • Sourcery: refactoring suggestions.
  • DeepCode (now Snyk): ML-based.
  • CodeGuru: AWS native.

How it works

Stage 1: Parse

  • AST (tree-sitter, language server).
  • Symbol table.
  • Type info.

Stage 2: Analyze

  • Rule check on each node.
  • Data flow analysis.
  • LLM context understanding.
  • RAG (similar patterns from the codebase).

Stage 3: Report

  • Severity / category per issue.
  • Fix suggestion.
  • Location of the code snippet.

Stage 4: Apply (optional)

  • Auto-fix.
  • Commit / PR.
  • User review + accept.
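Stages 1 to 3 as a minimal pipeline in Python's own `ast` module, added here as an example (not code from the original page or from any tool it names): parse to an AST, apply one per-node rule (a hardcoded-secret check using the same name regex and 20-character length threshold as the Semgrep rule later on this page), and emit a structured finding with severity, category, location and a fix suggestion. The `Finding` type and the sample source are constructed for the example.

```python
import ast
import re
from dataclasses import dataclass

# Constructed sample input: one hardcoded secret, one safe env lookup, one harmless number.
SAMPLE = '''
import os
API_KEY = "EXAMPLE_NOT_A_REAL_KEY_0123456789"
db_password = os.environ["DB_PASSWORD"]
retries = 3
'''

# Same name pattern and length threshold as the Semgrep hardcoded-secret rule.
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|password|token)")
MIN_SECRET_LEN = 20

@dataclass
class Finding:            # Stage 3 report item: severity / category / location / fix
    file: str
    line: int
    severity: str
    category: str
    snippet: str
    fix: str

def analyze_source(code: str, path: str) -> list[Finding]:
    """Stage 1 parse -> Stage 2 per-node rule check -> Stage 3 structured findings."""
    findings: list[Finding] = []
    tree = ast.parse(code)                                   # Stage 1: build the AST
    for node in ast.walk(tree):                              # Stage 2: visit every node
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        value = node.value
        if (
            any(SECRET_NAME.search(n) for n in names)        # secret-looking variable name
            and isinstance(value, ast.Constant)
            and isinstance(value.value, str)                 # assigned a string literal...
            and len(value.value) >= MIN_SECRET_LEN           # ...long enough to be a credential
        ):
            findings.append(Finding(                         # Stage 3: report with location + fix
                file=path,
                line=node.lineno,
                severity="ERROR",
                category="CWE-798 hardcoded credential",
                snippet=ast.get_source_segment(code, node) or "",
                fix=f'{names[0]} = os.environ["{names[0].upper()}"]',
            ))
    return findings
```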

ROI

Review speed-up

  • AI does the first pass on every PR.
  • Humans focus on the high-level questions.
  • 30-50% reduction in cycle time.

Coverage ↑

  • Every line gets reviewed.
  • Catches what a busy human reviewer would have missed.
  • Consistent quality.

Onboarding ↑

  • New developers get an explanation on every PR.
  • Best practices are enforced.

Limitations

Context blindness

  • No awareness of architectural intent.
  • Deep understanding of business logic is hard.
  • Misses cross-service impact.

False positives

  • False alarms cause alert fatigue.
  • Developers start dismissing alarms.
  • The important findings get missed.

Hallucination

  • Wrong fix suggestions.
  • References to non-existent functions.
  • Outdated APIs.

"Green Check Mark Syndrome"

  • Developers over-trust the AI's approval.
  • Critical thinking ↓.
  • False sense of security.

Hybrid model (modern best practice)

Layers

  1. AI first pass: every file of every PR.
  2. Author self-review: accept / reject each AI suggestion.
  3. Human reviewer on logic / architecture: the critical decisions.
  4. Senior reviewer final pass: critical PRs.

→ AI filters the noise, humans focus on the signal.

Governance

  • Mandatory human review for sensitive code.
  • Audit log of AI suggestions.
  • IP / data sovereignty (cloud AI vs self-host).
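The hybrid layers and the governance rules above as one routing policy, added here as an example (not code from the original page or from any tool it names): a suggestion is auto-applied only when the tool marks it as a safe class, its confidence is above the 0.95 threshold the auto-fix workflow on this page uses, and the file is not under a path that requires mandatory human review; every decision is appended to an audit log. `SENSITIVE_PATHS` and the `Suggestion` type are assumptions.

```python
import fnmatch
import json
from dataclasses import asdict, dataclass

# Assumed policy: paths whose changes always need a human (CODEOWNERS-style globs).
# fnmatch's '*' matches across '/', so 'auth/**' covers the whole subtree.
SENSITIVE_PATHS = ["auth/**", "**/crypto/*", "**/payments/**", "infra/**"]
AUTO_APPLY_MIN_CONFIDENCE = 0.95   # same threshold as the auto-fix workflow on this page

@dataclass
class Suggestion:            # hypothetical shape of one AI first-pass suggestion
    file: str
    line: int
    summary: str
    confidence: float
    is_safe: bool            # tool's own "safe to auto-apply" class (formatting, unused import, ...)

def is_sensitive(path: str) -> bool:
    """Mandatory-human-review check against the governance path list."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in SENSITIVE_PATHS)

def route(s: Suggestion, audit_log: list[str]) -> str:
    """Decide auto_apply / author_review / human_required for one suggestion.

    Every decision, including auto-applied ones, is written to the audit log so the
    governance requirement (who changed what, on whose suggestion, and why) is met.
    """
    if is_sensitive(s.file):
        decision, reason = "human_required", "sensitive path: mandatory human review"
    elif s.is_safe and s.confidence >= AUTO_APPLY_MIN_CONFIDENCE:
        decision, reason = "auto_apply", "safe class and confidence above threshold"
    else:
        decision, reason = "author_review", "below threshold or not a safe class"
    audit_log.append(json.dumps({**asdict(s), "decision": decision, "reason": reason}))
    return decision
```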

Measurement

DORA metrics (impact)

  • Lead time (commit → deploy).
  • Deployment frequency.
  • Change failure rate.
  • MTTR.

→ Measure these after adopting the AI tool.

Specific

  • PR review time.
  • AI suggestion accept rate.
  • False positive rate.
  • Bugs escaping to production.

Caution (Goodhart)

  • Tool adoption itself must not become the metric goal.
  • Forcing developers to use AI has unintended effects.

Modern trends (2024-2026)

  • Codebase-wide context: Greptile, Cursor build a graph of the whole codebase.
  • Auto-fix → auto-PR: Devin / Cognition style.
  • Multi-language: tree-sitter as the universal parser.
  • Self-host: ConnectAI / on-prem for privacy.
  • Custom rules: each team's own patterns.
  • Continuous review: every commit (before the PR opens).

💻 Code Patterns

CodeRabbit integration (GitHub)

# .coderabbit.yaml  (repository root: CodeRabbit reads this file, not .github/coderabbit.yaml)
language: en
reviews:
  profile: chill   # or 'assertive'
  request_changes_workflow: false
  high_level_summary: true
  poem: false

  path_filters:    # generated / vendored output is excluded from review
    - '!**/dist/**'
    - '!**/node_modules/**'

chat:
  auto_reply: true

Custom ESLint rule

// rules/no-magic-number.js
module.exports = {
  meta: {
    type: 'suggestion',
    docs: { description: 'Disallow magic numbers' },
    fixable: 'code',
  },
  create(context) {
    return {
      Literal(node) {
        if (typeof node.value === 'number' && ![0, 1].includes(node.value)) {
          context.report({
            node,
            message: 'Magic number {{value}}. Extract to named constant.',
            data: { value: node.value },
          });
        }
      },
    };
  },
};

Semgrep custom rule (security)

# .semgrep/rules.yaml
rules:
  - id: hardcoded-secret
    # The two metavariable-regex conditions must be combined under `patterns:`;
    # repeating the `metavariable-regex` key at the same level is a duplicate YAML key.
    patterns:
      - pattern-either:
          - pattern: |
              $KEY = "$VALUE"
          - pattern: |
              $KEY: "$VALUE"
      - metavariable-regex:
          metavariable: $KEY
          regex: '(?i)(api[_-]?key|secret|password|token)'
      - metavariable-regex:
          metavariable: $VALUE
          regex: '\w{20,}'
    message: 'Hardcoded secret detected. Use env var or secret manager.'
    severity: ERROR
    languages: [javascript, python, go]

LLM-based PR review (custom)

from openai import AsyncOpenAI

# The module-level `openai.chat.completions.create` is synchronous; use the async client.
client = AsyncOpenAI()   # reads OPENAI_API_KEY from the environment

async def review_pr(diff: str, file_paths: list[str]) -> str:
    system = """
You are a senior code reviewer. For each file in the diff:
1. Identify bugs (null check, off-by-one, race condition).
2. Suggest improvements.
3. Note style violations.
4. Skip nits unless critical.

Output: structured JSON list.
"""

    # The diff is untrusted input: text inside it must never override the system prompt,
    # and the model's output is a suggestion for a human, not an action to execute.
    user = f"Diff:\n{diff}\n\nFiles: {file_paths}"

    response = await client.chat.completions.create(
        model="gpt-4o",
        messages=[
            {"role": "system", "content": system},
            {"role": "user", "content": user}
        ],
        temperature=0,
    )
    return response.choices[0].message.content

GitHub Action (auto-review)

# .github/workflows/ai-review.yml
on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read
  pull-requests: write   # required for `gh pr comment`

jobs:
  ai-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so origin/main...HEAD resolves

      - name: Get diff
        run: |
          git diff origin/main...HEAD > diff.txt

      - name: AI review
        run: |
          python review.py --diff diff.txt --pr ${{ github.event.pull_request.number }}
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}   # not available to PRs from forks
          GITHUB_TOKEN: ${{ github.token }}

      - name: Post comments
        run: gh pr comment ${{ github.event.pull_request.number }} --body-file review.md
        env:
          GH_TOKEN: ${{ github.token }}   # gh needs the token in its environment

Codebase RAG (Greptile-style)

import os
import lancedb

def walk_repo(repo_path: str, exts=(".py", ".ts")):
    """Yield source files under repo_path, skipping vendored and build directories."""
    for root, dirs, files in os.walk(repo_path):
        dirs[:] = [d for d in dirs if d not in {".git", "node_modules", "dist"}]
        for name in files:
            if name.endswith(exts):
                yield os.path.join(root, name)

def chunk_file(path: str, max_lines: int = 50):
    """Split a file into fixed-size line windows: (start_line, end_line, code)."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        lines = fh.readlines()
    for start in range(0, len(lines), max_lines):
        window = lines[start:start + max_lines]
        yield start + 1, start + len(window), "".join(window)

async def embed(text: str) -> list[float]:
    """Assumed embedding function: plug in any embedding API or local model.
    It must return a fixed-size float vector for every input."""
    raise NotImplementedError("provide an embedding model")

# Index codebase
async def index_codebase(repo_path: str):
    db = lancedb.connect("./codebase.db")
    chunks = []
    for file in walk_repo(repo_path):
        for start, end, code in chunk_file(file, max_lines=50):
            chunks.append({
                "file": file,
                "code": code,
                "vector": await embed(code),   # the column LanceDB searches over
                "start": start,                # flat ints instead of a tuple column
                "end": end,
            })
    db.create_table("code", data=chunks, mode="overwrite")   # re-index without failing on exists

# Query
async def find_similar(query: str, k: int = 5):
    db = lancedb.connect("./codebase.db")
    table = db.open_table("code")
    query_emb = await embed(query)
    return table.search(query_emb).limit(k).to_list()

Auto-fix workflow

from dataclasses import dataclass

@dataclass
class Suggestion:
    file: str
    line: int
    replacement: str   # exact text to apply when auto-fixing
    suggestion: str    # human-readable suggestion for the PR comment
    summary: str
    confidence: float
    is_safe: bool      # tool's own "safe to auto-apply" class

def auto_fix(ai_suggestions: list[Suggestion], apply_fix, commit, post_comment):
    # apply_fix / commit / post_comment are the caller's VCS and PR API adapters.
    for s in ai_suggestions:
        if s.confidence > 0.95 and s.is_safe:       # only high-confidence, safe-class fixes
            apply_fix(s.file, s.line, s.replacement)
            commit(f"AI auto-fix: {s.summary}")
        else:
            post_comment(s.file, s.line, s.suggestion)   # everything else goes to human review

Quality gate (CI)

# .github/workflows/quality.yml
- name: SonarQube scan
  uses: SonarSource/sonarcloud-github-action@master
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

- name: Quality gate
  run: |
    # jq -r strips the JSON quotes; without it the value is '"OK"' and the check always fails
    QUALITY_SCORE=$(curl ... | jq -r .qualityGate.status)
    if [[ "$QUALITY_SCORE" != "OK" ]]; then
      echo "Quality gate failed"
      exit 1
    fi

Snyk integration

# the job needs `permissions: security-events: write` for upload-sarif
- uses: snyk/actions/setup@master
- run: snyk code test --sarif-file-output=snyk.sarif
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  continue-on-error: true   # snyk exits non-zero on findings; the SARIF must still be uploaded
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: snyk.sarif

→ The SARIF results appear in the GitHub Security tab.

Custom prompt for review

const REVIEW_PROMPT = `
Review this code change. Focus on:
1. **Critical bugs**: null check, race condition, leak.
2. **Security**: injection, auth, secrets.
3. **Performance**: N+1, big-O issues.

Skip:
- Minor style (let formatter handle).
- Subjective preferences.
- Out-of-scope refactoring.

For each issue:
- Severity: critical / major / minor.
- File:line.
- 1-2 sentence reason.
- Suggested fix (code).

If NO critical issues, just say "LGTM 🎉".
`;

Self-review checklist (author)

## Pre-PR self-review

- [ ] Code compiles + tests pass locally.
- [ ] No console.log / debug code.
- [ ] No hardcoded secrets.
- [ ] AI review (CodeRabbit) addressed.
- [ ] Edge cases considered.
- [ ] Documentation updated.
- [ ] Migration / breaking change called out.

Hybrid review SLA

- AI first pass: < 5 min after the PR opens.
- Author self-review: 30 min.
- Human reviewer: < 4 hours to first response.
- Approve / request changes: < 1 day.
- Merge: < 2 days.

🤔 Decision Criteria

| Situation | Recommended tool |
|---|---|
| GitHub PR | CodeRabbit / Greptile |
| Cursor IDE | Built-in chat |
| Enterprise | Sonar + Snyk |
| Self-host / privacy | ConnectAI / Continue.dev |
| Security-critical | Veracode / Snyk Code |
| Specific custom rules | Semgrep + custom |
| Auto-fix | Corgea / Sourcery |
| Codebase context | Greptile / Cursor |

Default: AI first pass + human review of logic / architecture.

⚠️ Contradictions & Updates

  • Mixed evidence on AI tool efficacy: studies show productivity ↑, the effect on quality is unclear.
  • Context blindness: no deep understanding of the system's architecture.
  • False positive trade-off: too strict = noise; too lenient = misses.
  • IP risk of cloud AI: code is sent to the vendor's servers.
  • Auto-fix over-confidence: wrong fixes reach production.
  • DORA metrics are game-able: tool adoption ≠ outcome.

🔗 Knowledge links (Graph)

🤖 LLM usage hints (How to Use This Knowledge)

When to use this knowledge:

  • Evaluating AI code review tools for a team.
  • Designing a PR workflow.
  • Writing custom rules.
  • Setting up review SLAs.
  • Governance of auto-fix.

When not to use it:

  • Banning / replacing manual code review (hybrid is required).
  • Sending sensitive proprietary code to a cloud AI (needs a privacy review).
  • Selecting a specific tool (do a vendor evaluation).
  • Expecting a silver bullet for quality (there is no such thing).

Anti-Patterns

  • AI review only (no human): context blindness.
  • Blind trust in AI suggestions: hallucinations reach production.
  • Cloud AI + sensitive code: IP leak.
  • No SLA: review backlog.
  • Gaming DORA metrics: artificially small PRs.
  • No false-positive feedback loop: alert fatigue.
  • Tool adoption without measurement: unclear ROI.
  • Silent auto-fix: surprised developers.

🧪 Validation

  • Status: verified (concept-level).
  • Source trust: B (CodeRabbit / Greptile / Sourcery documentation, GitHub Octoverse, DORA report, "Accelerate" by Forsgren).
  • Review reason: manual cleanup (extracted from a messy auto-merged document). The tools evolve quickly.

🧬 Duplicate Check

🕓 Changelog

| Date | Change | Action | Trust |
|---|---|---|---|
| 2026-05-08 | P-Reinforce Phase 1 normalization | UPDATE | A |
| 2026-05-09 | Manual cleanup: removed messy auto-merged content (image generation / reward scaling). Focused on AI Code Review. Added tool comparison + code patterns + hybrid model + anti-patterns. | REWRITE | B |