Tutorial · March 22, 2026 · 9 min read

Tutorial: Build an AI Code Review Pipeline in 10 Minutes

By EndOfCoding

42% of all new code is now AI-generated. That's the good news. The bad news: most teams are still reviewing it manually, line by line. There's a better way.

If you're using Claude Code, Cursor, or any AI coding agent, you're probably committing AI-generated code multiple times per day. According to MorphLLM's research, the same Claude model scores 17 points apart on code quality metrics depending on the agent scaffolding around it. That gap is your quality gate.

The professional approach — what Anthropic calls agentic engineering — is to build quality verification into your workflow, not bolt it on afterward. This tutorial implements the pattern used by Stripe's "Minions" system, simplified for individual developers and small teams.

What You'll Learn

You'll build an automated code review pipeline that:

  1. Triggers on every git commit or CI push
  2. Sends changed files to Claude for security and quality review
  3. Blocks the commit if critical issues are found
  4. Outputs a structured review report with severity ratings

Prerequisites: Claude Code installed, Anthropic API key set, Node.js 20+.

Step 1: Create the Review Script

Create scripts/ai-review.sh in your project root:

#!/bin/bash
# AI Code Review Gate
# Runs Claude on staged/changed files and blocks commit if critical issues found

set -e

# Get changed files (staged for commit, or diff from main)
if [ "$1" = "staged" ]; then
  CHANGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(ts|tsx|js|jsx|py|go|rs)$' || true)
else
  CHANGED_FILES=$(git diff origin/main --name-only --diff-filter=ACM | grep -E '\.(ts|tsx|js|jsx|py|go|rs)$' || true)
fi

if [ -z "$CHANGED_FILES" ]; then
  echo "✓ No source files changed — skipping AI review"
  exit 0
fi

echo "🔍 AI Code Review: analyzing $(echo "$CHANGED_FILES" | wc -l | tr -d ' ') file(s)..."

# Build the file content for review. $'\n' inserts real newlines (a plain "\n"
# inside double quotes stays a literal backslash-n, so the model would see one
# run-on line), and reading line by line keeps paths with spaces intact.
FILE_CONTENT=""
while IFS= read -r FILE; do
  if [ -f "$FILE" ]; then
    FILE_CONTENT="${FILE_CONTENT}"$'\n\n'"=== FILE: $FILE ==="$'\n'"$(cat "$FILE")"
  fi
done <<< "$CHANGED_FILES"

# Run Claude review
REVIEW_OUTPUT=$(claude -p "You are a senior security engineer reviewing AI-generated code.

Review the following changed files for:
1. CRITICAL: SQL/command injection, hardcoded secrets, broken auth logic, XSS
2. HIGH: Missing input validation, insecure defaults, exposed sensitive data
3. MEDIUM: Type safety issues, unhandled errors, missing null checks
4. LOW: Code style issues, missing tests, documentation gaps

For each issue output exactly this format:
SEVERITY|FILE:LINE|SHORT_DESCRIPTION

After listing all issues, output exactly:
RESULT:PASS or RESULT:FAIL (FAIL only if any CRITICAL or HIGH issues found)

Files to review:
${FILE_CONTENT}" 2>/dev/null)

# Parse result. Fail closed: RESULT:FAIL blocks, an explicit RESULT:PASS lets
# the commit through, and anything else (empty or malformed output) also blocks
# instead of silently passing the gate.
echo "$REVIEW_OUTPUT"

if echo "$REVIEW_OUTPUT" | grep -q "RESULT:FAIL"; then
  echo ""
  echo "❌ AI Code Review FAILED — critical or high-severity issues found"
  echo "Fix the issues above before committing."
  exit 1
elif echo "$REVIEW_OUTPUT" | grep -q "RESULT:PASS"; then
  echo ""
  echo "✅ AI Code Review PASSED"
  exit 0
else
  echo ""
  echo "❌ AI Code Review produced no RESULT line — treating as failure"
  exit 1
fi

Make it executable: chmod +x scripts/ai-review.sh
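The script reads the verdict from the model's own RESULT line with a single grep. As an added example, not part of the original tutorial, here is a small verdict function that instead derives the decision from the SEVERITY|FILE:LINE|DESCRIPTION lines the prompt asks for: a listed CRITICAL or HIGH blocks even if the summary line says RESULT:PASS (whether the model slipped or text inside a reviewed file steered its summary), and output that contains neither issue lines nor a RESULT line is treated as "no review happened" rather than as a pass. The function name, its return codes and the three sample outputs are this example's own.

```shell
#!/bin/bash
# Added example (not from the original tutorial): derive the gate's verdict from
# the structured SEVERITY|FILE:LINE|DESCRIPTION lines rather than from the model's
# own RESULT line, and fail closed when the output is not a review at all.
# The sample outputs at the bottom are constructed for the demo.

# review_verdict <review_output>
# Prints PASS, FAIL or UNPARSABLE; returns 0, 1 or 2 respectively.
review_verdict() {
  local output="$1"
  local issues blocking

  # Keep only well-formed issue lines; the severity comes from these, so a
  # listed CRITICAL or HIGH blocks even when the summary line says RESULT:PASS
  issues=$(printf '%s\n' "$output" \
    | grep -E '^(CRITICAL|HIGH|MEDIUM|LOW)\|[^|]+:[0-9]+\|' || true)

  # Fail closed: no issue lines and no RESULT line means the tool produced
  # something other than a review (error text, empty or truncated response)
  if [ -z "$issues" ] && ! printf '%s\n' "$output" | grep -qE '^RESULT:(PASS|FAIL)$'; then
    echo "UNPARSABLE"
    return 2
  fi

  # grep -c prints 0 on no match but exits 1, hence the || true
  blocking=$(printf '%s\n' "$issues" | grep -cE '^(CRITICAL|HIGH)\|' || true)
  if [ "$blocking" -gt 0 ]; then
    echo "FAIL"
    return 1
  fi
  echo "PASS"
  return 0
}

# Constructed sample outputs: a contradictory review (CRITICAL listed but the
# summary says PASS), a clean one, and a tool error instead of a review
SAMPLE_CONTRADICTORY='CRITICAL|src/db.ts:12|SQL query built with string interpolation
LOW|src/db.ts:40|Missing doc comment on exported function
RESULT:PASS'
SAMPLE_CLEAN='MEDIUM|src/api.ts:8|Unhandled promise rejection in handler
RESULT:PASS'
SAMPLE_ERROR='Error: request failed, retry later'

# Demo: prints FAIL (exit 1), PASS (exit 0), UNPARSABLE (exit 2)
for sample in "$SAMPLE_CONTRADICTORY" "$SAMPLE_CLEAN" "$SAMPLE_ERROR"; do
  verdict=$(review_verdict "$sample") && rc=0 || rc=$?
  echo "$verdict (exit $rc)"
done
```

In ai-review.sh the same function would replace the final grep: call review_verdict "$REVIEW_OUTPUT" and exit with its return code, so that both a FAIL and an unparsable response block the commit.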

Step 2: Wire Into Pre-commit Hook

Create .git/hooks/pre-commit:

#!/bin/bash
# Run AI code review on staged changes before every commit
./scripts/ai-review.sh staged
# Exit code from the review script propagates — non-zero blocks the commit

Make it executable: chmod +x .git/hooks/pre-commit

Test it works:

# Stage a file with an obvious issue
echo 'const query = `SELECT * FROM users WHERE id = ${userId}`' > test-injection.ts
git add test-injection.ts
git commit -m "test"
# Should see AI review output and block the commit

Step 3: Add to CI/CD (GitHub Actions)

Create .github/workflows/ai-review.yml:

name: AI Code Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  ai-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code

      - name: Run AI Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: ./scripts/ai-review.sh

Add your Anthropic API key to GitHub Secrets as ANTHROPIC_API_KEY.

Step 4: Customize the Review Prompt

The review prompt in ai-review.sh is the key lever. Tune it for your stack — see the Advanced Tips section for stack-specific additions.

Common Challenges

Limitations to Know:

  1. Claude cannot test runtime behavior. This catches static patterns, not logic errors that only appear with real data.
  2. False positives happen, especially around intentional dynamic SQL that is properly parameterized. Tune the prompt to reduce noise.
  3. API cost. Each review call costs roughly $0.01–0.05 depending on file size. For a team doing 20 commits/day, that's under $30/month.
  4. Not a replacement for human review. The goal is to eliminate the boring, repetitive security checks so human reviewers can focus on architecture and logic.

Advanced Tips

Stack-specific prompt additions:

Next.js / TypeScript:

Also check for:
- Missing 'use client' / 'use server' directives in App Router components
- useEffect dependencies that could cause infinite loops
- Missing error boundaries around async operations
- Server Actions that modify state without proper revalidation

Node.js APIs:

Also check for:
- Missing rate limiting on public endpoints
- JWT token validation bypasses
- Missing CORS configuration
- File upload size limits not enforced

Python / Django / FastAPI:

Also check for:
- ORM query injection (raw() or execute() with string formatting)
- Missing @login_required or authentication checks
- Pickle deserialization of user input
- Path traversal in file operations
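To wire these additions in without hand-editing the prompt for every project, here is an added example (not from the tutorial) that assembles the review prompt from the base checklist plus whichever of the three addition blocks above match marker files found in the repository. The marker files used for detection (next.config.js/.mjs, an express/fastify/koa dependency in package.json, and manage.py/pyproject.toml/requirements.txt) and the function names are assumptions of this example; adjust them to your own layout.

```shell
#!/bin/bash
# Added example (not from the original tutorial): build the review prompt from the
# tutorial's base checklist plus the stack-specific additions, selected by marker
# files in the repository. The marker files are an assumption of this example.

# stack_additions <repo_dir>: print each matching "Also check for" block
stack_additions() {
  local repo="$1"
  if [ -f "$repo/next.config.js" ] || [ -f "$repo/next.config.mjs" ]; then
    cat <<'EOF'
Also check for (Next.js / TypeScript):
- Missing 'use client' / 'use server' directives in App Router components
- useEffect dependencies that could cause infinite loops
- Missing error boundaries around async operations
- Server Actions that modify state without proper revalidation
EOF
  fi
  if [ -f "$repo/package.json" ] && grep -qE '"(express|fastify|koa)"' "$repo/package.json"; then
    cat <<'EOF'
Also check for (Node.js APIs):
- Missing rate limiting on public endpoints
- JWT token validation bypasses
- Missing CORS configuration
- File upload size limits not enforced
EOF
  fi
  if [ -f "$repo/manage.py" ] || [ -f "$repo/pyproject.toml" ] || [ -f "$repo/requirements.txt" ]; then
    cat <<'EOF'
Also check for (Python / Django / FastAPI):
- ORM query injection (raw() or execute() with string formatting)
- Missing @login_required or authentication checks
- Pickle deserialization of user input
- Path traversal in file operations
EOF
  fi
}

# build_prompt <repo_dir>: base checklist, detected additions, then the output format
build_prompt() {
  cat <<'EOF'
You are a senior security engineer reviewing AI-generated code.

Review the following changed files for:
1. CRITICAL: SQL/command injection, hardcoded secrets, broken auth logic, XSS
2. HIGH: Missing input validation, insecure defaults, exposed sensitive data
3. MEDIUM: Type safety issues, unhandled errors, missing null checks
4. LOW: Code style issues, missing tests, documentation gaps
EOF
  stack_additions "$1"
  cat <<'EOF'

For each issue output exactly this format:
SEVERITY|FILE:LINE|SHORT_DESCRIPTION

After listing all issues, output exactly:
RESULT:PASS or RESULT:FAIL (FAIL only if any CRITICAL or HIGH issues found)
EOF
}

# Demo on a constructed layout: a Next.js front end with a Django back end
DEMO_REPO=$(mktemp -d)
: > "$DEMO_REPO/next.config.js"
: > "$DEMO_REPO/manage.py"
build_prompt "$DEMO_REPO"
rm -rf "$DEMO_REPO"
```

Inside ai-review.sh, build_prompt "$(git rev-parse --show-toplevel)" would produce the text to pass to claude -p in place of the inline prompt, with the file contents appended after it.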

Real-world results from teams using this pattern:

  • ~40% reduction in security issues reaching code review
  • 15–20 minutes saved per PR on routine review
  • Zero "missed obvious bugs" in post-mortems

Conclusion

The key insight: AI catches AI's own common failure patterns better than tired human reviewers looking at the tenth PR of the day. By gating commits with a structured Claude review, you eliminate the long tail of obvious security and quality issues before they reach human eyes.

Next steps:

  • Apply the CLAUDE.md Architect prompt to document your codebase conventions for your AI agents
  • Read the related deep dive on agentic engineering patterns
  • Tune the review prompt for your team's specific stack and tolerance for noise