AI Code Review

Statly Code includes AI-powered code review that automatically reviews pull requests using your own AI API keys. Support for Claude (Anthropic), GPT-4 (OpenAI), and Gemini (Google).

AI Code Review uses your own API keys (BYOK - Bring Your Own Key). Statly never pays for your AI usage.

Overview

AI Code Review provides:

Automatic PR review on creation and updates
Security vulnerability detection
Performance issue identification
Best practice recommendations
One-click fix suggestions
Auto-merge when AI approves + CI passes

Setting Up

Configure API Key

Go to Repository Settings → AI Review
Select your AI provider
Enter your API key
Click Test Connection

Choose Model

Provider	Recommended Model	Speed	Quality
Anthropic	Claude Sonnet 4	Medium	High
Anthropic	Claude 3.5 Haiku	Fast	Good
OpenAI	GPT-4o	Medium	High
OpenAI	GPT-4o Mini	Fast	Good
Google	Gemini 1.5 Pro	Medium	High
Google	Gemini 1.5 Flash	Fast	Good

Enable Auto-Review

Toggle Auto-review PRs to automatically review new PRs.

Configuration Options

Setting	Description	Default
`enabled`	Enable AI review	`false`
`autoReviewPRs`	Automatically review new PRs	`true`
`reviewDrafts`	Review draft PRs	`false`
`autonomyLevel`	`suggest`, `apply`, or `merge`	`suggest`
`requireHumanApproval`	Require human approval before auto-merge	`true`
`focusAreas`	Areas to focus on	`["security", "performance", "best_practices"]`

Focus Areas

Configure which issues the AI prioritizes:

Focus Area	Description
`security`	SQL injection, XSS, auth issues, secrets
`performance`	N+1 queries, memory leaks, slow algorithms
`best_practices`	Code style, naming, patterns
`error_handling`	Missing try/catch, unhandled promises
`testing`	Missing tests, test quality
`documentation`	Missing docs, outdated comments

Review Results

Overall Sentiment

Sentiment	Description	Action
`positive`	Code looks good	Can merge
`neutral`	Minor suggestions	Can merge
`needs_work`	Significant issues	Should fix

Suggestion Categories

Category	Icon	Description
Security	🔴	Critical security vulnerabilities
Performance	🟡	Performance issues
Best Practice	🔵	Style and pattern suggestions
Bug	🔴	Potential bugs
Refactor	🟢	Code quality improvements

Suggestion Severity

Severity	Description	Blocks Merge
`critical`	Must fix before merging	Yes (if required)
`warning`	Should consider fixing	No
`info`	Nice to have	No

Applying Suggestions

One-Click Apply

For suggestions with code fixes:

Review the suggested change
Click Apply to create a commit
The fix is committed to the PR branch

Dismissing Suggestions

If a suggestion isn't relevant:

Click Dismiss
Optionally add a reason
The suggestion is marked as dismissed

Autonomy Levels

Suggest (Default)

AI posts review comments but takes no action:

[AI reviews PR]
     ↓
[Posts comments with suggestions]
     ↓
[Human reviews and applies/dismisses]
     ↓
[Human merges]

Apply

AI can automatically apply its own suggestions:

[AI reviews PR]
     ↓
[Posts comments with suggestions]
     ↓
[AI applies safe suggestions automatically]
     ↓
[Human reviews and merges]

Merge

AI can merge PRs when all checks pass:

[AI reviews PR]
     ↓
[Posts comments / applies suggestions]
     ↓
[CI passes] + [AI approves] + [Human approval (if required)]
     ↓
[AI auto-merges]

⚠️

Auto-merge with autonomyLevel: merge requires careful configuration. Ensure human approval is required for production deployments.

Auto-Merge Flow

When auto-merge is enabled (autonomyLevel: merge):

┌─────────────────┐
│  PR Created     │
└────────┬────────┘
         ↓
┌─────────────────┐
│  AI Review      │──→ needs_work? ──→ Stop
└────────┬────────┘
         ↓ (positive/neutral)
┌─────────────────┐
│  CI Runs        │──→ failed? ──→ Stop
└────────┬────────┘
         ↓ (success)
┌─────────────────┐
│  Human Approval │──→ not approved? ──→ Stop
│  (if required)  │
└────────┬────────┘
         ↓ (approved)
┌─────────────────┐
│  AUTO-MERGE     │
└─────────────────┘

API Key Security

API keys are encrypted using:

AES-256 encryption at rest
Organization-specific key derivation
Master secret from environment

Keys are never:

Logged
Exposed in responses
Shared with other orgs

Observe Integration

AI Review integrates with Statly Observe for automatic bug fixes:

Error captured in production
Stack trace linked to code via git blame
AI generates fix PR
CI runs tests
Auto-merge if tests pass (configurable)

Enable in Repository Settings → AI Review → Auto-fix from Observe.

API Reference

Get AI Settings

GET /api/v1/code/repos/{org}/{repo}/ai/settings
 
# Response
{
  "enabled": true,
  "modelProvider": "anthropic",
  "modelName": "claude-sonnet-4-20250514",
  "hasApiKey": true,
  "autoReviewPRs": true,
  "autonomyLevel": "suggest",
  "focusAreas": ["security", "performance"]
}

Update AI Settings

PATCH /api/v1/code/repos/{org}/{repo}/ai/settings
Content-Type: application/json
 
{
  "enabled": true,
  "modelProvider": "anthropic",
  "modelName": "claude-sonnet-4-20250514",
  "apiKey": "sk-ant-xxx",
  "autonomyLevel": "suggest"
}

Trigger AI Review

POST /api/v1/code/repos/{org}/{repo}/pulls/{number}/ai-review

Get Review Status

GET /api/v1/code/repos/{org}/{repo}/pulls/{number}/ai-review
 
# Response
{
  "status": "completed",
  "summary": "This PR looks good overall...",
  "overallSentiment": "positive",
  "suggestionsCount": 3,
  "securityIssues": 0,
  "performanceIssues": 1
}

Apply Suggestion

POST /api/v1/code/repos/{org}/{repo}/ai/suggestions/{id}/apply

Dismiss Suggestion

POST /api/v1/code/repos/{org}/{repo}/ai/suggestions/{id}/dismiss
Content-Type: application/json
 
{
  "reason": "Not applicable to this use case"
}

Costs

AI review costs depend on your provider and model:

Provider	Model	~Cost per PR Review
Anthropic	Claude Sonnet 4	$0.03 - $0.10
Anthropic	Claude 3.5 Haiku	$0.01 - $0.03
OpenAI	GPT-4o	$0.05 - $0.15
OpenAI	GPT-4o Mini	$0.01 - $0.05
Google	Gemini 1.5 Pro	$0.02 - $0.08
Google	Gemini 1.5 Flash	$0.01 - $0.03

Costs vary based on PR size. Large PRs with many files may cost more.

CI/CD Branch Protection