Code Review

Reviewing AI-Generated Code

Code review takes on a new dimension with vibe coding. This chapter gives you strategies for effectively reviewing AI-generated code.

Why Review Remains Essential

“If an LLM wrote the code for you, and you then reviewed it, tested it thoroughly and made sure you could explain how it works to someone else—that’s not vibe coding, it’s software development.”

— Simon Willison

Review transforms vibe coding into professional development.

Specific Challenges

Code Volume

An agent can generate hundreds of lines in seconds. You can’t read every line like before.

Stylistic Consistency

AI code can be functional but inconsistent with the rest of the project.

Subtle Patterns

LLMs can introduce anti-patterns that “work” but are problematic:

  • Duplicated code instead of reusable functions
  • Incomplete error handling
  • Unnecessary dependencies

Overconfidence

After several successes, you might become less vigilant. That’s precisely when bugs slip through.

Review Strategies

1. The Funnel Review

Start broad, then zoom in:

Overview → Structure → Logic → Details

Level 1: Overview (30 seconds)

git diff --stat
# 15 files changed, 847 insertions(+), 234 deletions(-)

Questions:

  • How many files touched?
  • Is the volume consistent with the request?
  • Are there unexpected files?

Level 2: Structure (2 minutes)

git diff --name-only

Questions:

  • Is file organization logical?
  • Are there new folders? Are they appropriate?
  • Did config files change?

Level 3: Logic (5-10 minutes)

Read critical parts:

  • Entry points (main, index, app)
  • New public functions
  • Interface changes
  • Tests

Level 4: Details (as needed)

Zoom into sensitive areas:

  • Security
  • Performance
  • Edge cases
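The first two funnel levels can be scripted so the overview is the same every time and nothing is skipped because the diff looked boring. The Node script below is an added example, not code from this page or from any project: it parses the output of `git diff --numstat`, sorts each changed path into a risk bucket (CI workflows, dependency manifests, secret files, auth code, config, tests, other source), and prints the flags a reviewer should see before opening a single file. The bucket patterns, the size thresholds and the sample numstat output are assumptions constructed for the example.

```javascript
// Added example (not from the original page): first-pass triage for the
// "Overview" and "Structure" levels of the funnel review. Input is the text of
//   git diff --numstat <base>...HEAD
// (one line per file: "<added>\t<deleted>\t<path>", "-" for binary files).
// Bucket patterns, thresholds and the sample below are assumptions.

// Risk buckets, most sensitive first. A path lands in the first bucket it matches.
const BUCKETS = [
  { name: "ci",      test: (p) => /^\.github\/workflows\//.test(p) },
  { name: "deps",    test: (p) => /(^|\/)(package\.json|package-lock\.json|yarn\.lock|pnpm-lock\.yaml)$/.test(p) },
  { name: "secrets", test: (p) => /(^|\/)\.env(\.|$)|\.pem$|\.key$/.test(p) },
  { name: "auth",    test: (p) => /(auth|session|token|permission|crypto|password)/i.test(p) },
  { name: "config",  test: (p) => /(^|\/)[^\/]*\.config\.[cm]?js$|tsconfig.*\.json$|(^|\/)\.[^\/]+rc(\.[a-z]+)?$/.test(p) },
  { name: "tests",   test: (p) => /(^|\/)(__tests__|test|tests)\/|\.(test|spec)\.[jt]sx?$/.test(p) },
  { name: "source",  test: () => true },
];

function bucketFor(path) {
  return BUCKETS.find((b) => b.test(path)).name;
}

function parseNumstat(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const [added, deleted, path] = line.split("\t");
    // "-" marks a binary file: no line counts, but the path still matters.
    return {
      path,
      added: added === "-" ? 0 : Number(added),
      deleted: deleted === "-" ? 0 : Number(deleted),
      binary: added === "-",
    };
  });
}

// Thresholds are assumptions for the example.
const MAX_TOTAL_ADDED = 500; // beyond this, ask for the PR to be split
const MAX_FILE_ADDED = 200;  // one generated file this big deserves its own read

function triage(numstatText) {
  const files = parseNumstat(numstatText);
  const byBucket = {};
  const flags = [];
  let totalAdded = 0;
  let totalDeleted = 0;
  for (const f of files) {
    const bucket = bucketFor(f.path);
    (byBucket[bucket] || (byBucket[bucket] = [])).push(f.path);
    totalAdded += f.added;
    totalDeleted += f.deleted;
    if (f.binary) flags.push(`binary file added/changed: ${f.path}`);
    if (f.added > MAX_FILE_ADDED) flags.push(`large file: ${f.path} (+${f.added})`);
  }
  if (totalAdded > MAX_TOTAL_ADDED) flags.push(`PR adds ${totalAdded} lines; consider splitting`);
  for (const name of ["ci", "deps", "secrets", "auth"]) {
    if (byBucket[name]) flags.push(`${name} files touched: ${byBucket[name].join(", ")}`);
  }
  // Source changed with no test changes is a common shape for generated code.
  if (byBucket.source && !byBucket.tests) flags.push("source changed but no test files changed");
  return { fileCount: files.length, totalAdded, totalDeleted, byBucket, flags };
}

// Constructed sample of `git diff --numstat` output for a hypothetical PR.
const SAMPLE_NUMSTAT = [
  "12\t3\tsrc/app.js",
  "240\t0\tsrc/auth/login.js",
  "5\t1\tpackage.json",
  "310\t42\tpackage-lock.json",
  "8\t0\t.github/workflows/deploy.yml",
  "-\t-\tassets/logo.png",
].join("\n");

// Pass a file of real numstat output as the first argument, else use the sample.
const input = process.argv[2]
  ? require("fs").readFileSync(process.argv[2], "utf8")
  : SAMPLE_NUMSTAT;
const report = triage(input);
console.log(`${report.fileCount} files, +${report.totalAdded} -${report.totalDeleted}`);
for (const flag of report.flags) console.log("FLAG:", flag);
```

On a real branch, `git diff --numstat origin/main...HEAD > numstat.txt && node triage.js numstat.txt` answers the Level 1 and Level 2 questions in one screen; the `ci`, `deps`, `secrets` and `auth` buckets are where the Level 4 reading time goes first.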

2. Question-Based Review

Ask yourself systematic questions:

## Functionality
- [ ] Does the code do what was asked?
- [ ] Are edge cases handled?
- [ ] Is behavior predictable?

## Architecture
- [ ] Is the code in the right place?
- [ ] Are responsibilities clear?
- [ ] Are dependencies appropriate?

## Quality
- [ ] Is the code readable?
- [ ] Are names explicit?
- [ ] Is there duplication?

## Robustness
- [ ] Are errors handled?
- [ ] Are inputs validated?
- [ ] Are resources cleaned up?

## Security
- [ ] No hardcoded secrets?
- [ ] No injection possible?
- [ ] Auth/authorization OK?
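The three Security questions in the checklist are the ones an automated pass answers best, because the patterns are mechanical and the added lines of a PR are a small, well-defined input. The script below is an added example, not code from this page or any project: it walks a unified diff, looks only at the lines the PR adds, and reports hardcoded credentials and injection-prone sinks with the file and line number each will have after merge. The rule set is a starting point assumed for the example, and the sample diff is constructed.

```javascript
// Added example (not from the original page): scan the added lines of a
// unified diff (`git diff <base>...HEAD`) for hardcoded secrets and
// injection-prone sinks. Patterns are an assumed starting set; the sample
// diff at the bottom is constructed and is not real project code.

const SECRET_PATTERNS = [
  { id: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----/ },
  { id: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  // name = "literal of 8+ chars" for the usual credential-ish names
  { id: "hardcoded-credential",
    re: /\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'`][^"'`]{8,}["'`]/i },
];

const SINK_PATTERNS = [
  // query("..." + x) or query(`...${x}`): SQL built from strings
  { id: "sql-string-building", re: /\.(?:query|execute)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/ },
  // exec("..." + x) or exec(`...${x}`): shell commands built from strings
  { id: "shell-exec", re: /\b(?:exec|execSync|spawnSync?)\s*\(\s*(?:`[^`]*\$\{|["'][^"']*["']\s*\+)/ },
  { id: "dom-html-sink", re: /\.innerHTML\s*=|dangerouslySetInnerHTML/ },
  { id: "eval", re: /\b(?:eval|new Function)\s*\(/ },
];

// Walk a unified diff and collect added lines with their post-merge line numbers.
function addedLines(diffText) {
  const out = [];
  let file = null;
  let lineNo = 0;
  for (const raw of diffText.split("\n")) {
    if (raw.startsWith("+++ ")) {
      file = raw.slice(4).replace(/^b\//, "");
    } else if (raw.startsWith("@@")) {
      // "@@ -old,count +new,count @@": the new-side start resets the counter
      const m = /\+(\d+)(?:,\d+)?/.exec(raw);
      lineNo = m ? Number(m[1]) : 0;
    } else if (raw.startsWith("+")) {
      out.push({ file, line: lineNo, text: raw.slice(1) });
      lineNo++;
    } else if (!raw.startsWith("-") && !raw.startsWith("\\")) {
      lineNo++; // context line: advances the new-side counter, is not scanned
    }
  }
  return out;
}

function scanDiff(diffText) {
  const findings = [];
  for (const { file, line, text } of addedLines(diffText)) {
    for (const p of [...SECRET_PATTERNS, ...SINK_PATTERNS]) {
      if (p.re.test(text)) findings.push({ file, line, rule: p.id, text: text.trim() });
    }
  }
  return findings;
}

// Constructed unified diff for a hypothetical PR (the AWS key is the
// documented example key, not a live credential).
const SAMPLE_DIFF = `diff --git a/src/db.js b/src/db.js
--- a/src/db.js
+++ b/src/db.js
@@ -10,3 +10,5 @@ const pool = require("./pool");
 async function findUser(id) {
-  return pool.query("SELECT * FROM users WHERE id = $1", [id]);
+  return pool.query("SELECT * FROM users WHERE id = " + id);
 }
+
+const apiKey = "sk_live_0123456789abcdef";
diff --git a/src/auth/session.js b/src/auth/session.js
--- a/src/auth/session.js
+++ b/src/auth/session.js
@@ -1,2 +1,3 @@
 const crypto = require("crypto");
+const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
 module.exports = {};
`;

// Pass a saved diff as the first argument, else scan the sample.
const diffInput = process.argv[2]
  ? require("fs").readFileSync(process.argv[2], "utf8")
  : SAMPLE_DIFF;
for (const f of scanDiff(diffInput)) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
}
```

Because it reads only added lines, the scan is fast enough to run on every PR but says nothing about secrets that were already in the tree; a whole-repository scanner such as gitleaks covers that case. A removed line is never reported, so a PR that deletes a hardcoded key comes back clean, which is the right answer for this check.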

3. Differential Review

Compare with similar existing code:

# Find similar code in the project
grep -r "function login" src/

# Compare style
diff src/existing-auth.js src/new-auth.js

4. AI-Assisted Review

Use an agent to review another agent’s code:

"Review this code. Focus areas:
1. Security: are there vulnerabilities?
2. Performance: are there performance issues?
3. Maintainability: is the code easy to understand?
4. Tests: are important cases covered?"
Note: Meta-review

A reviewing model can miss the same things as the model that wrote the code, especially when it is the same model with the same blind spots. Use this as a complement, not a substitute for your judgment.

Effective Pull Requests

PR Template for AI Code

## Description
[Feature description]

## Type of change
- [ ] Feature
- [ ] Bugfix
- [ ] Refactoring
- [ ] Documentation

## Development method
- [ ] Manually written code
- [ ] AI-assisted code (with review)
- [ ] Vibe coding (minimal review)

## Review checklist
- [ ] I read the diff
- [ ] Tests pass
- [ ] No secrets in code
- [ ] Code follows project conventions
- [ ] I understand what the code does

## Tests performed
[Manual test description]

## Notes for reviewers
[Areas of particular attention]

Useful Labels

Create labels for visibility:

  • ai-generated: Code primarily generated by AI
  • needs-careful-review: Thorough review required
  • large-diff: Many changes
  • security-sensitive: Touches security

Review Guidelines

For your team:

# Code Review Guidelines (AI Era)

## For the author
1. Indicate if code is AI-generated
2. Explain what you verified
3. Mention areas of uncertainty

## For the reviewer
1. Don't blindly trust "it works"
2. Check edge cases
3. Question new dependencies
4. Test significant changes locally

## AI-code red flags
- Unusual dependencies
- Code too complex for the task
- Patterns inconsistent with project
- Missing or too simple error handling

Review Tools

Advanced Git Diff

# Diff with context
git diff -U10  # 10 lines of context

# Word-by-word diff
git diff --word-diff

# Diff ignoring whitespace
git diff -w

# Colored diff in less
git diff --color=always | less -R

# Stats only
git diff --stat

GitHub PR Review

# View a PR locally
gh pr checkout 123

# PR diff
gh pr diff 123

# Add a comment
gh pr review 123 --comment --body "Question about line X"

VS Code / Cursor

  • GitLens for inline history
  • GitHub Pull Requests extension
  • Integrated diff view

Review Patterns by Type

New File

Questions:
1. Should this file exist?
2. Is it in the right place?
3. Is the name appropriate?
4. Are exports correct?

Refactoring

Questions:
1. Is behavior preserved?
2. Do tests still pass?
3. Are dependents updated?
4. Is migration documented?

Bugfix

Questions:
1. Is the bug really fixed?
2. Is there a test proving it?
3. Does the fix introduce regressions?
4. Are similar cases checked?

New Dependency

Questions:
1. Is this dependency necessary?
2. Is it actively maintained?
3. Does it have known vulnerabilities?
4. What's its size/bundle impact?
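The first three questions can be partly answered from the manifests the PR changes, before anything is installed. The script below is an added example, not code from this page or any project: it diffs the old and new `package.json`, flags version specs that bypass the registry (git or tarball URLs) or float to whatever is newest, and checks the lockfile entries of the new packages for a registry host and an integrity hash. The package names, the lockfile content and the host allowlist are assumptions constructed for the example.

```javascript
// Added example (not from the original page): review the dependency changes a
// PR makes from package.json and package-lock.json alone. Package names,
// lockfile entries and the registry allowlist below are constructed.

const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumption: the only host we trust

function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
}

// Version specs that bypass the registry or pin nothing at all.
function specRisk(spec) {
  if (/^(git\+|github:|gitlab:|bitbucket:|https?:\/\/|file:)/.test(spec) || /\//.test(spec)) {
    return "non-registry source";
  }
  if (spec === "*" || spec === "latest" || spec === "") return "unpinned (any version)";
  return null;
}

function diffDependencies(oldPkg, newPkg) {
  const before = allDeps(oldPkg);
  const after = allDeps(newPkg);
  const added = [];
  const changed = [];
  for (const [name, spec] of Object.entries(after)) {
    if (!(name in before)) added.push({ name, spec, risk: specRisk(spec) });
    else if (before[name] !== spec) changed.push({ name, from: before[name], to: spec, risk: specRisk(spec) });
  }
  const removed = Object.keys(before).filter((n) => !(n in after));
  return { added, changed, removed };
}

// Extract the host from a "resolved" URL without depending on the URL class
// accepting git+ssh schemes.
function hostOf(resolved) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/]+@)?([^\/:#?]+)/i.exec(resolved || "");
  return m ? m[1] : null;
}

// Check lockfile (lockfileVersion 2/3 "packages" map) entries for the given names.
function auditLockEntries(lock, names) {
  const problems = [];
  const packages = lock.packages || {};
  for (const name of names) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    const host = hostOf(entry.resolved);
    if (!host || !REGISTRY_HOSTS.has(host)) problems.push(`${name}: resolved from ${entry.resolved || "unknown"}`);
    if (!entry.integrity) problems.push(`${name}: no integrity hash`);
  }
  return problems;
}

// Constructed manifests for a hypothetical PR; package names are made up.
const OLD_PKG = { dependencies: { express: "^4.18.2", pg: "^8.11.0" } };
const NEW_PKG = {
  dependencies: {
    express: "^4.18.2",
    pg: "^8.11.0",
    "example-date-utils": "^1.0.0",                          // hypothetical registry package
    "example-fast-auth": "github:example-org/example-fast-auth", // hypothetical, pulled straight from git
  },
  devDependencies: { jest: "*" },
};
const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/example-date-utils": {
      version: "1.0.0",
      resolved: "https://registry.npmjs.org/example-date-utils/-/example-date-utils-1.0.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==", // placeholder, not a real digest
    },
    "node_modules/example-fast-auth": {
      version: "0.3.0",
      resolved: "git+ssh://git@github.com/example-org/example-fast-auth.git#abc123",
    },
  },
};

const delta = diffDependencies(OLD_PKG, NEW_PKG);
for (const d of delta.added) console.log(`added ${d.name}@${d.spec}${d.risk ? "  <-- " + d.risk : ""}`);
for (const d of delta.changed) console.log(`changed ${d.name}: ${d.from} -> ${d.to}`);
for (const p of auditLockEntries(NEW_LOCK, delta.added.map((d) => d.name))) console.log("LOCK:", p);
```

Each flagged package then gets the online checks: `npm audit` for known vulnerabilities, `npm view <package> time` for the publish history (a package last published years ago, or minutes ago, both deserve a look), and a read of the repository before the dependency is accepted. A git source with no integrity field means the lockfile pins a commit but nothing verifies what was fetched against a hash the registry published, so that entry deserves the closest look.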

Automating Review

Automatic Checks

# .github/workflows/pr-checks.yml
name: PR Checks

on: pull_request

# Least privilege: these checks only need to read the repository
permissions:
  contents: read

jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # Install exactly what the lockfile says; fails if package.json and the lock disagree
      - name: Install
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Type check
        run: npm run typecheck

      - name: Tests
        run: npm test

      - name: Check bundle size
        uses: siddharthkp/bundlesize-action@v1

      - name: Check for console.log
        run: |
          # grep exits 0 when it finds a match, so this branch means "found"
          if grep -rn "console\.log" src/; then
            echo "::warning::console.log found in code"
          fi

Review Bot

# Additional step in .github/workflows/pr-checks.yml: Danger.js or similar
- name: Danger
  uses: danger/danger-js@v11
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

// dangerfile.js
import { danger, warn, fail } from "danger"

// The body is null when the PR has no description, so normalize it first
const body = danger.github.pr.body || ""

// Warn on big PRs
if (danger.github.pr.additions > 500) {
  warn("This PR is quite large. Consider breaking it up.")
}

// Require description
if (body.trim().length < 10) {
  fail("Please add a description to your PR")
}

// Check for AI mention: "generated" without "AI" suggests the method was left implicit
if (!/\bAI\b/.test(body) && /generated/i.test(body)) {
  warn("If this code was AI-generated, please indicate it explicitly")
}
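The dangerfile above checks the description text; the PR template and labels from earlier in this chapter allow stricter rules, such as refusing AI-generated code whose author has not ticked “I read the diff”. The code below is an added example, not from this page or from Danger’s own documentation: the rules are pure functions over the PR’s body, labels, size and file list, so they can be unit tested without a running PR, and they are wired into a dangerfile with one call. The label names and checklist wording come from this chapter’s template; the sample PR, the sensitive-path pattern and the size threshold are assumptions.

```javascript
// Added example (not from the original page): PR policy rules for AI-generated
// code as pure functions over PR metadata. The sample PR, the sensitive-path
// regex and the 500-line threshold are assumptions for the example.

// Parse "- [x] text" / "- [ ] text" items from a PR body into { text: checked }.
function parseChecklist(body) {
  const items = {};
  const re = /^\s*[-*]\s*\[([ xX])\]\s*(.+?)\s*$/gm;
  let m;
  while ((m = re.exec(body || "")) !== null) items[m[2]] = m[1] !== " ";
  return items;
}

// Paths that should carry the security-sensitive label when touched (assumption).
const SENSITIVE_PATH = /(auth|session|token|permission|crypto|password|\.github\/workflows\/|package(-lock)?\.json$)/i;

function evaluatePr(pr) {
  const checks = parseChecklist(pr.body);
  const labels = new Set(pr.labels || []);
  const files = pr.files || [];
  const failures = [];
  const warnings = [];

  if (!(pr.body || "").trim()) failures.push("PR has no description");

  // The template's "Development method" boxes or the label both mark AI code.
  const isAi = labels.has("ai-generated")
    || checks["AI-assisted code (with review)"]
    || checks["Vibe coding (minimal review)"];
  if (isAi) {
    if (!labels.has("ai-generated")) warnings.push("template marks this as AI code; add the ai-generated label");
    if (!checks["I read the diff"]) failures.push("AI-generated code: author must confirm they read the diff");
    if (!checks["I understand what the code does"]) failures.push("AI-generated code: author must confirm they understand it");
  }

  const sensitive = files.filter((f) => SENSITIVE_PATH.test(f));
  if (sensitive.length && !labels.has("security-sensitive")) {
    warnings.push(`touches sensitive paths (${sensitive.join(", ")}); add the security-sensitive label`);
  }
  if (pr.additions > 500 && !labels.has("large-diff")) {
    warnings.push(`${pr.additions} lines added; add the large-diff label or split the PR`);
  }
  // A lockfile change with no manifest change means resolutions moved on their own.
  const lockChanged = files.some((f) => /package-lock\.json$/.test(f));
  const manifestChanged = files.some((f) => /(^|\/)package\.json$/.test(f));
  if (lockChanged && !manifestChanged) warnings.push("package-lock.json changed without package.json; confirm the resolution changes are intended");

  return { failures, warnings };
}

// Constructed sample PR using the chapter's template (hypothetical feature).
const SAMPLE_PR = {
  body: `## Description
Add password reset flow.

## Development method
- [ ] Manually written code
- [x] AI-assisted code (with review)
- [ ] Vibe coding (minimal review)

## Review checklist
- [ ] I read the diff
- [x] Tests pass
- [x] No secrets in code
- [x] Code follows project conventions
- [x] I understand what the code does
`,
  labels: ["ai-generated"],
  additions: 640,
  files: ["src/auth/reset.js", "src/auth/reset.test.js", "package-lock.json"],
};

const verdict = evaluatePr(SAMPLE_PR);
for (const f of verdict.failures) console.log("FAIL:", f);
for (const w of verdict.warnings) console.log("WARN:", w);
```

In the dangerfile the wiring is a single call built from Danger’s DSL: `evaluatePr({ body: danger.github.pr.body, labels: danger.github.issue.labels.map((l) => l.name), additions: danger.github.pr.additions, files: [...danger.git.created_files, ...danger.git.modified_files] })`, followed by `fail()` for each entry in `failures` and `warn()` for each in `warnings`. Keeping the rules separate from the DSL is what makes them testable with a plain object, as the sample PR shows.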

Review as Learning

For Beginners

Reading AI-generated code is an excellent way to learn:

  1. Ask the agent to explain each part
  2. Compare with other approaches
  3. Look for reusable patterns

For the Experienced

It’s an opportunity to:

  1. See new approaches
  2. Challenge your habits
  3. Learn patterns from different communities (the LLM has seen a lot of code!)


Final chapter: Troubleshooting.