Code Review Bot

Automated Code Review That Catches Real Problems Before They Ship

Code review is the most effective quality gate in software development — and also the most time-consuming. The Code Review Bot adds an automated first-pass review to every pull request, posting inline comments on real issues (bugs, security vulnerabilities, missing error handling, performance problems) so your human reviewers can focus on the things that require actual judgment.

What It Does

This workflow triggers on every pull_request.opened and pull_request.synchronize event via GitHub webhook. Here's what happens within minutes of a PR being opened:

1. PR Parsing: The workflow extracts PR metadata — number, title, description, author, target branch, and the full diff. It handles diffs up to 2,000 lines.

2. Deep Diff Analysis: The entire diff is analyzed for:

• Security vulnerabilities: SQL injection, XSS, exposed secrets, auth bypasses, unsafe deserialization
• Logic bugs: off-by-one errors, null dereferences, race conditions, incorrect conditionals
• Missing error handling: uncaught exceptions on async calls, unhandled promise rejections, missing input validation
• Performance issues: N+1 queries, unbounded loops with external data, blocking I/O
• Test coverage gaps: new functions without tests, changed logic without updated tests
• Code quality: functions over 50 lines, missing JSDoc comments (per your configured conventions)

3. Inline GitHub Comments: For each issue found, a comment is posted directly on the relevant line in the PR diff with: the specific problem, why it matters, and a suggested fix. Comments are grouped by severity (critical → major → minor).

4. Summary Review Comment: A summary comment is posted with an overall assessment, issue count by severity, and the final verdict: approve, request-changes, or comment.

5. Verdict Thresholds: Configurable — 0 critical issues to auto-approve, 1+ critical issues to request changes by default.

Who This Is For

Engineering teams that want consistent, thorough first-pass code review without the time cost. Particularly valuable for teams where senior engineers are the bottleneck in the review process, or for open-source projects where every PR needs a consistent baseline review.

What's Included

• code-review-bot.yml — complete workflow with webhook trigger, diff analysis, inline commenting, and verdict logic
• Configurable review focus areas (security, bugs, performance, test coverage, code quality)
• Configurable team conventions (language, test requirements, style rules)
• Auto-approve and request-changes thresholds

Setup Steps

1. Install the workflow — copy code-review-bot.yml into your OpenClaw workspace
2. Set environment variables — add GITHUB_TOKEN (needs PR write permissions) and GITHUB_WEBHOOK_SECRET
3. Configure your repo — update the repo field in the workflow config
4. Set your team conventions — edit team_conventions to reflect your language, style, and test requirements
5. Adjust thresholds — set auto_approve_threshold and request_changes_threshold per your preferences
6. Register the GitHub webhook — point to /webhooks/github with pull_request events

What It Won't Flag

The bot is configured to ignore style nitpicks by default — naming conventions, whitespace, minor formatting. It focuses on things that actually break software or create security risks. This is intentional: blocking a good PR over a variable name is worse than the style issue itself.

Why This Beats Waiting for Human Review

The average senior engineer takes 20–60 minutes to review a substantial PR. With this bot, every PR gets a first-pass review within minutes, 24/7. When your senior engineer does review, they can focus on architecture, business logic, and the specific issues the bot flagged — not on scanning line-by-line for obvious mistakes.

Result: more issues caught before merge, faster PR cycles, and senior engineers spending their review time on the things that require their expertise.