DEV Community

Vincenzo

I Built an AI Code Reviewer Bot for GitHub - Using Only GitHub Actions (No External APIs!)

I created a free, open-source GitHub Action that automatically reviews every pull request using GitHub's native capabilities. Zero external APIs, zero costs, 2-minute setup.

GitHub: https://github.com/basilevincenzo/ai-code-reviewer
Stars: ⭐ (please!)

The Problem

Code reviews are slow, expensive, and inconsistent:

  • Junior devs miss security issues
  • Teams can't afford dedicated reviewers
  • Manual reviews take hours
  • Knowledge isn't shared

I wanted a bot that:
✅ Works with ONLY GitHub (no external services)
✅ Catches real bugs automatically
✅ Costs absolutely nothing
✅ Requires zero configuration

The Solution: AI Code Reviewer Bot

A pure GitHub Action that:

🔍 Finds Security Issues

  • SQL Injection vulnerabilities
  • Hardcoded secrets (passwords, API keys)
  • Missing input validation
  • Debug code left in production

Instant Feedback

  • Reviews your PR in seconds
  • Comments on specific lines
  • Provides fix suggestions

💰 Completely Free

  • Uses GitHub's native capabilities
  • No external APIs
  • No credit card
  • Open source

How It Works

  1. You open a PR on GitHub
  2. GitHub Action is triggered (built-in)
  3. Bot downloads changed files from your repo
  4. Bot analyzes the code using GitHub's native tools
  5. Bot posts comments on your PR
  6. You get instant feedback

Everything stays within GitHub. No external dependencies.


Example

When you open a PR with this code:

// Deliberately vulnerable sample: user-controlled `id` is concatenated into the SQL string
function getUserById(id) {
  const query = "SELECT * FROM users WHERE id = " + id;
  return database.query(query);
}

// Hardcoded credential and leftover debug output
const API_KEY = "sk-1234567890";
console.log("Debug");

The bot will comment:
🔴 CRITICAL SQL Injection vulnerability detected. User input is concatenated directly into SQL query.
Suggestion: Use parameterized queries db.query('SELECT * FROM users WHERE id = ?', [id])
Why? Concatenating user input allows attackers to execute arbitrary SQL.
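To show what a line-level check for the three findings above looks like, here is an added example scanner written for this post. It is not the bot's own code; the rule set, severities and the embedded sample snippet are constructed here, and the regexes are intentionally simple (string-literal SQL concatenated with a variable, an assignment of a long string to a KEY/SECRET/PASSWORD/TOKEN name, and console.log calls).

```javascript
// Added example (not the project's code). Rules and sample are constructed.
const RULES = [
  {
    id: "sql-injection",
    severity: "CRITICAL",
    // A SQL keyword inside a string literal, followed by '+' and an identifier.
    pattern: /["'`][^"'`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"'`]*["'`]\s*\+\s*[A-Za-z_$]/i,
    message: "User input concatenated into SQL; use a parameterized query, e.g. db.query('SELECT * FROM users WHERE id = ?', [id])",
  },
  {
    id: "hardcoded-secret",
    severity: "HIGH",
    // A credential-looking name assigned a string literal of 6+ characters.
    pattern: /\b(API_KEY|SECRET|PASSWORD|TOKEN)\w*\s*=\s*["'][^"']{6,}["']/i,
    message: "Hardcoded credential; read it from an environment variable or a secrets store",
  },
  {
    id: "debug-code",
    severity: "LOW",
    pattern: /\bconsole\.log\s*\(/,
    message: "Debug logging left in code; remove it or route it through a logger",
  },
];

// Scan source text line by line; returns one finding per (line, rule) match,
// with 1-based line numbers so findings can be mapped onto PR comments.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ line: index + 1, id: rule.id, severity: rule.severity, message: rule.message });
      }
    }
  });
  return findings;
}

// Constructed sample: the snippet from the example above.
const SAMPLE = `function getUserById(id) {
  const query = "SELECT * FROM users WHERE id = " + id;
  return database.query(query);
}

const API_KEY = "sk-1234567890";
console.log("Debug");`;

for (const f of scanSource(SAMPLE)) {
  console.log(`${f.severity} line ${f.line} [${f.id}]: ${f.message}`);
}
```

Running it reports three findings (lines 2, 6 and 7 of the sample); the parameterized form from the suggestion above produces none.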


Why This Is Different

Other Solutions:

  • Require external APIs
  • Need credit cards
  • Add complexity
  • Cost money

This Solution:

  • Pure GitHub Actions
  • Zero external dependencies
  • Zero cost
  • Dead simple

Real World Example

I tested this on actual projects and it:

  • Caught a SQL injection in a user query
  • Found hardcoded database passwords
  • Spotted debug console.log() before production
  • Suggested parameterized queries
  • Improved team code quality

All without leaving GitHub.


Who Should Use This?

  • Solo developers - Free security scanning
  • Small teams - No budget for expensive tools
  • Startups - Keep costs at zero
  • Learning - Understand code quality patterns
  • Portfolio - Show security awareness

Installation

  1. Go to your GitHub repo
  2. Create .github/workflows/review.yml
  3. Copy the workflow from: https://github.com/basilevincenzo/ai-code-reviewer/blob/main/.github/workflows/review.yml
  4. Save and commit
  5. Open a PR - bot reviews automatically

Next Steps

  1. Star the repo ⭐
  2. Try it on your project
  3. Open an issue if you find bugs
  4. Contribute improvements!

No external dependencies, no APIs, no costs.
