The latest articles on DEV Community by Vincenzo (@basilevincenzo). https://dev.to/basilevincenzo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3901016%2Ff965c118-2713-4bba-b2ec-c7142041b4a0.jpeg https://dev.to/basilevincenzo en Vincenzo Mon, 27 Apr 2026 18:10:25 +0000 https://dev.to/basilevincenzo/i-built-an-ai-code-reviewer-bot-for-github-using-only-github-actions-no-external-apis-4c5d https://dev.to/basilevincenzo/i-built-an-ai-code-reviewer-bot-for-github-using-only-github-actions-no-external-apis-4c5d <p>I created a free, open-source GitHub Action that automatically reviews every pull request using GitHub's native capabilities. Zero external APIs, zero costs, 2-minute setup.</p> <p><strong>GitHub:</strong> <a href="https://github.com/basilevincenzo/ai-code-reviewer" rel="noopener noreferrer">https://github.com/basilevincenzo/ai-code-reviewer</a><br> <strong>Stars:</strong> ⭐ (please!)</p> <h2> The Problem </h2> <p>Code reviews are slow, expensive, and inconsistent:</p> <ul> <li>Junior devs miss security issues</li> <li>Teams can't afford dedicated reviewers</li> <li>Manual reviews take hours</li> <li>Knowledge isn't shared</li> </ul> <p>I wanted a bot that:<br> ✅ Works with ONLY GitHub (no external services)<br> ✅ Catches real bugs automatically<br> ✅ Costs absolutely nothing<br> ✅ Requires zero configuration</p> <h2> The Solution: AI Code Reviewer Bot </h2> <p>A pure GitHub Action that:</p> <p>🔍 <strong>Finds Security Issues</strong></p> <ul> <li>SQL Injection vulnerabilities</li> <li>Hardcoded secrets (passwords, API keys)</li> <li>Missing input validation</li> <li>Debug code left in production</li> </ul> <p>⚡ <strong>Instant Feedback</strong></p> <ul> <li>Reviews your PR in seconds</li> <li>Comments on specific lines</li> <li>Provides fix suggestions</li> </ul> <p>💰 <strong>Completely Free</strong></p> <ul> <li>Uses GitHub's native capabilities</li> <li>No external APIs</li> <li>No credit card</li> <li>Open source</li> </ul> <h2> How It Works </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1 You open a PR on GitHub 2 GitHub Action is triggered (built-in) 3 Bot downloads changed files from your repo 4 Bot analyzes the code using GitHub's native tools 5 Bot posts comments on your PR 6 You get instant feedback </code></pre> </div> <p><strong>Everything stays within GitHub. No external dependencies.</strong></p> <h2> Example </h2> <p>When you open a PR with this code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">function</span> <span class="nf">getUserById</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">SELECT * FROM users WHERE id = </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">id</span><span class="p">;</span> <span class="k">return</span> <span class="nx">database</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">API_KEY</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">sk-1234567890</span><span class="dl">"</span><span class="p">;</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Debug</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>The bot will comment:<br> 🔴 CRITICAL SQL Injection vulnerability detected. User input is concatenated directly into SQL query.<br> Suggestion: Use parameterized queries db.query('SELECT * FROM users WHERE id = ?', [id])<br> Why? Concatenating user input allows attackers to execute arbitrary SQL.</p> <h2> Why This Is Different </h2> <p>❌ <strong>Other Solutions:</strong></p> <ul> <li>Require external APIs</li> <li>Need credit cards</li> <li>Add complexity</li> <li>Cost money</li> </ul> <p>✅ <strong>This Solution:</strong></p> <ul> <li>Pure GitHub Actions</li> <li>Zero external dependencies</li> <li>Zero cost</li> <li>Dead simple</li> </ul> <h2> Real World Example </h2> <p>I tested this on actual projects and it:</p> <ul> <li>Caught a SQL injection in a user query</li> <li>Found hardcoded database passwords</li> <li>Spotted debug console.log() before production</li> <li>Suggested parameterized queries</li> <li>Improved team code quality</li> </ul> <p>All without leaving GitHub.</p> <h2> Who Should Use This? </h2> <ul> <li> <strong>Solo developers</strong> - Free security scanning</li> <li> <strong>Small teams</strong> - No budget for expensive tools</li> <li> <strong>Startups</strong> - Keep costs at zero</li> <li> <strong>Learning</strong> - Understand code quality patterns</li> <li> <strong>Portfolio</strong> - Show security awareness</li> </ul> <h2> Installation </h2> <ol> <li>Go to your GitHub repo</li> <li>Create <code>.github/workflows/review.yml</code> </li> <li>Copy the workflow from: <a href="https://github.com/basilevincenzo/ai-code-reviewer/blob/main/.github/workflows/review.yml" rel="noopener noreferrer">https://github.com/basilevincenzo/ai-code-reviewer/blob/main/.github/workflows/review.yml</a> </li> <li>Save and commit</li> <li>Open a PR - bot reviews automatically</li> </ol> <h2> Next Steps </h2> <ol> <li>Star the repo ⭐</li> <li>Try it on your project</li> <li>Open an issue if you find bugs</li> <li>Contribute improvements!</li> </ol> <p>No external dependencies, no APIs, no costs.</p> ai programming github