
Code Review

AI-powered code review for pull requests and merge requests

Beta Feature

Code Review is currently in beta. We're actively improving this feature based on user feedback.

Overview

Gitar automatically reviews your pull requests and merge requests on GitHub and GitLab, providing AI-powered feedback on security, bugs, performance, edge cases, and code quality. Reviews appear directly in your PR/MR as part of the Gitar dashboard comment.

Enabling Code Review

Code review can be enabled or disabled through the Gitar UI in your organization settings:

Enable Code Review in Organization Settings
  1. Navigate to your organization settings in the Gitar dashboard
  2. Locate the Code Review section under Features
  3. Enable the toggle to activate automatic code reviews

Once enabled, Gitar will automatically review all new pull requests and merge requests in your organization's repositories.

Controlling Code Review with Commands

You can override the organization-level setting on individual PRs using commands. Comment on your PR/MR with:

  • gitar code-review:on - Enable code review for this PR
  • gitar code-review:off - Disable code review for this PR

The dashboard comment displays the current code review status for the PR.

How It Works

Automatic Triggers

Code reviews run automatically when:

  • A new pull request or merge request is created
  • New commits are pushed to an open PR/MR

Review Process

Gitar analyzes your code changes through multiple specialized checks:

  • Security analysis: Vulnerabilities, unsafe patterns, input validation
  • Bug detection: Logic errors, null pointer risks, edge cases
  • Performance analysis: Algorithm complexity, database queries, memory usage
  • Code quality: Readability, maintainability, best practices

Custom Code Review Instructions

Custom instructions let the review agent apply project-specific rules, checks, or gotchas so the review matches your project's requirements. Configure them by adding a markdown file containing the instructions under the .gitar/review directory. Multiple files can be used to organize instructions by topic.

For example, we created a file named gitar-gotchas.md that documents some gotchas very specific to Gitar's codebase, like using info! for logging that requires operational visibility or leaving debug! for debugging locally, since our telemetry only renders logs with severity info or higher.
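The following is an added example of what such an instructions file could look like; it is not Gitar's actual gitar-gotchas.md, and the exact wording and rules are assumed. The directory and filename come from the text above; the logging guidance restates the gotcha described there, and the second section is a constructed illustration of a project-specific check a reviewer might ask for.

```markdown
<!-- .gitar/review/gitar-gotchas.md (example content, not Gitar's own file) -->

# Gitar codebase gotchas

## Logging severity

Our telemetry only renders log lines with severity `info` or higher.

- Use `info!` for anything that needs operational visibility in production.
- Use `debug!` only for output you expect to read while debugging locally;
  it will never appear in telemetry.
- Flag any `debug!` call whose message looks operational (request ids,
  error context, retry decisions) and suggest `info!` or `warn!` instead.
- Flag `info!` calls in hot loops, since they add telemetry volume without
  adding operational value.

## Sensitive values in logs (assumed illustrative rule)

- Flag any log line that interpolates tokens, API keys, or full request
  bodies, regardless of severity level.
- Prefer logging an identifier (user id, request id) over the value itself.
```

Because the review section can read several files, a team could keep this file for codebase quirks and add a sibling such as `.gitar/review/security-checks.md` (assumed name) for security-specific rules, keeping each file short and focused on one aspect.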

Review Output

Reviews are published in the Code Review section of the Gitar dashboard comment on your PR/MR:

Code Review in Dashboard Comment

The review includes:

  • Summary: Brief overview of findings at the top
  • Severity badges: Quick counts of critical/important/suggestion findings
  • Critical issues (if any): Expanded by default showing security vulnerabilities and blocking bugs
  • What Works Well: Positive feedback on good practices in your code

Each finding includes:

  • Category: Security, Bug, Performance, Edge Case, or Code Quality
  • Short description: One-line summary of the issue
  • Details: Expanded explanation with links to specific files and line numbers

Design Principles

Gitar's code review is built around a few core principles that shape how feedback is delivered:

Single Dashboard Comment

All review findings are consolidated into one comment that evolves as your code changes. When you push new commits, Gitar updates the existing comment rather than creating new ones. This gives you a single source of truth for all feedback: CI analysis, code review findings, and rule evaluations, all in one place.

No Inline Comments

We deliberately avoid inline comments by default. Traditional code review tools scatter comments across your diff, which creates notification fatigue and visual clutter. By consolidating feedback into the dashboard comment, you get one notification instead of dozens, and your interface stays clean and readable.

Resolved Findings Tracking

As you address issues and push fixes, Gitar tracks what's been resolved. The dashboard shows a collapsible section with resolved findings, so you can see your progress at a glance. This helps you stay confident that you're making headway and prevents Gitar from repeatedly flagging issues you've already fixed.