ReviewPilot: The AI-Native Code Reviewer for Your Terminal

Published: February 12, 2026 at 04:35 AM EST
4 min read
Source: Dev.to

Overview

ReviewPilot is a pre‑commit analyzer that acts like a senior engineer reviewing your git diff in real‑time. It detects:

  • Hard‑coded secrets (API keys, tokens)
  • Dangerous functions (eval(), innerHTML assignments)
  • Console statements, debuggers, and other style issues
  • Breaking API signature changes
  • Performance regressions (file size, complexity)

Typical PRs take 4‑6 hours for the first review, with ≈60 % of comments about style or trivial issues. ReviewPilot automates the bulk of this work.

Benchmark Repository

A small repo containing 7 intentional bugs (hard‑coded AWS keys, eval(), stray console.log, etc.) is used to demonstrate the tool.

# Clone the benchmark repo
git clone https://github.com/Gokul287/Review-Pilot.git
cd Review-Pilot/examples/benchmark-repo

# Prepare the repo (adds the intentional bugs)
chmod +x setup.sh && ./setup.sh

Running ReviewPilot against this repo catches all 7 issues in 4.2 seconds.

9‑Step AI Pipeline

Step             | What It Checks                                  | Powered By
Smart Linting    | Heuristics → AST → Entropy → ML → Copilot       | Babel, Shannon entropy, Naïve Bayes
Breaking Changes | API signature diffs (AST comparison)            | AST diff engine
Test Coverage    | Untested code paths                             | Heuristic analysis + Copilot
Performance      | File size, complexity limits                    | AST metrics
PR Description   | Structured markdown generation                  | Copilot CLI
Auto‑Fix         | One‑command fixes (built‑in + Copilot)          | Copilot
.env Scanning    | Hard‑coded secrets in env files                 | Entropy detection
Plugin Rules     | Custom team standards (.reviewpilot-rules/)     | Plugin system
ML Filtering     | False‑positive reduction                        | Naïve Bayes classifier

Copilot powers 4 of the 9 steps (≈44 % AI‑driven).

Performance & Accuracy

  • Speed: 7 issues detected in 4.2 s (benchmark repo)
  • Tests: 142 / 142 passing (100 % coverage)
  • Accuracy: 100 % on the benchmark (7 / 7 issues caught)
  • Code size: ~1,200 LOC core + 800 LOC tests

Real‑World Examples

1. Detect Hard‑Coded AWS Keys

Prompt

Implement Shannon entropy calculation in JavaScript.
Flag strings with >4.5 bits/char entropy that match AWS patterns (AKIA…) or JWT tokens.

Result – Generated src/utils/entropy.js that flags all three real API keys with 0 false positives.

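An added example of the entropy check this prompt asks for (not ReviewPilot's own src/utils/entropy.js; the regexes, the per-rule thresholds and the sample diff are assumptions). It also handles a caveat a fixed 4.5 bits/char gate misses: a string of length L carries at most log2(L) bits/char, so a 20-character AKIA id can never reach 4.5 by itself and needs its own threshold.

```javascript
// Added example, not ReviewPilot's src/utils/entropy.js: Shannon entropy secret
// check over added git-diff lines. Regexes, thresholds and sample are assumed.
function shannonEntropy(s) {        // H = -sum(p_i * log2(p_i)), bits per char
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// A string of length L carries at most log2(L) bits/char, so a 20-char AWS access
// key id (max ~4.32) can never pass a fixed 4.5 gate; each rule gets its own
// minimum and the page's 4.5 is kept for JWTs.
const RULES = [
  { rule: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g, minEntropy: 3.0 },
  { rule: 'jwt', re: /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/g, minEntropy: 4.5 },
];

// Scan only added ('+') lines; the entropy gate drops placeholder values that
// match a rule's shape but carry no randomness.
function scanDiff(diffText) {
  const findings = [];
  diffText.split('\n').forEach((raw, i) => {
    if (!raw.startsWith('+') || raw.startsWith('+++')) return;
    for (const { rule, re, minEntropy } of RULES) {
      for (const m of raw.slice(1).matchAll(re)) {
        const entropy = shannonEntropy(m[0]);
        if (entropy >= minEntropy) findings.push({ line: i + 1, rule, token: m[0], entropy });
      }
    }
  });
  return findings;
}

// Constructed sample diff: the AWS documentation example key id, an all-'A'
// placeholder id, a high-entropy JWT-shaped token and a dummy one.
const SAMPLE_DIFF = [
  '--- a/config.js',
  '+++ b/config.js',
  '+const accessKeyId = "AKIAIOSFODNN7EXAMPLE";',
  '+const placeholder = "AKIA' + 'A'.repeat(16) + '";',
  '+const token = "eyJabcdfghiklmnop.qrstuvwxz0123456.789ABCDEFGHIKLMN";',
  '+const dummyToken = "eyJaaaaaaaa.aaaaaaaa.aaaaaaaa";',
  '+console.log("boot");',
].join('\n');
for (const f of scanDiff(SAMPLE_DIFF)) console.log(`line ${f.line}: ${f.rule} (${f.entropy.toFixed(2)} bits/char)`);
```

Only the documentation key id and the high-entropy JWT are reported; the all-'A' id and the dummy token match the shapes but fail the entropy gate.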
2. Circuit‑Breaker for Copilot CLI Calls

Prompt

Implement a circuit breaker pattern with exponential backoff for async GitHub Copilot CLI calls.
Track failures and trip after 5 consecutive errors.

Result – Added a state‑tracking wrapper with retry logic; the tool now runs 100 % reliably offline (heuristic mode).

3. Unsafe DOM Manipulation Detection

Prompt

Using @babel/parser, detect patterns like
'innerHTML = userInput' or 'eval()' calls in JavaScript AST.

Result – Traversal logic with visitor pattern catches 12 AST‑level patterns (XSS, empty catches, etc.).

How It Works (Input → Output Flow)

git diff

1️⃣ Heuristic Rules          → console.log, debugger, eval
2️⃣ Entropy Detection        → API keys, tokens (Shannon)
3️⃣ AST Analysis             → XSS, empty catches, complexity
4️⃣ .env Scanning            → Hard‑coded secrets
5️⃣ Performance Budgets      → File size, function length
6️⃣ Plugin Rules             → Custom team standards
7️⃣ ML Filtering             → Naïve Bayes false‑positive reduction
8️⃣ Copilot Semantic         → Logic errors, race conditions
9️⃣ Auto‑Fix (optional)      → Interactive approval

Findings + Auto‑fixes (or report)

Feature Comparison

Feature          | ReviewPilot    | ESLint     | SonarQube
AI‑Powered       | ✅ Copilot     |            |
Entropy Secrets  | ✅ Shannon     |            | ⚠️ Basic
Breaking Changes | ✅ API diff    |            |
Local + Offline  |                |            | ❌ (server)
Auto‑Fix         | ✅ Interactive | ⚠️ Limited |
Setup Time       | 2 min          | 5 min      | Hours
Cost             | Free           | Free       | $150+/mo

Setup Instructions

# Install globally (or use npm link from repo root)
npm install -g reviewpilot

# Run the analysis on the benchmark repo
reviewpilot check --save --verbose
# Expected: 7 findings in <15 seconds

Auto‑Fix Issues

reviewpilot fix --interactive
# Interactive mode lets you approve/skip each suggested fix

Additional Resources

Built with Node.js, 142 tests, and the GitHub Copilot CLI. Catches issues so your teammates don’t have to. ❤️
