Skip to Content
GuidesSet Up PR Reviews

Set Up PR Reviews

CodeStax can dispatch reviews from supported GitHub, GitLab, and Bitbucket webhook events and can also start them manually from the PR Reviews dashboard.

How a review runs

Pull-request event or manual trigger → Resolve and clone the PR head → Analyze the diff and scan the checked-out head → Store findings, coverage, score, and gate result → Publish provider-supported comments, annotations, and status

PR reviews are not strictly diff-only. Deterministic and AI-assisted checks focus on changed code, while repository scanners evaluate the checked-out PR head. A scanner finding can therefore refer to code outside the changed lines.

Setup

What reviews analyze

Understand the result

Analyzer coverage

  • Complete: required analyzer coverage reported clean.
  • Degraded: analysis completed with one or more recoverable analyzer problems.
  • Incomplete: required analyzer coverage did not complete, so evidence can be missing.
  • Unverified: coverage metadata is unavailable, usually on an older review.

Gate decision

  • Passed: policy passed with complete coverage.
  • Failed: a configured condition failed.
  • Pending: analysis or gate evaluation is still running.
  • Inconclusive: CodeStax cannot assert a safe pass because evidence is degraded, incomplete, unverified, or missing.

A low risk score is not proof that a pull request is safe. The normalized score includes deterministic diff findings, accepted AI-assisted findings, and repository-scanner findings; scanner severity influences the final score and category totals. Review every finding and the analyzer coverage state together. Incomplete required analysis remains Inconclusive.

Provider-specific delivery

GitHub

  • Results can be delivered as a summary, inline review comments, and a check/status.
  • Require the CodeStax check in branch protection to block merges.

GitLab

  • Results can be delivered as a summary, inline discussions, and a commit status.
  • Require the CodeStax status through the project’s merge-check configuration.

Bitbucket

  • Results can be delivered as a summary plus Code Insights reports and annotations.
  • Bitbucket does not currently have the same durable inline review-thread delivery as GitHub and GitLab.
  • Configure branch restrictions or merge checks to enforce the report.

Operational recommendations

  1. Test one repository and one protected branch before wider rollout.
  2. Treat degraded, incomplete, and unverified reviews as inconclusive.
  3. Start gates in reporting mode, measure false positives, then enable provider-side enforcement.
  4. Treat remediation text as guidance; validate it against repository context and run tests before changing code.
  5. Monitor provider-delivery status separately from analysis status; a review can complete even when publishing needs attention.