Set Up PR Reviews
CodeStax can dispatch reviews from supported GitHub, GitLab, and Bitbucket webhook events and can also start them manually from the PR Reviews dashboard.
How a review runs
Pull-request event or manual trigger
→ Resolve and clone the PR head
→ Analyze the diff and scan the checked-out head
→ Store findings, coverage, score, and gate result
→ Publish provider-supported comments, annotations, and statusPR reviews are not strictly diff-only. Deterministic and AI-assisted checks focus on changed code, while repository scanners evaluate the checked-out PR head. A scanner finding can therefore refer to code outside the changed lines.
Setup
What reviews analyze
Understand the result
Analyzer coverage
- Complete: required analyzer coverage reported clean.
- Degraded: analysis completed with one or more recoverable analyzer problems.
- Incomplete: required analyzer coverage did not complete, so evidence can be missing.
- Unverified: coverage metadata is unavailable, usually on an older review.
Gate decision
- Passed: policy passed with complete coverage.
- Failed: a configured condition failed.
- Pending: analysis or gate evaluation is still running.
- Inconclusive: CodeStax cannot assert a safe pass because evidence is degraded, incomplete, unverified, or missing.
A low risk score is not proof that a pull request is safe. The normalized score includes deterministic diff findings, accepted AI-assisted findings, and repository-scanner findings; scanner severity influences the final score and category totals. Review every finding and the analyzer coverage state together. Incomplete required analysis remains Inconclusive.
Provider-specific delivery
GitHub
- Results can be delivered as a summary, inline review comments, and a check/status.
- Require the CodeStax check in branch protection to block merges.
GitLab
- Results can be delivered as a summary, inline discussions, and a commit status.
- Require the CodeStax status through the project’s merge-check configuration.
Bitbucket
- Results can be delivered as a summary plus Code Insights reports and annotations.
- Bitbucket does not currently have the same durable inline review-thread delivery as GitHub and GitLab.
- Configure branch restrictions or merge checks to enforce the report.
Operational recommendations
- Test one repository and one protected branch before wider rollout.
- Treat degraded, incomplete, and unverified reviews as inconclusive.
- Start gates in reporting mode, measure false positives, then enable provider-side enforcement.
- Treat remediation text as guidance; validate it against repository context and run tests before changing code.
- Monitor provider-delivery status separately from analysis status; a review can complete even when publishing needs attention.
Related guides
- Set Up Quality Gates — Configure the canonical pass/fail criteria.
- Triage Vulnerabilities — Handle review findings.
- Configure Code Quality Tools — Adjust analyzer thresholds.