Set Up PR Reviews
CodeStax can automatically review every pull request in your connected repositories. When a PR is opened or updated, CodeStax analyzes the changed files, identifies security issues, and posts inline comments directly in your PR — with AI-generated fix suggestions.
How PR Reviews Work
Developer opens PR
→ Webhook triggers CodeStax
→ Changed files are analyzed
→ Findings posted as inline comments
→ Quality gate status set on the commit
PR reviews check the diff only — they focus on new or modified code, not the entire repository. This keeps reviews fast and relevant.
Setting Up Automated PR Reviews
What PR Reviews Analyze
PR Review Configuration
Navigate to Settings → Policies → Scanning Policies to configure:
| Setting | Default | Description |
|---|---|---|
| Auto-review on PR Open | On | Trigger review when a new PR is created |
| Auto-review on PR Update | Off | Re-run review when commits are pushed to an existing PR |
| Target Branches | main, develop | Comma-separated list of branches to protect |
| Default Scan Type | Smart | Scan depth: Smart (fast) or Full (thorough) |
Understanding PR Review Results
When a review completes, you’ll see:
Inline Comments
CodeStax posts comments directly on the affected lines in your PR. Each comment includes:
- What the issue is — vulnerability type, severity, and CWE reference
- Why it matters — risk explanation in plain language
- How to fix it — AI-generated code fix with before/after comparison
Commit Status
A status check appears on your PR:
- Passed — Risk score is below your threshold, no critical issues
- Failed — Quality gate conditions not met
If Block Merge on Gate Failure is enabled in your policies, failed PRs cannot be merged until issues are resolved.
Risk Score
Each PR review generates a risk score (0-100) based on:
- Number and severity of findings
- Type of vulnerabilities detected
- Whether secrets were found
- EPSS scores of any CVEs in dependency changes
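The following is an added illustration of the two mechanics described above, not code from CodeStax: a diff-only review keeps only the findings that land on lines a PR added or changed, and the commit status is derived from the risk score and the presence of critical findings. The unified diff, the findings, the severity weights, the secrets bump and the threshold of 50 are all constructed assumptions chosen for the example; CodeStax does not publish its scoring formula.

```python
"""Diff-only PR review and commit-status decision (added example, not CodeStax code).

Assumptions: severity weights, the secrets bump and the threshold are made up
for illustration; the diff and findings below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed unified diff: two files, one hunk each.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,3 +10,4 @@ def lookup(user):
     conn = get_conn()
-    q = "SELECT * FROM users WHERE name = ?"
+    q = "SELECT * FROM users WHERE name = '" + user + "'"
+    log(q)
     return conn.execute(q)
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -1,2 +1,3 @@
 import os
+API_KEY = "constructed-placeholder-not-a-real-key"
 def token(): ...
"""

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def changed_lines(diff_text: str) -> dict[str, set[int]]:
    """Return {path: set of new-file line numbers that were added or modified}."""
    changed: dict[str, set[int]] = {}
    path = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")      # new-file side names the path
            changed.setdefault(path, set())
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))             # first new-file line of the hunk
            continue
        if path is None or raw.startswith(("---", "diff --git")):
            continue
        if raw.startswith("+"):
            changed[path].add(new_line)            # added/modified line
            new_line += 1
        elif raw.startswith("-"):
            continue                               # removed line has no new-file number
        else:
            new_line += 1                          # unchanged context line
    return changed


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    severity: str          # "critical" | "high" | "medium" | "low"
    rule: str
    is_secret: bool = False


# Constructed findings, as a whole-file scanner might report them. The one on
# app/db.py:10 sits on an unchanged context line, so a diff-only review drops it.
FINDINGS = [
    Finding("app/db.py", 11, "high", "CWE-89 string-built SQL"),
    Finding("app/db.py", 10, "medium", "constructed pre-existing finding"),
    Finding("app/auth.py", 2, "critical", "CWE-798 hardcoded credential", is_secret=True),
]

SEVERITY_WEIGHT = {"critical": 40, "high": 20, "medium": 10, "low": 5}  # assumed weights
SECRET_BUMP = 20                                                         # assumed


def diff_only(findings: list[Finding], changed: dict[str, set[int]]) -> list[Finding]:
    """Keep only findings whose line was added or modified by the PR."""
    return [f for f in findings if f.line in changed.get(f.path, set())]


def risk_score(findings: list[Finding]) -> int:
    """Assumed scoring: severity-weighted sum plus a secrets bump, capped at 100."""
    score = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    if any(f.is_secret for f in findings):
        score += SECRET_BUMP
    return min(score, 100)


def commit_status(findings: list[Finding], threshold: int = 50) -> str:
    """Passed when the score is below the threshold and no finding is critical."""
    if risk_score(findings) < threshold and not any(f.severity == "critical" for f in findings):
        return "Passed"
    return "Failed"


if __name__ == "__main__":
    kept = diff_only(FINDINGS, changed_lines(SAMPLE_DIFF))
    for f in kept:
        print(f"{f.path}:{f.line} [{f.severity}] {f.rule}")
    print("risk score:", risk_score(kept), "status:", commit_status(kept))
```

Running the script keeps two of the three findings (the context-line finding is dropped), scores them 80 under the assumed weights, and sets the status to Failed because a critical finding is present; with only the high-severity finding the same rule would report Passed.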
Provider-Specific Setup
GitHub
- Install the CodeStax GitHub App from Settings → Integrations
- Grant access to the repositories you want reviewed
- PR comments appear as the CodeStax bot
GitLab
- Configure the GitLab integration with your access token
- PR reviews appear as Merge Request comments with inline notes
Bitbucket
- Connect via Bitbucket Cloud OAuth or Bitbucket Connect
- Reviews appear as PR comments with Code Insights annotations
Best Practices
- Start with Auto-review on PR Open only — avoid excessive reviews on every push
- Set target branches to main and develop — don’t review feature-to-feature branch PRs
- Use Smart scan type for PR reviews — Full scans take longer and may slow down PR velocity
- Enable Block Merge after your team is comfortable with the review process
- Review AI suggestions before applying — they’re highly accurate but may need context-specific adjustments
Related Guides
- Set Up Quality Gates — Configure the pass/fail criteria for PR reviews
- Triage Vulnerabilities — How to handle findings from PR reviews
- Configure Code Quality Tools — Adjust quality tool thresholds