AI-Powered Code Review at Scale: Building a Multi-Provider VS Code Extension

How I built a bring-your-own-AI code review VS Code extension that found 12 critical security issues in my own codebase — including SQL injection risks I'd missed for months.

Code review is one of the highest-leverage activities in software development — and one of the most inconsistently applied. At scale, human reviewers miss things. Not because they're careless, but because code review is cognitively demanding work and humans are not consistent pattern-matchers across thousands of lines of code.

I built AI CodeReviewer as a VS Code extension after getting frustrated with the available options: expensive SaaS tools that required uploading your code to external services, or generic linters that didn't understand semantic issues. I wanted something I could run locally, configure with my own AI provider, and extend for specific review concerns.

The result found 12 critical security issues in my own codebase. Some of them had been there for months.

The Architecture: Multi-Provider AI Integration

The core design decision was provider-agnostic: the extension uses a pluggable backend that supports DeepSeek, Claude, OpenAI, or a local Ollama instance. The user brings their own API key and chooses their provider.

interface ReviewProvider {
  name: string;
  endpoint: string;
  model: string;
  reviewFile(content: string, filePath: string): Promise<ReviewResult>;
}

class DeepSeekProvider implements ReviewProvider {
  name = 'deepseek';
  endpoint = 'https://api.deepseek.com/chat/completions';
  model = 'deepseek-coder';

  // Bring-your-own-key: the key is supplied by the user and only ever
  // leaves the machine in the Authorization header of this request.
  constructor(private readonly apiKey: string) {}

  async reviewFile(content: string, filePath: string): Promise<ReviewResult> {
    const response = await fetch(this.endpoint, {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${this.apiKey}`,
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        model: this.model,
        messages: [
          { role: 'system', content: REVIEW_SYSTEM_PROMPT },
          { role: 'user', content: `Review this ${this.getLanguage(filePath)} file:\n\n${content}` }
        ]
      })
    });
    if (!response.ok) {
      throw new Error(`DeepSeek request failed with HTTP ${response.status}`);
    }
    return this.parseReviewResponse(await response.json());
  }

  // getLanguage() maps the file extension to the language name used in the
  // prompt; parseReviewResponse() turns the model's reply into a ReviewResult.
  // Both are defined elsewhere in the extension and are not shown here.
}

Each provider implements the same interface. Switching from DeepSeek to Claude is a configuration change, not a code change.

Cost Comparison by Provider

Provider        | Cost per file | Best for
----------------|---------------|-----------------------------
DeepSeek        | ~$0.0001      | Daily review, CI/CD
Ollama (local)  | $0            | Air-gapped, sensitive code
OpenAI GPT-4o   | ~$0.002       | High-stakes reviews
Claude Sonnet   | ~$0.001       | Complex architectural review

For routine code review on a codebase of 200 files, running DeepSeek costs under $0.02. The economics make daily automated review financially trivial.

How .reviewignore Works

Not all files deserve AI review. Generated code, vendored dependencies, minified assets — reviewing these wastes tokens and produces noise. The .reviewignore file follows .gitignore syntax:

# .reviewignore
node_modules/
dist/
*.min.js
migrations/
*.generated.ts
vendor/

The extension reads .reviewignore before scanning and excludes matching paths. For a typical Node.js project, this reduces the reviewable file count by 60-80% and ensures the AI focuses on code that humans actually wrote.
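
As an added example (not the extension's own code), here is a small .gitignore-style matcher that implements the .reviewignore behaviour described above: comments and blank lines are skipped, a trailing slash marks a directory, a pattern without a slash matches a name at any depth, and a leading "!" re-includes a path. The sample file list and the extra negation rule at the end of the sample ignore file are constructed for the demonstration.

```typescript
// Added example, not the extension's own code: a minimal .gitignore-style
// matcher for .reviewignore. Supports '#' comments, blank lines, a trailing
// '/' for directories, '*' and '?' globs and '!' negation (last match wins).
interface IgnoreRule { regex: RegExp; negate: boolean }

function globToRegex(pattern: string): RegExp {
  const dirOnly = pattern.endsWith('/');
  const core = pattern.replace(/\/$/, '');
  // A slash at the start or middle anchors the pattern to the project root;
  // otherwise it matches a name at any depth, which is git's rule.
  const anchored = core.includes('/');
  const body = core.replace(/^\//, '');
  let re = '';
  for (let i = 0; i < body.length; i++) {
    const c = body.charAt(i);
    if (c === '*') re += '[^/]*';
    else if (c === '?') re += '[^/]';
    else re += c.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  // Directory patterns match everything beneath them; file patterns match
  // the file itself or a directory of that name.
  return new RegExp((anchored ? '^' : '(^|/)') + re + (dirOnly ? '/' : '(/|$)'));
}

function parseReviewIgnore(text: string): IgnoreRule[] {
  return text.split(/\r?\n/).map(l => l.trim())
    .filter(l => l !== '' && !l.startsWith('#'))
    .map(l => ({ negate: l.startsWith('!'), regex: globToRegex(l.replace(/^!/, '')) }));
}

// Paths are repo-relative with '/' separators; unmatched paths are reviewed.
function isIgnored(relPath: string, rules: IgnoreRule[]): boolean {
  let ignored = false;
  for (const rule of rules) if (rule.regex.test(relPath)) ignored = !rule.negate;
  return ignored;
}

function filterReviewable(paths: string[], ignoreText: string): string[] {
  const rules = parseReviewIgnore(ignoreText);
  return paths.filter(p => !isIgnored(p, rules));
}

// Constructed sample input: the post's .reviewignore plus one negation rule.
const SAMPLE_REVIEWIGNORE = ['# .reviewignore', 'node_modules/', 'dist/', '*.min.js',
  'migrations/', '*.generated.ts', 'vendor/', '!public/polyfill.min.js'].join('\n');
const SAMPLE_FILES = ['src/index.ts', 'src/api.generated.ts', 'node_modules/lodash/lodash.js',
  'dist/app.js', 'public/app.min.js', 'public/polyfill.min.js', 'migrations/001_init.sql',
  'vendor/autoload.php', 'lib/auth.php'];
```

Running filterReviewable(SAMPLE_FILES, SAMPLE_REVIEWIGNORE) leaves only src/index.ts, public/polyfill.min.js and lib/auth.php for review; the rest are vendored, generated or minified and never reach the model.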

The Security Findings That Surprised Me

When I ran the first full review on my own PHP/JavaScript codebase, I expected style issues and maybe a few edge cases. I found 12 critical issues. The two that stood out:

SQL Injection via String Interpolation

// What I had (and somehow didn't catch in review): user input concatenated
// straight into the SQL string
$query = "SELECT * FROM users WHERE email = '" . $_POST['email'] . "'";
$result = mysqli_query($conn, $query);

// What it should be: a prepared statement, so the input is sent as a bound
// parameter and never parsed as SQL
$stmt = $conn->prepare("SELECT * FROM users WHERE email = ?");
$stmt->bind_param("s", $_POST['email']);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver

This pattern is SQL injection 101 — but it had survived multiple human reviews because it was buried in a legacy endpoint that rarely got touched. The AI flagged it immediately because it pattern-matches across the entire file simultaneously, not sequentially.

N+1 Query Problem

// Original: one DB call per user in the loop
const users = await User.findAll({ where: { active: true } });
for (const user of users) {
  user.orders = await Order.findAll({ where: { userId: user.id } });
}

// Correct: eager loading, a single query with a JOIN
const users = await User.findAll({
  where: { active: true },
  include: [{ model: Order }]
});

This wasn't a security issue, but it was a performance problem that would have caused real pain at scale. For a table with 10,000 active users, the first version executes 10,001 queries. The second executes 1.

These aren't exotic vulnerabilities requiring deep expertise. They're common patterns that human reviewers miss because they're reviewing code sequentially, under time pressure, without automated pattern matching.

Extending for New Languages

The extension currently supports PHP and JavaScript. Adding a new language requires:

  1. Adding the language to the file extension map
  2. Writing a language-specific system prompt that includes common patterns and anti-patterns
  3. Adding any language-specific ignore patterns

const LANGUAGE_PROMPTS: Record<string, string> = {
  php: `Review this PHP code for: SQL injection, XSS vulnerabilities,
        improper input validation, insecure file operations...`,
  javascript: `Review this JavaScript for: prototype pollution,
               ReDoS vulnerabilities, unsafe eval usage...`,
  python: `Review this Python for: command injection via subprocess,
           pickle deserialization, SSRF in requests...`
};

Python and Go support are on the roadmap. The review quality depends heavily on how well the system prompt captures language-specific security concerns.

The CI/CD Integration Vision

The current extension is developer-facing — you run it manually or on save. The natural evolution is pipeline integration: every pull request triggers an AI review before human review begins. Reviewers see the AI's findings before they start reading, which lets them allocate attention to issues the AI missed rather than rediscovering issues it already caught.

# GitHub Actions integration (roadmap)
- name: AI Code Review
  uses: girishsahu008/code-reviewer-action@v1
  with:
    provider: deepseek
    api-key: ${{ secrets.DEEPSEEK_API_KEY }}
    fail-on-severity: critical
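
As an added example (not the extension's or the action's code), the following shows one way to implement two pieces the post refers to but does not show: the parseReviewResponse step called by the provider class above, and the gate behind the fail-on-severity input of this workflow step. The finding fields, the five-level severity scale and the assumption that the system prompt asks the model for a JSON array of findings are mine; the model's reply is treated as untrusted text, so a stray Markdown fence is tolerated and malformed entries are dropped rather than trusted.

```typescript
// Added example, not the extension's own code. Assumed shapes: the system prompt
// asks the model for a JSON array of findings, and ReviewResult holds the validated
// findings for one file. The model's output is untrusted text and is validated.
type Severity = 'info' | 'low' | 'medium' | 'high' | 'critical';
const SEVERITY_RANK: Record<Severity, number> = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };

interface Finding { line: number; severity: Severity; title: string }
interface ReviewResult { filePath: string; findings: Finding[]; dropped: number; parseError: boolean }

function isSeverity(s: unknown): s is Severity { return typeof s === 'string' && s in SEVERITY_RANK; }

// Pulls the assistant message out of an OpenAI-style chat-completions response
// and strips a Markdown code fence if the model added one despite instructions.
function extractContent(completion: any): string {
  const raw: string = completion?.choices?.[0]?.message?.content ?? '';
  return raw.replace(/^\s*`{3}(?:json)?\s*/i, '').replace(/\s*`{3}\s*$/, '');
}

function parseReviewResponse(filePath: string, completion: unknown): ReviewResult {
  let items: unknown = [];
  let parseError = false;
  try { items = JSON.parse(extractContent(completion)); } catch { parseError = true; }
  const findings: Finding[] = [];
  let dropped = 0;
  for (const item of Array.isArray(items) ? items : []) {
    const f = (item ?? {}) as Record<string, unknown>;
    if (Number.isInteger(f.line) && (f.line as number) > 0 && isSeverity(f.severity) && typeof f.title === 'string') {
      findings.push({ line: f.line as number, severity: f.severity as Severity, title: f.title as string });
    } else dropped++;
  }
  return { filePath, findings, dropped, parseError };
}

// The gate behind the workflow's fail-on-severity input: fail the job when any
// finding in any reviewed file is at or above the configured threshold.
function shouldFail(results: ReviewResult[], threshold: Severity): boolean {
  const min = SEVERITY_RANK[threshold];
  return results.some(r => r.findings.some(f => SEVERITY_RANK[f.severity] >= min));
}

// Constructed sample: a fenced reply with two valid findings and one malformed entry.
const FENCE = '`'.repeat(3);
const SAMPLE_COMPLETION = { choices: [{ message: { content: FENCE + 'json\n' +
  '[{"line": 42, "severity": "critical", "title": "SQL injection via string interpolation"},\n' +
  ' {"line": 88, "severity": "low", "title": "N+1 query inside user loop"},\n' +
  ' {"line": "n/a", "severity": "urgent", "title": "malformed entry"}]\n' + FENCE } }] };
const SAMPLE_RESULT = parseReviewResponse('legacy/login.php', SAMPLE_COMPLETION);
```

With the sample above, SAMPLE_RESULT carries two findings and one dropped entry, and shouldFail([SAMPLE_RESULT], 'critical') is true, which is what would fail the pull request check.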

The extension is available at github.com/girishsahu008/CodeReviewer.

AI-powered code review is one of the fastest security wins available to any engineering team. The tooling is mature enough and cheap enough that there's no reason not to have it. If you're thinking about how to integrate this into your development workflow — or want a review of your current codebase before a major release — let's talk.
