AI Code Reviews on GitHub
Until now, Gemini helped you write code. This module flips the lens: Gemini reviews code arriving in your repository — yours, your teammates', and (after G06–G07) your agents'.
AI in the Pull Request
Every busy restaurant kitchen has an expeditor: the person who checks each plate before it leaves the pass — right dish? right temperature? anything missing? Without one, mistakes reach customers and the chef burns time on remakes. Most engineering teams use senior developers as expeditors, and it's the role they resent most: the bottleneck is real (PRs queueing for days), and humans are weakest at exactly the mechanical checks — spotting the unparameterized query on line 412 of a 600-line diff at 4:45pm. The Gemini Code Assist GitHub app is a tireless expeditor at the pass: it inspects every plate within minutes, flags the mechanical problems with severity labels, and frees your human reviewers for what humans are actually good at — judgment, architecture, "should we even build this?"
Gemini Code Assist on GitHub is a GitHub app (install from github.com/apps/gemini-code-assist) that activates on pull requests. On PR open it posts a summary of the change and a review: line-anchored comments, each tagged with a severity (Critical, High, Medium, Low), often including a committable suggested fix. It maintains persistent memory of prior interactions on the repo to reduce repeated nitpicks. GitLab and Bitbucket integrations exist on the Enterprise edition; an Enterprise-grade version with org-level controls is also available. The app is configured per-repo via files in a .gemini/ folder — covered below.
Review latency is a tax on every change a team ships: a PR that waits two days for review delays its feature by two days, every time. An AI first-pass arrives in minutes and clears the mechanical findings before the human looks, so human review time concentrates on design. And after G06: if agents write more of your code, automated review of agent output isn't a luxury — it's the control that keeps speed from outrunning safety.
How the GitHub App Works
The flow on every pull request:
- PR opened → the app posts a help message (optional), a summary of what the change does, and a full code review.
- Review comments appear inline on the exact lines, severity-labeled, with suggested fixes you can commit in one click where offered.
- You respond — commit fixes, reply to comments (tag
@gemini-code-assistor use/geminicommands), push updates. - Re-review on demand —
/gemini reviewruns a fresh pass over the updated diff.
The /gemini Commands
Type these as PR comments to drive the bot on demand:
| Command | Effect |
|---|---|
| /gemini summary | (Re)generate the PR summary |
| /gemini review | Run a fresh code review on the current diff |
| /gemini <question> | Ask anything in the context of this PR ("is this backwards compatible?") |
| /gemini help | List available commands |
You can also reply directly under any bot comment to debate a finding — the bot answers with the PR as context, and the exchange feeds its persistent memory for future reviews.
Tuning It: config.yaml & styleguide.md
Two files in a .gemini/ folder at the repo root customize the bot per-repository: config.yaml controls behavior (when it runs, how noisy it is), and styleguide.md controls judgment (your team's rules, in natural language — the PR-review equivalent of GEMINI.md).
comment_severity_threshold: MEDIUM: Low-severity nitpicks are where AI reviewers lose teams' trust — start at MEDIUM and lower it only if you find yourself wanting more. GOTCHA: the file must be on the repository's default branch to take effect.have_fun: false # no poems in PR summaries, thanks
code_review:
disable: false
comment_severity_threshold: MEDIUM # only Medium and above get comments
max_review_comments: -1 # -1 = unlimited
pull_request_opened:
help: false # skip the onboarding help comment
summary: true # post a summary on every new PR
code_review: true # review automatically on open
ignore_patterns: # paths the reviewer should skip
- "*.lock"
- "dist/**"
# Recipe Box Review Standards
## Must flag (treat as High)
- SQL built with f-strings or string concatenation (require parameterized queries)
- Routes that bypass storage.py and touch sqlite3 directly
- Endpoints returning non-JSON errors or wrong status codes
(created=201, deleted=204, bad input=400, missing=404)
- New code without corresponding pytest coverage
## Style preferences (Medium/Low)
- Type hints on all function signatures
- Google-style docstrings on public functions
- Tags and other user-supplied strings normalized to lowercase on write
## Do not flag
- Line length up to 100 characters
- Use of f-strings outside SQL contexts
Lab: Get a Real PR Reviewed
Prerequisites: the recipe-box GitHub repo from G07. You'll install the app, configure it, then open a PR containing a planted flaw and watch it get caught.
Install the app on your repo
Visit github.com/apps/gemini-code-assist → Install → choose your account → Only select repositories → recipe-box. (Free for public and private repos on the individual plan; org installs may need admin approval. Enterprise links the install to your Google Cloud subscription.)
Commit the configuration first
Create .gemini/config.yaml and .gemini/styleguide.md with the contents from the previous section, then:
git add .gemini/
git commit -m "Configure Gemini Code Assist PR reviews"
git push # must land on the default branch to take effect
Open a PR with a planted flaw
Create a branch with a CSV export endpoint written the wrong way on purpose:
git checkout -b csv-export
@app.route("/recipes/export", methods=["GET"])
def export_recipes():
rows = storage.list_recipes()
csv_text = "id,name,ingredients,minutes\n"
for r in rows:
csv_text += f"{r['id']},{r['name']},{';'.join(r['ingredients'])},{r['minutes']}\n"
return csv_text, 200, {"Content-Type": "text/csv"}
git add app.py
git commit -m "Add CSV export endpoint"
git push -u origin csv-export
gh pr create --title "Add CSV export endpoint" --body "Exports all recipes as CSV"
csv module); no test was added (your styleguide says High); and string concatenation in a loop. Let's see what the reviewer catches.Read the review like a teammate, not a defendant
Within a few minutes the bot posts its summary and review. For each finding, do one of three things — this discipline is the actual skill:
- Agree → fix. The CSV-escaping finding is correct: rewrite with
csv.writer+io.StringIO(ask your IDE Gemini to do it — full circle), commit, push. - Disagree → reply with reasoning. If it flags something your team intentionally does, reply under the comment explaining; persistent memory means it nags less next time.
- Unclear → interrogate. Comment
/gemini why is f-string CSV generation a problem? show a failing exampleand watch it answer with the PR as context.
After pushing fixes, comment /gemini review for a fresh pass.
Merge when clean
gh pr merge --squash
git checkout main; git pull
You closed the quality loop: the same standards you wrote for generation (GEMINI.md, G05) are now enforced at review (styleguide.md) — one set of rules guarding both the front door and the back. And you practiced the three-way response discipline (fix / push back / interrogate) that separates teams that benefit from AI review from teams that rubber-stamp it.
Knowledge Check
1. What happens automatically when a PR opens (default config)?
2. comment_severity_threshold: MEDIUM means…
3. The relationship between styleguide.md and GEMINI.md is best described as…
4. The bot flags something your team does intentionally. Best response?
5. Why does AI PR review become MORE important once teams use agent mode?
Quiz Complete!
Ready for G10: Google Cloud Integrations →