Skip to Content
Review

Review

Review is Cendriix’s AI-powered code review surface. It analyzes every pull request across your connected repositories — GitHub, GitLab, Bitbucket, and Azure DevOps — to surface bugs, security vulnerabilities, and code quality issues with file-and-line precision. Each finding comes with an explanation and a suggested fix you can apply in one click. Access via Operate → Review in the sidebar.


How it works

Review watches the repositories you’ve connected. When you click Sync, it discovers new pull requests across all your SCM providers, creates a review record for each one, and queues them for AI analysis. The analysis pipeline runs five steps for every PR:

  1. Initialize review — creates the review record and marks it as running.
  2. Fetch PR diff — retrieves the unified diff directly from your SCM provider’s API (GitHub, GitLab, Bitbucket, or Azure DevOps).
  3. Analyze code changes — sends the diff plus relevant Cortex context to an AI model (Amazon Bedrock) that reviews the code for bugs, vulnerabilities, performance issues, and style problems.
  4. Run security scan — a focused pass over the diff looking for SAST findings: unsafe patterns, deprecated APIs, hardcoded secrets, and known CVEs in dependency changes.
  5. Generate findings — parses the model output into structured findings with severities, categories, file paths, line numbers, and suggested fixes, then completes the review with a verdict and risk score.

Each step’s status is tracked in real time. If any step fails, it’s marked accordingly and you can retry.

Multi-SCM support

Review works identically across all four supported source control providers:

ProviderAuth methodWhat Review accesses
GitHubGitHub App installation tokensPR diffs, commit files, PR comments, CI check runs
BitbucketOAuth / App Password via Marketplace token resolverPR diffs, PR comments, build statuses
GitLabOAuth via Marketplace token resolverMerge request diffs, MR notes, pipeline statuses
Azure DevOpsPAT / Entra ID OAuth via Marketplace token resolverPull request diffs, PR threads, build statuses

The provider is detected automatically from the PR URL. No extra configuration is needed once the repository connection is set up in Connectors.


The dashboard

The Review landing page shows two views: Repos and All Reviews.

Repos tab

Groups your pull requests by repository. Each row shows:

  • Repository name (e.g. cendriix-ai/cendriixai-app)
  • PR count — total pull requests in the current time window
  • Avg Risk — average risk score across all reviewed PRs in that repo
  • Merge status breakdown — how many are open, merged, or closed
  • Health indicator — a colored dot: green (healthy), amber (warning), or red (critical)

Expand a repo to see its individual PRs with verdict badges, risk scores, finding counts, and relative timestamps.

All Reviews tab

A flat list of every PR across all repositories. Supports:

  • Search — filter by repo name, PR title, or author
  • Verdict filter — Approved, Changes Requested, Blocked, Pending
  • Merge status filter — Open, Merged, Closed
  • Sort — by risk score, date, or finding count

Summary cards

At the top of the dashboard, five cards summarize the current state:

CardMeaning
Repos ReviewedNumber of repos with at least one reviewed PR
Avg RiskAverage risk score across all PRs
HealthyRepos where the latest review is Approved and avg risk is low
WarningRepos with high-severity open findings or Changes Requested verdict
CriticalRepos with critical open findings, a Blocked verdict, or avg risk above 50

Time-window behavior

The dashboard shows a rolling three-day window by default:

  • Open pull requests are always shown regardless of when they were created. An open PR from two weeks ago still appears.
  • Merged and closed pull requests are shown only if they were created within the last three days. This prevents the dashboard from filling up with old, already-handled PRs.

Risk score

The risk score is a number from 0 to 100 that represents the overall risk level of a pull request. It is computed by the AI model during analysis based on the severity and quantity of findings.

How it’s calculated

The risk score is determined by the AI code reviewer during the analysis step. The model evaluates the PR diff and assigns a score based on these guidelines:

RangeMeaningTypical triggers
0 — 20CleanNo issues found, or only trivial info-level notes
21 — 40LowMinor style or info-level findings only
41 — 60MediumSome medium-severity findings that deserve attention
61 — 80HighHigh-severity issues are present — bugs, security, or performance
81 — 100CriticalCritical vulnerabilities or blocking issues found

The model considers:

  • Finding severity distribution — the presence of critical or high-severity findings pushes the score higher.
  • Finding category mix — security and correctness issues weigh more than style.
  • Quantity — more findings generally increase the score.
  • Impact scope — issues affecting auth, data handling, or public APIs score higher than internal utilities.

The score is clamped to the 0—100 range and rounded to an integer. If the AI response cannot be parsed, the score defaults to 50 (medium).

Repo-level average

Each repository’s Avg Risk is the arithmetic mean of all individual PR risk scores in that repo (within the time window). This drives the dashboard summary cards and the repo health indicator.


Health status

Every repository gets a health status based on the combination of open findings, the latest verdict, and average risk.

StatusCriteria
Healthy (green)No high/critical open findings, latest verdict is not Blocked or Changes Requested, avg risk at or below 20
Warning (amber)Any high-severity open finding, latest verdict is Changes Requested, or avg risk between 21 and 50
Critical (red)Any critical-severity open finding, latest verdict is Blocked, or avg risk above 50

Verdicts

The verdict is the top-level assessment of a pull request.

VerdictWhen it’s assigned
ApprovedNo significant issues found. Low and info findings are acceptable.
Changes RequestedMedium or higher findings exist that should be addressed before merging.
BlockedAt least one critical or high-severity security or correctness finding exists.
PendingAnalysis has not started or is still running.
ErrorAnalysis failed or could not complete (e.g., diff fetch failure, model unavailable).

Findings

A finding is a single issue identified in the PR diff. Each finding has:

FieldDescription
Severitycritical, high, medium, low, or info
Categorysecurity, correctness, performance, style, or sast
TitleA short summary (e.g., “SQL injection via string concatenation”)
DescriptionA detailed explanation of why this is an issue
File pathThe exact file where the issue was found
Line numberThe line in the diff where the issue starts
SuggestionA suggested code change to fix the issue
Statusopen, resolved, dismissed, or false_positive

Bugs vs. Flags

The findings list is split into two groups:

  • Bugs — high-priority items: critical/high severity, or security/correctness category. These are real issues that should be fixed.
  • Flags — everything else worth a look: medium/low/info severity style, performance, or SAST findings.

Reviewing a pull request

Click on any PR to open a three-pane workspace:

Left pane — Findings list

All findings for this PR, split into Bugs and Flags tabs. Supports:

  • Severity filter — show only critical, high, medium, etc.
  • Category filter — security, correctness, performance, style, sast
  • Keyboard shortcutsj / k to navigate up/down, Esc to deselect

Center pane

Switch between three views:

ViewContent
AnalysisThe five analysis steps with real-time status indicators (running, completed, failed)
DiffThe full unified diff with a file tree sidebar, line counts, and findings highlighted inline
FindingA single finding in detail: severity badge, category, file and line, explanation, and suggested code change

Right pane — Details

  • PR metadata — title, author, branch, head SHA, merge status
  • CI checks — status of each check run (GitHub Actions, Bitbucket Pipelines, GitLab CI)
  • Self-review verdict — the AI’s overall assessment badge
  • Merge readiness — a self-review panel summarizing whether the PR is ready to merge
  • Chat — a built-in AI chat to ask follow-up questions about the review (uses the review context + Cortex knowledge)

Acting on findings

Resolve, dismiss, or reopen

Change the status of any finding. Mark it resolved when fixed, dismiss it as a false positive, or reopen it if you change your mind.

Post a comment

Send a pre-formatted review comment directly to the PR on your SCM (GitHub, GitLab, or Bitbucket). Azure DevOps comment posting is not yet supported. The comment includes the severity, file location, description, and suggested fix.

Apply Fix (auto-fix)

For any finding with a suggested code change, click Apply to commit the fix straight to the PR branch. Review:

  1. Reads the current file content from the PR’s head branch
  2. Applies the suggested change
  3. Commits and pushes to the PR branch with a descriptive commit message
  4. Updates the finding status to Resolved

This works on the following SCMs:

  • GitHub — uses the Contents API to read and commit
  • GitLab — uses the Commits API to create a commit
  • Bitbucket — uses the Source API to push a commit

Azure DevOps auto-fix is not yet supported.

After applying, a notification comment is automatically posted on the PR with details of what was fixed.

Fix with Cendra

For more complex fixes that need broader context, click Fix with Cendra. This opens a Cendra chat session pre-loaded with the PR context and finding details. Cendra can then make multi-file changes, run tests, and open a follow-up PR.

Export

Download the full review as a Markdown report. The report includes the verdict, risk score, all findings with descriptions and suggestions, and the PR metadata.


Sync

The Sync button on the dashboard triggers a full pull request discovery cycle:

  1. Queries each connected SCM for the latest pull requests across all repositories
  2. Creates review records for any PRs not yet tracked
  3. Updates merge status for existing reviews (marks merged/closed PRs accordingly)
  4. Queues pending and previously failed reviews for AI analysis

Sync is also triggered automatically on a polling interval while the Review page is open (every five minutes).

Merge status refresh

Review keeps merge status up to date in two ways:

  • Bulk sync — during Sync, all open reviews are checked against the SCM for merge/close events
  • Lazy refresh — when you open a specific review that hasn’t been synced in the last hour, a background check updates its merge status

Cortex integration

When analyzing a PR, Review queries Cortex for relevant knowledge atoms — documentation, architecture notes, dependency context — and includes them in the analysis prompt. This gives the AI reviewer deeper understanding of your codebase, so findings are more accurate and suggestions are more relevant.

If a PR modifies dependency files (package.json, Cargo.toml, pyproject.toml, go.mod, requirements.txt), the dependency changes are noted separately in the analysis context.


Keyboard shortcuts

KeyAction
jNext finding
kPrevious finding
dToggle diff view
EscDeselect / close

API reference

Review exposes a RESTful API at /v1/reviews. All endpoints require authentication and are scoped to the current tenant.

MethodEndpointDescription
GET/reviewsList reviews with filtering and pagination
GET/reviews/summaryDashboard summary (total reviews, avg risk, verdict distribution)
GET/reviews/reposPer-repository health stats
GET/reviews/metricsTime-series metrics for charts
GET/reviews/:idGet a single review with all findings
GET/reviews/pr/:owner/:repo/:prNumberLook up review by PR
POST/reviewsCreate a new review
POST/reviews/:id/completeComplete a review with verdict and findings
POST/reviews/:id/failMark a review as failed
POST/reviews/:id/analyzeTrigger AI analysis on a PR
PATCH/reviews/findings/:id/statusUpdate finding status (resolve, dismiss, reopen)
POST/reviews/:id/commentPost a comment to the PR
POST/reviews/:id/autofixApply an auto-fix for a finding
POST/reviews/:id/chatChat about the review
POST/reviews/syncTrigger PR discovery and sync

Query parameters

The list endpoints accept optional from and to parameters (ISO 8601 datetime) to control the time window. The default frontend behavior sends from as three days ago.

Filtering

ParameterTypeDescription
repostringFilter by repository name
verdictenumapproved, changes_requested, blocked, pending, error
merge_statusenumopen, merged, closed
risk_minnumberMinimum risk score (0—100)
risk_maxnumberMaximum risk score (0—100)
fromdatetimeStart of time window
todatetimeEnd of time window
pagenumberPage number (default 1)
limitnumberResults per page (1—100, default 20)

Webhook integration

Review supports inbound webhooks from CI/CD systems. When a GitHub Actions, GitLab CI, Bitbucket Pipelines, or Azure DevOps Pipelines run completes, a webhook can notify Review to trigger analysis on the associated PR. Configure webhooks in Settings → Integrations.


See also: Cockpit, Cendra, Cortex, Connectors, Policies & Guardrails

Last updated on