Bot Review: Should I Code Review The Brilliant AI?


Most people would agree that code reviews are essential. They raise code quality, minimize bugs and risks, and promote accountability and knowledge sharing within teams.

But here’s the question: should we review code generated by AI assistants like Copilot or Cursor? The argument against might be that their code quality often exceeds the average developer’s. It’s clean, well-structured, and likely sourced from millions, if not billions, of lines of code. Why not treat it like an open-source library, as a black box? After all, we don’t typically perform full reviews of open-source code (except for security audits). Skipping reviews could allow for exponentially faster code generation with fewer blockers.

Here’s my take:
Code reviews must still be done because there are critical aspects beyond just accelerating development velocity. Let me explain:

1. Operational Ownership

Your engineers must know what they’re pushing to production. They’ll need to monitor it, troubleshoot incidents, fix bugs, and maintain it. Faster development without review can lead to slower bug fixes and incident resolution when issues inevitably arise.

2. Knowledge Redundancy

Code reviews foster shared understanding across the team. If engineers only share knowledge during a production incident, you’re already in trouble. A review process ensures that operational context and code ownership aren’t siloed.

3. Best Practices Alignment

Code reviews help ensure alignment with engineering standards. They verify the use of shared libraries, services, and patterns, while considering efficiency, availability, cost, and risk. This consistency across repositories not only improves maintainability but also enhances operational readiness.

4. Bug Detection

AI-generated code often doesn’t account for edge cases specific to your organization or failure scenarios outside the “success path.” Additionally, writing code helps engineers internalize its logic. Without this, there’s a higher chance of missing critical requirements.

Embracing the AI Era in Software Development

We are in a transformative era, where AI offers tremendous opportunities to refine the software development lifecycle (SDLC). Here are three strategies to make the most of AI-generated code:

1. Make Organizational Standards AI-Friendly

Define and document schemas, templates, catalogs, and frameworks (e.g., GraphQL, gRPC). Ensure your AI tools can reference these standards when generating code. Providing examples of compliant code can further guide AI to produce outputs that align with your organization’s requirements.

2. Automate Code Reviews

Leverage automated tools to identify code quality and security issues before human reviewers step in. This not only lightens the workload for reviewers but also accelerates the overall review process, ensuring only higher-quality code reaches production.

3. Increase Testing Coverage

Expand your focus on functional, system, and integration tests. While AI can produce code quickly, broad testing coverage ensures the generated code aligns with your organization’s unique requirements and performs reliably across all scenarios.

Discover more from THE CTO DILEMMA
