AI Code Review for Azure DevOps (Powered by GitHub Copilot)

Automatically review Pull Requests using GitHub Models API. Get instant feedback on security vulnerabilities, performance issues, and best practices.

Features

GitHub Models API — Uses GPT-4o, Llama 3.1, Mistral models via your GitHub account
Multi-Model Support — Choose from GPT-4o, GPT-4o-mini, Llama 3.1, Mistral Large
Automated PR Reviews — Runs automatically on every Pull Request
Multi-Language Support — Python, JavaScript/TypeScript, C#, Java, Go, Rust, C++, and more
Framework-Aware — React, Vue, Angular, FastAPI, Flask, Express, Spring, ASP.NET
Security Analysis — OWASP Top 10, injection vulnerabilities, authentication issues
Performance Review — Algorithm complexity, database queries, memory management
Custom Prompts — Tailor review focus to your team's needs
Inline Comments — Posts structured review comments directly on your PR

Quick Start

1. Install the Extension

Install from the Visual Studio Marketplace.

2. Create a GitHub PAT

Go to GitHub Settings > Developer Settings > Personal Access Tokens
Generate a new Fine-grained token:
- Repository access: Public
- Permission: Copilot Requests
Store as a secret variable GITHUB_PAT in your Azure DevOps pipeline

3. Add to Your Pipeline

trigger: none

pr:
  branches:
    include:
      - main
      - develop

pool:
  vmImage: 'ubuntu-latest'

steps:
- checkout: self
  fetchDepth: 0  # Required for full diff

- task: AICodeReview@2
  inputs:
    githubPat: $(GITHUB_PAT)
  env:
    SYSTEM_ACCESSTOKEN: $(System.AccessToken)

4. Enable OAuth Token

In your pipeline settings, ensure "Allow scripts to access the OAuth token" is enabled.

Configuration Options

Input	Required	Default	Description
`githubPat`	Yes	-	GitHub PAT with Copilot access
`adoPat`	No	System.AccessToken	Azure DevOps PAT (for on-prem)
`copilotModel`	No	`claude-sonnet-4.5`	AI model for review
`maxFiles`	No	`50`	Max files to review per PR
`maxLinesPerFile`	No	`1000`	Truncate files larger than this
`customPrompt`	No	-	Custom review instructions
`promptFile`	No	-	Path to prompt file (.txt)
`debug`	No	`false`	Enable verbose logging
`continueOnError`	No	`true`	Don't fail pipeline on review error

Available Models

Model	Speed	Quality	Notes
`claude-sonnet-4.5`	Fast	High	Default — best for code review
`claude-opus-4.5`	Slower	Highest	Most thorough (3x cost)
`claude-haiku-4.5`	Fastest	Good	Best for large PRs (0.33x cost)
`gpt-5.1-codex`	Fast	High	OpenAI code specialist
`gpt-5.1`	Fast	High	OpenAI flagship
`gpt-5`	Fast	High	Previous generation
`gemini-3-pro`	Fast	High	Google latest

Custom Review Prompts

Inline Prompt

- task: AICodeReview@2
  inputs:
    githubPat: $(GITHUB_PAT)
    copilotModel: 'gpt-4o'
    customPrompt: |
      Review this code focusing only on:
      - Security vulnerabilities (OWASP Top 10)
      - .NET 8 migration best practices
      - BACnet protocol handling patterns
      - Async/await correctness
      Keep comments concise and actionable.

Prompt File

Create a .copilot/review-prompt.txt in your repo:

- task: AICodeReview@2
  inputs:
    githubPat: $(GITHUB_PAT)
    promptFile: '$(Build.SourcesDirectory)/.copilot/review-prompt.txt'

Supported Languages

Language	Review Coverage
Python	PEP 8, type hints, async patterns, testing
JavaScript/TypeScript	Modern ES, async/await, error handling
C#/.NET	LINQ, async/await, null safety, DI, .NET 8 patterns
Java	Streams, Optional, Spring patterns
Go	Error handling, concurrency, interfaces
Rust	Ownership, error handling, unsafe code
C/C++	Memory management, RAII, modern C++

Supported Frameworks

Framework	Review Coverage
React	Hooks, performance, accessibility
Vue	Composition API, reactivity, Pinia
Angular	Signals, standalone components, RxJS
FastAPI	Async, Pydantic, dependency injection
Flask	Blueprints, error handling
Express	Middleware, error handling, security
Spring Boot	DI, transactions, JPA
ASP.NET Core	DI, async, minimal APIs, Row-Level Security

Review Output

The task posts a structured review comment on your PR:

## AI Code Review (Powered by GitHub Copilot)

Overall Assessment: CHANGES REQUESTED

> Found 2 security issues and 1 performance concern in the authentication module.

### Critical Issues

**1. SQL Injection Vulnerability** [security] `src/repository.py:45`
  - **Problem**: String concatenation used in SQL query
  - **Suggestion**: Use parameterized queries with SqlParameter

### Medium Priority

**1. Consider async/await** [performance] `src/service.cs:23`
  - **Problem**: Synchronous database calls blocking thread pool
  - **Suggestion**: Use async overloads with await for I/O operations

How It Works

┌─────────────────┐     ┌─────────────────┐     ┌────────────────┐
│   PR Created     │────▶│  Pipeline Runs   │────▶│  Fetch Diff    │
│  (Azure DevOps)  │     │  (Build Agent)   │     │  (git / API)   │
└─────────────────┘     └─────────────────┘     └───────┬────────┘
                                                        │
                        ┌─────────────────┐     ┌───────▼────────┐
                        │ Post PR Comment  │◀────│ Copilot CLI    │
                        │ (ADO REST API)   │     │ Reviews Diff   │
                        └─────────────────┘     └────────────────┘

PR trigger — Branch policy triggers the review pipeline
Fetch diff — Gets code changes via git diff (preferred) or Azure DevOps API
Copilot review — Sends diff to GitHub Copilot CLI with review prompt
Post results — Formats findings and posts as a PR comment thread

Privacy & Security

Code is sent to GitHub Copilot for analysis (same as using Copilot in your IDE)
GitHub PAT is handled as a secret and never logged
No code is stored by this extension beyond the pipeline run
Review results are posted only to your PR

Troubleshooting

"GitHub Copilot CLI not found"

Linux: The task auto-installs via https://gh.io/copilot-install. Ensure the agent has internet access and curl/bash are available.
Windows: Requires winget. MS-hosted agents have this by default.

Authentication errors

Verify your GitHub PAT has Copilot Requests permission
If your GitHub account is in an organization, ensure the admin has enabled Copilot CLI under GitHub Policies > Copilot
Ensure "Allow scripts to access OAuth token" is enabled in the pipeline

Empty review or no comments

Add fetchDepth: 0 to the checkout step for complete git history
Check pipeline logs for Copilot CLI output
For very large PRs, try setting a lower maxFiles value or use claude-haiku-4.5 for better handling of large context

Timeout errors

Large PRs may take longer. The default timeout is 10 minutes.
Consider using claude-haiku-4.5 for faster reviews on large PRs
Break large PRs into smaller, focused changes

Build Service permissions

If using System.AccessToken, the Build Service identity needs "Contribute to pull requests" permission:

Go to Repos > Manage repositories > Security
Find "[Project] Build Service ([Org])"
Set "Contribute to pull requests" to Allow

Support

License

MIT License - See LICENSE for details.

AI Code Review (GitHub Copilot)

Rachit Singhal