# Automated Code Review

> Set up automated pull request and merge request reviews with Droid

Set up automated code review for GitHub or GitLab repositories. Droid analyzes pull requests and merge requests, identifies issues, and posts feedback as inline comments. For GitHub repositories, the setup flow checks the Factory Droid GitHub App installation as part of configuring review automation.

<div style={{ display: 'flex', gap: '1rem', flexWrap: 'wrap' }}>
  <div style={{ flex: '1', minWidth: '300px' }}>
    <img src="https://mintcdn.com/factory-changelog-jul2/vEu9qy-36i8Z-SqR/guides/droid-exec/code-review-picture-1.png?fit=max&auto=format&n=vEu9qy-36i8Z-SqR&q=85&s=18ebf2c39b06f1598dff302899f30a93" alt="Factory Droid bot posting a code review summary with issues found" width="1442" height="682" data-path="guides/droid-exec/code-review-picture-1.png" />
  </div>

  <div style={{ flex: '1', minWidth: '300px' }}>
    <img src="https://mintcdn.com/factory-changelog-jul2/vEu9qy-36i8Z-SqR/guides/droid-exec/code-review-picture-2.png?fit=max&auto=format&n=vEu9qy-36i8Z-SqR&q=85&s=e1832bd5cc590126f9a2080445728955" alt="Factory Droid bot posting inline code review comment on specific lines" width="1430" height="760" data-path="guides/droid-exec/code-review-picture-2.png" />
  </div>
</div>

## Setup

Use the `/install-code-review` command to set up automated code review for GitHub or GitLab:

```bash theme={null}
droid
> /install-code-review
```

The guided flow will:

1. Detect your SCM platform (GitHub or GitLab)
2. Verify prerequisites (CLI tools, permissions)
3. Walk you through review configuration (depth, security, triggers)
4. Create a PR/MR with the workflow files

## How it works

Once enabled, the Droid Review workflow:

1. Triggers on pull request events (opened, synchronize, reopened, ready for review)
2. Skips draft PRs to avoid noise during development
3. Fetches the PR diff and existing comments
4. Analyzes code changes for bugs, security issues, and correctness problems
5. Posts inline comments on problematic lines
6. Submits an approval when no issues are found

## Authentication

Automated review needs two separate kinds of access: permission to run Droid, and permission to post on your pull requests. You set them up independently.

### 1. Factory API key (run Droid)

Droid runs using your Factory API key. Create one at [app.factory.ai/settings/api-keys](https://app.factory.ai/settings/api-keys), then add it to your repository or organization as a secret named `FACTORY_API_KEY`. The workflow passes it in like this:

```yaml theme={null}
- uses: Factory-AI/droid-action@main
  with:
    factory_api_key: ${{ secrets.FACTORY_API_KEY }}
```

This is required for every run.

### 2. GitHub access (post reviews)

To leave comments and approvals on your PRs, Droid needs a GitHub token. There are two ways to provide one:

* **Factory Droid GitHub App (default, recommended).** If you don't supply a token, the action securely requests one for the installed Factory Droid GitHub App. For most teams this is all you need: install the app on your repositories from [app.factory.ai/settings/organization](https://app.factory.ai/settings/organization) and you're done. It requires the `id-token: write` permission so the action can request the token:

  ```yaml theme={null}
  permissions:
    contents: write
    pull-requests: write
    issues: write
    id-token: write # required for GitHub App auth
  ```

* **Your own token (override).** If you'd rather use a personal access token or your own GitHub App, for example on GitHub Enterprise or to control which account posts comments, pass it as `github_token`. When set, Droid uses it directly and skips the app. The token needs write access to pull requests and repository contents.

  ```yaml theme={null}
  - uses: Factory-AI/droid-action@main
    with:
      factory_api_key: ${{ secrets.FACTORY_API_KEY }}
      github_token: ${{ secrets.MY_GITHUB_TOKEN }}
  ```

<Note>
  On GitLab, the same two pieces apply: set `FACTORY_API_KEY` and `GITLAB_TOKEN` as CI/CD variables. The `/install-code-review` flow configures both for you.
</Note>

For the security architecture behind the GitHub App, see [GitHub Integration Security](/enterprise/github-integration-security).

## Review depth

The `review_depth` input controls the thoroughness and cost of each review. You choose the depth during `/install-code-review` setup, or set it directly in your workflow.

* **`deep`** (default) — Thorough analysis with higher reasoning effort. Catches more subtle bugs but costs more per review. Best for production code and security-sensitive repos.
* **`shallow`** — Faster, more cost-effective reviews that cover surface-level issues. Good for high-volume repos, draft PRs, or teams watching spend.

```yaml theme={null}
with:
  automatic_review: true
  review_depth: deep  # or shallow
```

You can also override the model or reasoning effort directly with `review_model` and `reasoning_effort`, which take precedence over the depth preset.
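The fragments in the Authentication and Review depth sections above belong to one workflow file. The following is an added example that assembles them into a complete `.github/workflows/droid-review.yml`; it is not the file `/install-code-review` generates. The trigger types, permissions, secret name and action inputs are the ones documented on this page; the job name, `runs-on`, the `concurrency` group and the `actions/checkout` step are assumptions chosen for this example.

```yaml
# .github/workflows/droid-review.yml
# Added example assembling this page's fragments into one workflow.
# Not Factory's generated file: job name, runs-on, concurrency and the
# checkout step are assumptions; inputs, permissions and the trigger
# types are taken from this page.
name: Droid Review

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

# Least privilege: only what posting reviews and GitHub App auth need.
# id-token: write is required only for the default GitHub App path;
# remove it if you pass your own github_token instead.
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

# Assumption: one review per PR at a time; a new push cancels a stale run
# so the PR is not left with comments from a superseded diff.
concurrency:
  group: droid-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  code-review:
    # Draft PRs are skipped so work-in-progress pushes do not create noise.
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      # Assumption: Droid needs the repository contents available locally.
      - uses: actions/checkout@v4

      # Supply-chain note: @main is a mutable ref; once you have verified a
      # release, pin to its full commit SHA so the action cannot change
      # underneath you.
      - uses: Factory-AI/droid-action@main
        with:
          factory_api_key: ${{ secrets.FACTORY_API_KEY }}
          automatic_review: true
          review_depth: deep          # or shallow for high-volume repos
          include_suggestions: true
          # Override path: uncomment to post as your own identity and
          # skip the GitHub App (id-token: write is then not needed).
          # github_token: ${{ secrets.MY_GITHUB_TOKEN }}
```

Two properties of the `pull_request` trigger matter here. Workflows started by a pull request from a fork run with a read-only `GITHUB_TOKEN` and without access to repository secrets, so `FACTORY_API_KEY` is not available and this workflow will only review PRs opened from branches of the same repository; that is the safe default, since the alternative trigger that exposes secrets to fork PRs also runs with write access in the context of the base repository. Pinning the action to a commit SHA rather than `@main` is the standard hardening for the third-party-action dependency this workflow introduces.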

## Security review

Security review is a dedicated workflow for STRIDE, OWASP, OWASP LLM Top 10, and supply-chain analysis. See [Security Review](/enterprise/security-review) for automatic PR security reviews, scheduled scans, and local full-codebase audits with the built-in `security-review` skill.

## What Droid reviews

The automated reviewer focuses on clear bugs and issues:

* Dead/unreachable code
* Broken control flow (missing break, fallthrough bugs)
* Async/await mistakes
* Null/undefined dereferences
* Resource leaks
* SQL/XSS injection vulnerabilities
* Missing error handling
* Off-by-one errors
* Race conditions

It skips stylistic concerns, minor optimizations, and architectural opinions.

## Customizing the workflow

After the workflow is created, you can customize it by editing `.github/workflows/droid-review.yml` in your repository.

### Change the trigger conditions

Modify when reviews run:

```yaml theme={null}
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      - 'src/**'  # Only review changes in src/
      - '!**/*.test.ts'  # Skip test files
```

### Custom review guidelines

Add repository-specific review guidelines by creating a `.factory/skills/review-guidelines/SKILL.md` file in your repo:

```markdown theme={null}
<!-- .factory/skills/review-guidelines/SKILL.md -->

Additional checks for this codebase:
- React hooks rules violations
- Missing TypeScript types on public APIs
- Prisma query performance issues
```

These guidelines are automatically picked up and injected into every review run. No workflow changes needed.

### Change the model

Use a different model for reviews:

```bash theme={null}
droid exec --auto high --model claude-sonnet-4-5-20250929 -f prompt.txt
# Or use a faster model for quicker feedback:
droid exec --auto high --model claude-haiku-4-5-20251001 -f prompt.txt
```

### Skip certain PRs

Add conditions to skip reviews for specific cases:

```yaml theme={null}
jobs:
  code-review:
    # Skip bot PRs and PRs with [skip-review] in title
    if: |
      github.event.pull_request.draft == false &&
      !contains(github.event.pull_request.user.login, '[bot]') &&
      !contains(github.event.pull_request.title, '[skip-review]')
```

### Limit comment count

Adjust the maximum number of comments in the prompt:

```
Guidelines:
- Submit at most 5 comments total, prioritizing the most critical issues
```

## All workflow inputs

| Input                 | Default      | Description                                          |
| --------------------- | ------------ | ---------------------------------------------------- |
| `automatic_review`    | `false`      | Automatically review PRs without `@droid review`     |
| `review_depth`        | `deep`       | Review preset: `deep` (thorough) or `shallow` (fast) |
| `review_model`        | (from depth) | Override model for code review                       |
| `reasoning_effort`    | (from depth) | Override reasoning effort                            |
| `include_suggestions` | `true`       | Include code suggestion blocks in comments           |

Security review inputs are documented in [Security Review](/enterprise/security-review#configuration).

## See also

* [Security Review](/enterprise/security-review) - Security-focused PR reviews and full-codebase audits
* [GitHub Integration Security](/enterprise/github-integration-security) - Security architecture for the GitHub App integration
* [GitHub Actions examples](/guides/droid-exec/github-actions) - More automation workflows
* [Droid Exec](/cli/droid-exec/overview) - Running Droid in CI/CD environments
