AI code review for Python
Python teams move fast; that speed shows up as mutable defaults, import side effects, async lifetime bugs, and security footguns in stdlib APIs. CodeCritic reviews your diff with emphasis on behavior, packaging, and data-handling paths linters rarely reason about.
Review focus
Python defects worth catching pre-merge
We focus on changes that read innocent in isolation but fail under concurrency, bad inputs, or deploy layout - not on PEP8 nitpicks you already automate.
- Mutable defaults, shared class attributes used as instance state, and dataclasses with unexpected mutability.
- Exception handling that logs and swallows, broken `try/finally` ordering, and retries without idempotency guards.
- asyncio: tasks not awaited, blocking calls inside coroutines, and cancellation not propagated through context vars.
- Scientific stacks: dtype mismatches, silent broadcasting, and in-place mutations aliasing arrays downstream.
- Packaging: implicit namespace packages, missing `__init__.py` assumptions, and editable installs that differ from prod.
- Security: `pickle`, `yaml.load`, shell=True subprocesses, tempfile races, and debug flags left on in WSGI/ASGI settings.
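The security bullet above lists patterns a reviewer should flag on sight. As an added example that is not CodeCritic's code, here is a small stdlib-only AST scan that flags four of them (mutable defaults, `yaml.load` without an explicit `Loader`, `pickle.load(s)`, and `subprocess` calls with `shell=True`) over a constructed sample module:

```python
import ast

# Constructed sample source; it is only parsed, never executed.
SAMPLE = '''
import pickle, subprocess, yaml

def load_cfg(path, extra={}):
    with open(path) as fh:
        return yaml.load(fh)

def run(cmd):
    return subprocess.run(cmd, shell=True)

def thaw(blob):
    return pickle.loads(blob)

def safe(path):
    with open(path) as fh:
        return yaml.safe_load(fh)
'''

def _dotted(node):
    """Return 'mod.attr' for a call target like yaml.load, else the bare name."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return f"{node.value.id}.{node.attr}"
    if isinstance(node, ast.Name):
        return node.id
    return ""

def find_footguns(source):
    """Return sorted (lineno, message) pairs for the risky patterns in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            # kw_defaults holds None for keyword-only args without a default.
            for d in node.args.defaults + node.args.kw_defaults:
                if isinstance(d, (ast.List, ast.Dict, ast.Set)):
                    findings.append((d.lineno, "mutable default argument"))
        elif isinstance(node, ast.Call):
            target = _dotted(node.func)
            kwargs = {k.arg: k.value for k in node.keywords}
            shell = kwargs.get("shell")
            if target == "yaml.load" and "Loader" not in kwargs:
                findings.append((node.lineno, "yaml.load without explicit Loader"))
            elif target in ("pickle.load", "pickle.loads"):
                findings.append((node.lineno, "pickle deserialization (unsafe on untrusted input)"))
            elif target.startswith("subprocess.") and isinstance(shell, ast.Constant) and shell.value is True:
                findings.append((node.lineno, "subprocess with shell=True"))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, msg in find_footguns(SAMPLE):
        print(f"line {lineno}: {msg}")
```

`yaml.safe_load` in the sample is deliberately not reported, so the scan can be run over a real diff to separate the footguns from their hardened counterparts.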
Regulated workloads still need your retention, access, and subprocess policies from compliance - not a summary on a ticket.
Stacks
Common Python codebases we see
Web frameworks
Django ORM N+1 queries, raw SQL strings, CSRF-exempt views, and FastAPI dependency injection ordering.
Scripts & CLIs
Argparse edge cases, env var precedence, and exit codes that CI interprets as success when work failed.
Notebooks → prod
Hidden global state, non-deterministic cell order, and code copied into services without tests.
Workflow
Review Python before it hits main
1. Choose the right slice. Include the function, its callers or callees, and models it touches. For Django, add the view + serializer when the bug is in validation logic.
2. Run the review. CodeCritic returns grouped findings with plain-language fixes - prioritize security and correctness before style.
3. Reproduce locally. Validate critical items with tests or a minimal script. AI can misread dynamic metaprogramming; treat high-severity items as hypotheses.
4. Automate on GitHub. Wire PR reviews when the team wants every change to a payment or auth module scanned automatically.
Practice
Python reviews that save time
Type hints help humans; they also steer the model. Add hints on public functions when you paste isolated helpers.
Keep config out of business modules in the review when possible - a giant settings import drowns the actual change.
For data science code, note expected tensor/array shapes in the PR description; reviewers anchor on that context.
GitHub integration keeps feedback on the diff your team already argues about in PR comments.
Use company billing and API keys when multiple squads share the same Python monorepo.
Read the limitations page before sending customer PII through any automated tool.
Details: Integrations, Limitations, Pricing.
Python merge checklist
- Inputs: Validate external data at the boundary; do not trust `.get()` defaults to hide missing keys.
- Concurrency: If the diff touches async code, trace cancellation and shared state across tasks.
- Dependencies: Lockfiles or constraints updated when new native wheels or GPL deps appear.
- Observability: Logs must not print secrets; exceptions should carry enough context without dumping payloads.
Review your Python change
Start with a paste review on the free tier, then standardize on GitHub PRs when the signal proves out.