Language focus

AI code review for Ruby

Ruby rewards expressiveness: blocks, metaprogramming, and Rails conventions that hide complexity until traffic spikes. CodeCritic reviews your diff with focus on ActiveRecord query shapes, callback ordering, and mutation paths that RuboCop marks as fine.

Rails & RackSinatraBackground jobsPaste or GitHub PRFree tier

Online paste review · All languages

Review focus

What we look for in Ruby changes

Ruby defects often live in dynamism: methods defined at runtime, params permitted too broadly, and jobs retried without idempotency. We steer the model toward those seams, not trailing comma debates.

  • ActiveRecord: N+1 queries, `default_scope` surprises, counter caches out of sync, and transactions that nest incorrectly around callbacks.
  • Strong parameters and mass assignment: nested attributes permitting foreign keys, open redirects in `redirect_to`, and SQL fragments built from user input.
  • Concurrency and jobs: Sidekiq retries on non-idempotent work, Redis connection pool exhaustion, and thread-unsafe class variables in Puma workers.
  • Metaprogramming: `method_missing` chains, `define_method` overrides that shadow core APIs, and monkey patches that break gem upgrades silently.
  • Blocks and enumerables: accidental lazy evaluation, mutating collections while iterating, and `tap` blocks that return the wrong object.
  • Security: constantize on user strings, YAML unsafe load paths, shell interpolation in system calls, and secrets logged in `Rails.logger.info`.

AI review does not replace manual review of payment flows, PII retention, or gem CVE triage. Use it as a fast second pass before human owners sign off.

Stacks

Common Ruby codebases we see

Rails applications

CSRF skipped on JSON endpoints, `skip_before_action` on the wrong controller, and view helpers that mark HTML safe without sanitization.

API-only & Grape

Auth middleware order, entity exposure of internal IDs, and pagination cursors that leak sequential primary keys.

Gems & engines

Public API surface changes without semver bumps, Zeitwerk autoload paths that differ between host and engine.

Workflow

Run a Ruby review in minutes

Paste a model, service object, or job class to test signal, then connect GitHub when PR automation fits your merge cadence.
  1. 1

    Paste or connect a repo

    Sign up, open a new review, and paste a controller action, service, or serializer. For ongoing work, connect GitHub and target the PR with your Ruby changes.

  2. 2

    Let detection set context

    CodeCritic picks up Rails, Sinatra, or plain Ruby cues from requires and module names so feedback stays stack-specific.

  3. 3

    Triage by severity

    Issues arrive grouped with short explanations. Fix data integrity and auth bypass risks before style suggestions.

  4. 4

    Scale to PR comments

    Enable GitHub integration so the same engine comments on pull requests your team already merges through.

How to use it

Ruby review without drowning in noise

Paste a coherent slice: a service object with the model it updates, or a job with the mailer it enqueues - not a lone concern module.

Keep RuboCop and Brakeman in CI. CodeCritic targets reasoning: "this callback fires after commit but assumes row still exists" beats line length.

For metaprogramming-heavy diffs, add a sentence in the PR about the intended call path so reviewers do not guess runtime behavior.

GitHub integration anchors comments on the diff your team already argues about in review threads.

Paid tiers add API automation when every push to a billing gem should trigger the same scan.

Reproduce high-severity findings with a request spec or job test - AI can miss custom Devise hooks and Warden strategies.

Details: Integrations, Limitations, Pricing.

Framework guide: Rails code review guide

Code patterns

Ruby examples worth reviewing

Small slices from real PRs. Paste similar units in the browser or run on the GitHub diff that contains them.

Strong params bypass in Rails

def create
  @post = Post.new(params[:post])
  @post.save!
end

Sample findings

Typical Ruby review output

Blocking

Mass assignment without permit

params[:post] may include admin flags. Use strong parameters before save.

Before

Post.new(params[:post])

Suggested direction

Post.new(post_params)
# ...
def post_params
  params.require(:post).permit(:title, :body)
end

Illustrative patterns from real review categories. Your output depends on diff size, language, and context.

Before you merge Ruby

  • Context size: Include associations, validations, and callbacks affected by the change - not only the method body you edited.
  • Queries: Check new loops and view partials for N+1 patterns; bulletproof with `includes` or `preload` where needed.
  • User input: Trace params through permits, `find_by`, and raw SQL fragments - especially dynamic `order` clauses.
  • Human owner: Assign a reviewer who knows the feature flag and multi-tenant scoping rules the diff touches.

FAQ

Ruby code review FAQ

Yes. Include Rails imports and familiar patterns (models, jobs, controllers) so feedback references ActiveRecord and Rack behavior you rely on.

Try AI code review on your Ruby

Start free in the browser, then connect GitHub when the team wants reviews on every pull request.

How it works