Mass assignment without permit
params[:post] may include admin flags. Use strong parameters before save.
Before
Post.new(params[:post])Suggested direction
Post.new(post_params)
# ...
def post_params
params.require(:post).permit(:title, :body)
endRuby rewards expressiveness: blocks, metaprogramming, and Rails conventions that hide complexity until traffic spikes. CodeCritic reviews your diff with focus on ActiveRecord query shapes, callback ordering, and mutation paths that RuboCop marks as fine.
Review focus
Ruby defects often live in dynamism: methods defined at runtime, params permitted too broadly, and jobs retried without idempotency. We steer the model toward those seams, not trailing comma debates.
AI review does not replace manual review of payment flows, PII retention, or gem CVE triage. Use it as a fast second pass before human owners sign off.
Stacks
CSRF skipped on JSON endpoints, `skip_before_action` on the wrong controller, and view helpers that mark HTML safe without sanitization.
Auth middleware order, entity exposure of internal IDs, and pagination cursors that leak sequential primary keys.
Public API surface changes without semver bumps, Zeitwerk autoload paths that differ between host and engine.
Workflow
Sign up, open a new review, and paste a controller action, service, or serializer. For ongoing work, connect GitHub and target the PR with your Ruby changes.
CodeCritic picks up Rails, Sinatra, or plain Ruby cues from requires and module names so feedback stays stack-specific.
Issues arrive grouped with short explanations. Fix data integrity and auth bypass risks before style suggestions.
Enable GitHub integration so the same engine comments on pull requests your team already merges through.
How to use it
Paste a coherent slice: a service object with the model it updates, or a job with the mailer it enqueues - not a lone concern module.
Keep RuboCop and Brakeman in CI. CodeCritic targets reasoning: "this callback fires after commit but assumes row still exists" beats line length.
For metaprogramming-heavy diffs, add a sentence in the PR about the intended call path so reviewers do not guess runtime behavior.
GitHub integration anchors comments on the diff your team already argues about in review threads.
Paid tiers add API automation when every push to a billing gem should trigger the same scan.
Reproduce high-severity findings with a request spec or job test - AI can miss custom Devise hooks and Warden strategies.
Details: Integrations, Limitations, Pricing.
Framework guide: Rails code review guide
Code patterns
Small slices from real PRs. Paste similar units in the browser or run on the GitHub diff that contains them.
def create
@post = Post.new(params[:post])
@post.save!
endSample findings
params[:post] may include admin flags. Use strong parameters before save.
Before
Post.new(params[:post])Suggested direction
Post.new(post_params)
# ...
def post_params
params.require(:post).permit(:title, :body)
endIllustrative patterns from real review categories. Your output depends on diff size, language, and context.
FAQ
Start free in the browser, then connect GitHub when the team wants reviews on every pull request.