Unveiling Tabnine’s Code Review Agent: Improving quality, security, and compliance uniquely for every development team
Shantanu Kedar, 6 minutes, October 29, 2024

When we think of generative AI, we most often think about its ability to create materials based on prompts and directions. In software development, we see that in action every day as AI code assistants like Tabnine generate code, documentation, tests, and more from plain text or documented requirements. The impacts on productivity have already been transformative. However, just as AI is capable of writing code like a human, AI is also capable of reading code like a human. 

That means AI’s greatest contribution to software development might be not in helping us write more code, but in helping us improve the quality, security, and compliance of our codebases in real time as we work. 

AI is already in use in limited ways reviewing and validating code. However, like the static code analysis tools that came before them, current AI tools have been limited to checking code against generic, predefined standards. The challenge is that every mature engineering organization has unique and intricate ways of creating software applications. What one team sees as their irrefutable standard, another team might reject outright. 

For AI to add meaningful value in improving software quality for most teams, it must have the same level of understanding as a fully onboarded, senior member of the team. And to become an integral part of software development for mature engineering organizations, it’s imperative for AI to be aware of that team’s standards, best practices, and policies — and explicitly adhere to those guidelines.

A deeply knowledgeable AI that can read your code, review it looking for the unique characteristics your team finds acceptable, and autonomously apply edits to improve quality, security, and compliance is no longer science fiction. 

Tabnine’s first-of-its-kind AI Code Review Agent

We’re proud to introduce Tabnine’s Code Review Agent — a first-of-its-kind AI software validation agent that enables organizations to produce higher quality, more secure code by leveraging and enforcing any given team’s unique best practices and standards for software development. 

Tabnine enables customers to codify their institutional knowledge (e.g., accepted standards for software development, unique best practices, or corporate policies) into rules that can be applied in code review at the pull request or in the IDE. You provide the parameters you’d like to see your code comply with via plain language (no complex setup required) and Tabnine converts this into a set of comprehensive rules (also reviewable via plain language). When developers create a pull request, the Code Review Agent checks the code and information in the pull request against that set of rules. If the code doesn’t conform to your expectations in any way, the agent flags it to the code reviewer and provides guidance and suggested edits to fix the issue.

In addition to each engineering team being able to define its own unique rules, Tabnine is also offering a vast array of predefined rules any team can activate, including commonly used industry standards, as well as language or framework-specific best practices. Tabnine administrators have complete control and can enable or disable specific rules, and set the severity of rules.

Tabnine’s Code Review Agent will also be visible in the IDE. Once the developers invoke the agent, it will check their code against the set of rules and identify deviations directly inside the code editor. A developer can review what’s been flagged to determine the rule that was violated, understand why the code violated the rule, and get suggestions to fix the code. The suggested fixes are offered directly in the code file, along with a diff view that makes it easy to review the suggestions and accept them.

Using a set of rules personalized to each given organization, the Tabnine Code Review Agent sets a new bar for the category. By comprehensively reading through code and ensuring that it matches each team’s unique expectations, Tabnine saves engineering teams significant time and effort while applying a level of rigor in code review that was never possible with static code analysis. Just like AI code generation automates away simpler coding tasks so developers can focus on more valuable tasks, Tabnine’s AI Code Review agent automates common review tasks, freeing up code reviewers to focus on higher-order analysis instead of adherence to best practices. As part of this, Tabnine’s unique approach to personalization allows our agents to behave like an onboarded member of your engineering team steeped in your team’s ways of working.

Getting started with Tabnine’s Code Review Agent

To get started with Tabnine’s Code Review Agent, you first provide it with the standards and practices you want your code to conform to. Ingesting this institutional knowledge is easy: you can provide Tabnine with this information in plain English (such as through documentation, a wiki, or any other written format) and Tabnine will convert it into rules for validating code. Alternatively, if you don’t have documented standards, you can also provide Tabnine with access to selected code repositories to serve as the standard from which to capture patterns. Tabnine extracts the recurring PR comments and other relevant code patterns and converts them into rules for validating code.

Whichever source material you provide, rules are then documented in Tabnine in plain language and are easily vetted, accepted/declined, and editable by a Tabnine administrator to ensure that they’re accurately captured and applied. 

In addition to creating custom rules for your specific organization, Tabnine also provides predefined rules. Tabnine has crafted a set of predefined rules by leveraging various best practices documents, as well as thorough vetting by language-specific experts. We have more than 140 rules for each supported language (half are related to security, while the rest verify the code’s correctness, readability, and performance). Although some rules are generic (e.g., relevant to all Python code), most are library-specific (e.g., Cryptography, SSL, lxml), which ensures that the Code Review Agent validates not only the high-level structure of the code, but also specific functions. 

These are some examples of rules that some of our early customers have applied in their code reviews:

  • Predefined rules
    • “Never send sensitive information (such as usernames, passwords) in the URLs and query parameters as they are not secure. The recommendation is to use headers.”
    • “Only use SHA256 to securely hash data.”
    • “Use timeouts when sending HTTP requests to avoid blocks in the application.”
  • Customer-specific rules
    • “Only use library acme_secure_api_access for accessing external APIs, do not use standard http libraries,” or “Never encrypt data yourself, always use acme_encryption_service.” (These rules use a company-specific service instead of allowing new code to be added that repeats an existing function.)
    • “Never access the users database table directly, use acme_user_service APIs.” (This rule applies another company-specific policy for service reuse.)
    • “Use acme_dropdown components instead of the React standard dropdown component.”
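To make the three predefined rules above concrete, here is an added example that is not part of the original post and is not Tabnine's code (the Code Review Agent is model-based; this is a deliberately simple AST checker). It flags secrets embedded in URL query strings or `params=`, hashlib constructors other than SHA256, and `requests` calls without `timeout=`, and runs over two constructed snippets: a `BEFORE` function that breaks all three rules and an `AFTER` version that satisfies them. The hostname `api.example.com` and the snippet contents are constructed.

```python
from __future__ import annotations
import ast
import re
from dataclasses import dataclass

# Query-parameter names a reviewer would treat as sensitive (constructed list).
SENSITIVE_KEYS = {"username", "user", "password", "passwd", "pwd", "token", "api_key", "secret"}
# requests.<method> calls that should always carry timeout=.
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}
_QUERY_KEY = re.compile(r"[?&]([A-Za-z_]+)=")


@dataclass(frozen=True)
class Finding:
    rule: str      # "url-secret", "hash" or "timeout"
    line: int
    message: str


def _dotted(node: ast.AST) -> str | None:
    """Return 'a.b.c' for an Attribute/Name chain such as requests.get, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _string_pieces(node: ast.AST):
    """Yield the literal text of a plain string or the literal parts of an f-string."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield node.value
    elif isinstance(node, ast.JoinedStr):
        for part in node.values:
            if isinstance(part, ast.Constant) and isinstance(part.value, str):
                yield part.value


class RuleChecker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: list[Finding] = []

    def _flag(self, rule: str, node: ast.AST, message: str) -> None:
        self.findings.append(Finding(rule, node.lineno, message))

    def _check_url_literal(self, node: ast.AST) -> None:
        # Rule 1: a sensitive key name appearing as ?key= or &key= inside a string literal.
        for text in _string_pieces(node):
            for key in _QUERY_KEY.findall(text):
                if key.lower() in SENSITIVE_KEYS:
                    self._flag("url-secret", node, f"{key!r} embedded in URL query string")

    def visit_Constant(self, node: ast.Constant) -> None:
        self._check_url_literal(node)

    def visit_JoinedStr(self, node: ast.JoinedStr) -> None:
        self._check_url_literal(node)
        # Visit only the {expr} parts; the literal parts were just checked.
        for part in node.values:
            if isinstance(part, ast.FormattedValue):
                self.visit(part)

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func) or ""
        kwargs = {kw.arg for kw in node.keywords}

        # Rule 2: any hashlib constructor other than sha256, including hashlib.new("md5").
        if name.startswith("hashlib."):
            algo = name.split(".", 1)[1]
            if algo == "new" and node.args:
                first = node.args[0]
                algo = first.value if isinstance(first, ast.Constant) else "<dynamic>"
            if algo != "sha256":
                self._flag("hash", node, f"uses hashlib {algo}; only SHA256 is allowed")

        # Rule 3: requests.<method>(...) must pass timeout=; also Rule 1 via params={...}.
        if name.startswith("requests.") and name.split(".", 1)[1] in HTTP_METHODS:
            if "timeout" not in kwargs:
                self._flag("timeout", node, f"{name} called without timeout=")
            for kw in node.keywords:
                if kw.arg == "params" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and str(key.value).lower() in SENSITIVE_KEYS:
                            self._flag("url-secret", node, f"{key.value!r} sent as a query parameter")
        self.generic_visit(node)


def check_source(source: str) -> list[Finding]:
    """Parse Python source (not executed) and return rule violations sorted by line."""
    checker = RuleChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: (f.line, f.rule))


# Constructed snippet violating all three rules: secrets in the URL, no timeout, MD5.
BEFORE = '''
import hashlib, requests

def login(user, password):
    # credentials in the query string, unbounded request, weak digest
    resp = requests.get(f"https://api.example.com/login?user={user}&password={password}")
    digest = hashlib.md5(resp.content).hexdigest()
    return resp, digest
'''

# Constructed snippet that satisfies the rules: Basic auth header, timeout, SHA256.
AFTER = '''
import hashlib, requests

def login(user, password):
    resp = requests.post("https://api.example.com/login", auth=(user, password), timeout=5)
    digest = hashlib.sha256(resp.content).hexdigest()
    return resp, digest
'''

if __name__ == "__main__":
    for label, src in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"{label}: {len(check_source(src))} finding(s)")
        for f in check_source(src):
            print(f"  line {f.line} [{f.rule}] {f.message}")
```

The checker never imports or runs the code it reviews; it only walks the syntax tree, which is the safe way to apply such rules in a pull-request hook. The `BEFORE` snippet yields four findings (two query-string secrets, the missing timeout and the MD5 call) and `AFTER` yields none.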

Tabnine administrators have complete control and can enable or disable specific rules, as well as set the severity of rules. 

There’s no limit on the number of rules that you can have, and Tabnine supports all of the most common languages and frameworks — if Tabnine and the variety of LLMs we work with can generate code in that language, then our AI agent can complete the code review. In addition, since the Tabnine AI Code Review Agent reads the code like a human engineer, it vastly reduces the number of both false positives (incorrect error notifications) and false negatives (missed issues) typical of traditional code analysis tools. 

Once the rules are loaded, the Tabnine AI Code Review agent validates the code at every pull request. If Tabnine detects deviations from a specific rule, it flags it to the code reviewer. Tabnine lists the rule that the code violates and provides a description of why the code is deviating from the rule. Most importantly, Tabnine offers suggestions on how to fix the code. The code reviewer can then modify the code and accept the pull request. 

Check out this video to see the Code Review Agent in action.


How to take advantage of Tabnine Code Review Agent

The Code Review Agent is currently in Private Preview and is available to any Tabnine Enterprise customer. Existing Tabnine Enterprise customers should contact our Support team to request early access. 

Not yet a customer? Tabnine’s AI Code Review Agent is just a first step in enabling each engineering team to explicitly control how Tabnine behaves. If you’d like to learn more about how Tabnine is tailored to your team or to participate in this Private Preview as a design partner, we encourage you to reach out to us. 

To learn more about the Code Review Agent, please check out the Docs and attend our Tabnine Live session on November 7 at 8 am PT.