Set up automated code review for your repository using the Factory GitHub App. Droid will analyze pull requests, identify issues, and post feedback as inline comments.
[Screenshot: Factory Droid bot posting a code review summary with issues found]
[Screenshot: Factory Droid bot posting an inline code review comment on specific lines]

Setup

Use the /install-code-review command to set up automated code review for GitHub or GitLab:
droid
> /install-code-review
The guided flow will:
  1. Detect your SCM platform (GitHub or GitLab)
  2. Verify prerequisites (CLI tools, permissions)
  3. Walk you through review configuration (depth, security, triggers)
  4. Create a PR/MR with the workflow files
You can also use /install-github-app for GitHub-only setup. For detailed setup instructions, see the GitHub App installation guide.

How it works

Once enabled, the Droid Review workflow:
  1. Triggers on pull request events (opened, synchronize, reopened, ready for review)
  2. Skips draft PRs to avoid noise during development
  3. Fetches the PR diff and existing comments
  4. Analyzes code changes for bugs, security issues, and correctness problems
  5. Posts inline comments on problematic lines
  6. Submits an approval when no issues are found

Review depth

The review_depth input controls the thoroughness and cost of each review. You choose the depth during /install-code-review setup, or set it directly in your workflow.
  • deep (default) — Thorough analysis with higher reasoning effort. Catches more subtle bugs but costs more per review. Best for production code and security-sensitive repos.
  • shallow — Faster, more cost-effective reviews that cover surface-level issues. Good for high-volume repos, draft PRs, or teams watching spend.
with:
  automatic_review: true
  review_depth: deep  # or shallow
You can also override the model or reasoning effort directly with review_model and reasoning_effort, which take precedence over the depth preset.

Security review

Security review runs a STRIDE-based analysis alongside (or instead of) the standard code review. It uses a dedicated security-reviewer subagent that scans for spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege vulnerabilities.

Enabling automatic security review

Add automatic_security_review: true to your workflow. When both automatic_review and automatic_security_review are enabled, the security reviewer runs as a parallel subagent during the code review pass:
with:
  automatic_review: true
  automatic_security_review: true
The security review findings are included in the same PR comment, appended as a Security Review Summary section with its own severity ratings.

On-demand security review

You can also trigger a security review manually by commenting on any PR:
@droid security
For a full repository security scan that creates a dedicated report:
@droid security --full
The --full scan creates a new branch (droid/security-report-{date}), generates a report at .factory/security/reports/security-report-{date}.md, and opens a PR with the findings.

Security configuration

Input | Default | Description
automatic_security_review | false | Run security review automatically on every PR
security_model | (inherits from review_model) | Model for security analysis
security_severity_threshold | medium | Minimum severity to report: critical, high, medium, low
security_block_on_critical | true | Submit REQUEST_CHANGES on critical findings
security_block_on_high | false | Submit REQUEST_CHANGES on high findings
security_notify_team | (empty) | GitHub team to @mention on critical findings (e.g., @org/security-team)

Scheduled security scans

Run periodic full-repository scans on a schedule by adding a cron trigger to your workflow:
name: Security Scan
on:
  schedule:
    - cron: '0 6 * * 1'  # Every Monday at 6am

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: Factory-AI/droid-action@v3
        with:
          security_scan_schedule: true
          security_scan_days: 7  # Scan commits from the last 7 days

What Droid reviews

The automated reviewer focuses on clear bugs and issues:
  • Dead/unreachable code
  • Broken control flow (missing break, fallthrough bugs)
  • Async/await mistakes
  • Null/undefined dereferences
  • Resource leaks
  • SQL/XSS injection vulnerabilities
  • Missing error handling
  • Off-by-one errors
  • Race conditions
It skips stylistic concerns, minor optimizations, and architectural opinions.

Customizing the workflow

After the workflow is created, you can customize it by editing .github/workflows/droid-review.yml in your repository.

Change the trigger conditions

Modify when reviews run:
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      - 'src/**'  # Only review changes in src/
      - '!**/*.test.ts'  # Skip test files

Custom review guidelines

Add repository-specific review guidelines by creating a .factory/skills/review-guidelines/SKILL.md file in your repo:
<!-- .factory/skills/review-guidelines/SKILL.md -->

Additional checks for this codebase:
- React hooks rules violations
- Missing TypeScript types on public APIs
- Prisma query performance issues
These guidelines are automatically picked up and injected into every review run. No workflow changes needed.

Change the model

Use a different model for reviews:
droid exec --auto high --model claude-sonnet-4-5-20250929 -f prompt.txt
# Or use a faster model for quicker feedback:
droid exec --auto high --model claude-haiku-4-5-20251001 -f prompt.txt

Skip certain PRs

Add conditions to skip reviews for specific cases:
jobs:
  code-review:
    # Skip bot PRs and PRs with [skip-review] in title
    if: |
      github.event.pull_request.draft == false &&
      !contains(github.event.pull_request.user.login, '[bot]') &&
      !contains(github.event.pull_request.title, '[skip-review]')
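Putting the customizations above together, here is an added example of a complete droid-review.yml (written for this page, not taken from the Factory docs or the action's own repository) that combines the trigger filters, the skip condition, the deep review preset and a blocking security review. It assumes the job needs only the two token permissions shown; any Factory authentication secret configured by the installation guide is not shown here, and the team name is a placeholder.

```yaml
# .github/workflows/droid-review.yml
name: Droid Review

on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    paths:
      - 'src/**'          # review application code only
      - '!**/*.test.ts'   # skip test files

# Least-privilege token (assumed minimum): read the checkout,
# post review comments. Widen only if the action reports a
# missing permission.
permissions:
  contents: read
  pull-requests: write

jobs:
  code-review:
    # Skip drafts, bot-authored PRs, and PRs opted out via [skip-review]
    if: |
      github.event.pull_request.draft == false &&
      !contains(github.event.pull_request.user.login, '[bot]') &&
      !contains(github.event.pull_request.title, '[skip-review]')
    runs-on: ubuntu-latest
    steps:
      - uses: Factory-AI/droid-action@v3
        with:
          # Standard review: deep preset with suggestion blocks
          automatic_review: true
          review_depth: deep
          include_suggestions: true
          # STRIDE security pass, run in parallel with the code review
          automatic_security_review: true
          security_severity_threshold: high   # report high and critical only
          security_block_on_critical: true    # REQUEST_CHANGES on critical
          security_block_on_high: true        # also block on high findings
          security_notify_team: '@org/security-team'   # placeholder team
```

Raising security_severity_threshold to high keeps medium and low findings out of the PR comment, while security_block_on_high turns every high finding into a blocking review rather than an advisory one.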

Limit comment count

Adjust the maximum number of comments in the prompt:
Guidelines:
- Submit at most 5 comments total, prioritizing the most critical issues

All workflow inputs

Input | Default | Description
automatic_review | false | Automatically review PRs without @droid review
review_depth | deep | Review preset: deep (thorough) or shallow (fast)
review_model | (from depth) | Override model for code review
reasoning_effort | (from depth) | Override reasoning effort
include_suggestions | true | Include code suggestion blocks in comments
automatic_security_review | false | Run security review on every PR
security_model | (from review_model) | Override model for security review
security_severity_threshold | medium | Minimum severity to report
security_block_on_critical | true | Block PRs on critical findings
security_block_on_high | false | Block PRs on high findings
security_notify_team | (empty) | Team to @mention on critical findings
security_scan_schedule | false | Enable scheduled full-repo scans
security_scan_days | 7 | Days of commits to scan