How to Use CodeRabbit for Automated Pull Request Reviews

What you will learn

This guide walks through every step of using CodeRabbit for automated pull request reviews - from creating your account and installing the GitHub or GitLab app to configuring advanced review behavior with .coderabbit.yaml and getting the most value from AI-generated feedback.

CodeRabbit is the most widely adopted AI code review tool, with over 2 million connected repositories and more than 13 million pull requests reviewed. It installs as a native GitHub App (or GitLab, Azure DevOps, and Bitbucket integration) and automatically reviews every pull request within minutes of it being opened. The platform uses large language models to analyze diffs in the context of your full repository, posting human-like review comments that cover logic errors, security vulnerabilities, performance issues, and code style.

By the end of this guide, you will know how to:

• Sign up and connect your repositories to CodeRabbit
• Install the GitHub or GitLab App and configure repository access
• Write a .coderabbit.yaml configuration file with review profiles, path filters, and natural language instructions
• Trigger and interpret your first AI-powered PR review
• Use CodeRabbit’s conversational commands to interact with review comments
• Customize review rules to match your team’s coding standards
• Reduce noise and false positives for a better developer experience

If you are looking for a more concise setup walkthrough, see our How to Setup CodeRabbit guide. For pricing details, check the CodeRabbit Pricing breakdown.

Prerequisites

Before you start using CodeRabbit, make sure you have the following:

• A GitHub, GitLab, Azure DevOps, or Bitbucket account with at least one repository that has active pull request activity
• Admin or owner permissions on the repositories where you want to install CodeRabbit (required to authorize the GitHub App)
• A test pull request or the ability to create one so you can verify the installation is working (optional but strongly recommended)

No other prerequisites are needed. CodeRabbit does not require a CI/CD pipeline, Docker, API keys, or any local tooling. Everything happens through the browser and the native Git platform integration.

Step 1 - Sign up and connect your repository

Navigate to coderabbit.ai and click the “Get Started Free” button. CodeRabbit supports sign-up through four Git platforms:

1. Choose your Git platform - GitHub, GitLab, Azure DevOps, or Bitbucket
2. Authorize CodeRabbit - your platform’s OAuth screen will ask you to grant CodeRabbit permission to read your profile information. Click “Authorize” to proceed
3. Land on the CodeRabbit dashboard - after authorization, you arrive at your central control panel for managing repositories, viewing review activity, and configuring organization-level settings

The free tier requires no credit card and gives you unlimited public and private repositories with AI-powered PR summaries and inline review comments. Rate limits of 3 back-to-back reviews and then 4 reviews per hour apply, but for most small to mid-size teams these limits are rarely hit in practice.

The sign-up process itself takes under two minutes. The OAuth authorization grants CodeRabbit access to your identity, but it does not yet give CodeRabbit access to your repositories - that happens in the next step when you install the platform-specific app.

Step 2 - Install the GitHub or GitLab App

The app installation is the step that connects CodeRabbit to your actual repositories and pull requests. This is separate from the OAuth sign-in you completed in Step 1.

For GitHub users

1. From the CodeRabbit dashboard, click “Add Repositories” or “Install GitHub App”
2. GitHub displays the App installation page showing the permissions CodeRabbit needs:
   • Read access to repository contents, metadata, and pull requests
   • Write access to pull request comments and checks (so it can post review comments)
   • Webhook events for pull request creation and updates (so it knows when to review)
3. Choose your installation scope:
   • All repositories - CodeRabbit automatically reviews PRs on every repository in your organization or account, including future repositories
   • Only select repositories - pick specific repositories from a list and add more later
4. Click “Install” to complete the installation

For organizations, you may need an organization owner to approve the installation. If you see a “Request” button instead of “Install,” the request is sent to your organization owner for approval.

For GitLab users

1. From the CodeRabbit dashboard, select GitLab as your platform
2. Authenticate through GitLab OAuth
3. Select the projects you want CodeRabbit to review
4. CodeRabbit configures webhooks automatically

For Azure DevOps and Bitbucket users

The process follows a similar pattern - authenticate with your platform, authorize CodeRabbit, and select the repositories you want to enable. The .coderabbit.yaml configuration file works identically across all platforms.

Once the app is installed, CodeRabbit is ready to review pull requests. Any new PR opened on an enabled repository will trigger an automatic AI review within minutes.

Step 3 - Configure .coderabbit.yaml

While CodeRabbit works out of the box with sensible defaults, the .coderabbit.yaml configuration file is where you unlock its full potential. This file lives in the root of your repository on the default branch (usually main) and controls every aspect of how CodeRabbit reviews your pull requests.

Create a file named .coderabbit.yaml in your repository root:

# .coderabbit.yaml
language: en-US

reviews:
  profile: chill
  request_changes_workflow: false
  high_level_summary: true
  high_level_summary_placeholder: "@coderabbitai summary"
  auto_title_placeholder: "@coderabbitai"
  poem: false
  review_status: true
  collapse_walkthrough: false
  sequence_diagrams: true
  changed_files_summary: true
  path_filters:
    - "!**/*.lock"
    - "!**/*.generated.*"
    - "!**/dist/**"
    - "!**/node_modules/**"
    - "!**/*.min.js"
    - "!**/coverage/**"
    - "!**/__snapshots__/**"
  path_instructions:
    - path: "src/api/**"
      instructions: |
        Review all API endpoints for:
        - Input validation on all parameters
        - Proper error handling with appropriate HTTP status codes
        - Authentication and authorization checks
        - Rate limiting considerations
    - path: "src/db/**"
      instructions: |
        Review all database code for:
        - SQL injection prevention (parameterized queries only)
        - Proper connection handling and cleanup
        - Transaction usage where multiple writes occur
    - path: "**/*.test.*"
      instructions: |
        For test files, focus on:
        - Test coverage of edge cases
        - Proper assertion usage
        - Mock cleanup and isolation between tests

chat:
  auto_reply: true

knowledge_base:
  opt_out: false
  learnings:
    scope: auto

Commit and push this file to your default branch. CodeRabbit reads the configuration on every new PR and applies your settings immediately - no restart or reinstallation required.

Key configuration options

profile controls the verbosity of CodeRabbit’s reviews:

• chill - fewer comments, focused on significant issues like bugs, security vulnerabilities, and logic errors. Best for teams starting out or those that want minimal noise
• assertive - thorough reviews covering style, naming, documentation, and best practices alongside bugs and security. Best for teams that want comprehensive feedback
• followup - like assertive, but also checks whether previous review comments were addressed in subsequent commits. Best for teams that want accountability

path_filters controls which files CodeRabbit reviews. Use negation patterns (prefixed with !) to exclude files like lock files, build output, generated code, and test snapshots. This is one of the most important settings for reducing noise.

path_instructions lets you provide natural language instructions for specific directories or file patterns. This is CodeRabbit’s most powerful feature - you can tell it exactly what to look for in different parts of your codebase without writing complex rule configurations.

knowledge_base enables CodeRabbit to learn from your repository over time. When enabled, CodeRabbit builds context about your codebase patterns, conventions, and architecture, improving review quality as it learns.

Step 4 - Create your first PR

With CodeRabbit installed and configured, it is time to see it in action. Open a pull request on one of your enabled repositories:

1. Create a new branch in an enabled repository
2. Make a code change - even a small one like adding a function, fixing a bug, or refactoring a method
3. Push the branch and open a pull request targeting your default branch
4. Wait 1 to 5 minutes for CodeRabbit to complete its review

If you want to test immediately but do not have a pending change, create a simple branch with a minor code modification. Any change that touches a file not excluded by your path_filters will trigger CodeRabbit’s review.

What CodeRabbit posts on your PR

After analyzing your PR, CodeRabbit posts several things:

A walkthrough summary appears as the first comment on the PR conversation. It describes what changed across all files, organized by file and purpose. This summary is useful for human reviewers who want to quickly understand the scope of the PR before diving into the diff.

Inline review comments appear on specific lines of code where CodeRabbit identifies potential issues, improvements, or suggestions. Each comment includes a description of the issue, an explanation of why it matters, and often a suggested code fix that you can apply with one click.

A review status indicator shows whether the review is complete and how many comments were generated.

Here is an example of what a typical CodeRabbit walkthrough looks like:

## Walkthrough
This PR adds input validation to the user registration endpoint.
The registerUser function now validates email format, password
strength, and username uniqueness before creating the user record.

## Changes
| File | Change Summary |
|------|---------------|
| src/api/auth.ts | Added validation logic with three new checks |
| src/types/errors.ts | New error code enum and structured error type |
| tests/api/auth.test.ts | Six new test cases covering validation scenarios |

If CodeRabbit does not post any comments within 5 minutes, check the troubleshooting section later in this guide or refer to our CodeRabbit setup troubleshooting for detailed debugging steps.

Step 5 - Review and respond to AI comments

Understanding how to work with CodeRabbit’s review comments is what separates teams that get real value from the tool and teams that treat it as background noise.

Reading inline comments

Each inline comment from CodeRabbit follows a consistent structure:

• Issue description - what the problem or opportunity is
• Context - why this matters in the context of the change
• Suggested fix - when applicable, a concrete code change you can apply

CodeRabbit’s inline comments appear directly on the relevant lines in the GitHub or GitLab diff view, just like comments from a human reviewer. The difference is that they arrive in minutes rather than hours.

Replying to comments

CodeRabbit is conversational. Every comment it posts is the start of a potential dialogue. You can reply directly to any comment, and CodeRabbit will respond with context from the same PR thread:

• Ask for clarification: “Why is this a security issue? We validate the input in the middleware layer before this function is called.”
• Request an alternative: “This approach would break our caching layer. Can you suggest an alternative that preserves the cache key structure?”
• Accept and request the fix: “Good catch. Can you generate the corrected code for this?”
• Provide context: “We intentionally use any here because the type comes from a third-party library that does not export its types.”

Every reply teaches CodeRabbit about your preferences. When you explain why a suggestion does not apply, CodeRabbit stores that as a learning and avoids making the same suggestion in future reviews. Teams that spend two weeks actively replying to and correcting CodeRabbit’s comments typically see a significant drop in false positives by the end of the first month.

Using command keywords

CodeRabbit responds to specific commands posted as PR comments:

Command	What it does
@coderabbitai review	Triggers a full re-review of the PR
@coderabbitai resolve	Dismisses a specific review comment
@coderabbitai explain	Provides a detailed explanation of a finding
@coderabbitai generate docstring	Generates documentation for the function in context
@coderabbitai configuration	Shows the current configuration for the repository
@coderabbitai help	Lists all available commands

The @coderabbitai review command is particularly useful after you push additional commits to a PR. While CodeRabbit automatically re-reviews when new commits are pushed, manually triggering a review ensures it picks up the latest changes immediately.

Applying one-click fixes

On the Pro plan, CodeRabbit generates GitHub suggested changes for many of the issues it identifies. These appear as expandable code blocks within the comment, and you can commit the fix directly from the PR interface with a single click. For routine fixes like null-check additions, missing error handling, or import cleanup, this saves the time of switching to your editor, making the change, and pushing a new commit.

Step 6 - Customize review rules

Once CodeRabbit has reviewed 10 to 20 pull requests on your repository, you will have a clear sense of which suggestions are consistently helpful and which generate unnecessary noise. This is the point where customizing your review rules pays the biggest dividends.

Adding global review instructions

Add a top-level instructions field to your .coderabbit.yaml to guide CodeRabbit’s behavior across all files:

reviews:
  profile: chill
  instructions: |
    This is a Node.js backend service using Express and PostgreSQL.
    We follow these conventions:
    - All async functions must use try/catch with proper error logging
    - Database queries must use parameterized statements
    - API responses must follow our standard envelope format: { data, error, meta }
    - Do not comment on variable naming unless the name is actively misleading
    - Do not comment on import ordering (handled by our linter)
    - Focus on bugs, security issues, and logic errors over style preferences

Global instructions set the tone and prevent false positives on patterns your team has already decided are acceptable. They apply to every file in every PR.

Expanding path-specific instructions

As you identify which directories benefit from specialized review criteria, expand the path_instructions section:

  path_instructions:
    - path: "src/middleware/**"
      instructions: |
        Middleware must:
        - Always call next() or send a response
        - Not modify the request object beyond adding typed properties
        - Include error handling that passes errors to the error middleware
    - path: "src/migrations/**"
      instructions: |
        Database migrations must:
        - Be reversible (include both up and down functions)
        - Not drop columns or tables without a data migration step
        - Use transactions for multi-step changes
    - path: "*.config.*"
      instructions: |
        Configuration files should be reviewed for:
        - Hardcoded secrets or credentials (flag immediately)
        - Environment-specific values that should use env variables
        - Reasonable default values

Switching from chill to assertive

If your team finds the chill profile too quiet after the initial adjustment period, switch to assertive while adding exclusions for the specific categories of comments that generate noise:

reviews:
  profile: assertive
  instructions: |
    Do not comment on:
    - Import ordering (handled by our linter)
    - Line length (handled by Prettier)
    - Missing JSDoc comments on internal functions
    Focus extra attention on:
    - Error handling completeness
    - Security vulnerabilities
    - Performance in database queries and loops
    - Missing input validation on user-facing endpoints

This gives you the breadth of assertive mode while filtering out feedback that your other tools already handle. The combination of a strict review profile with well-tuned exclusion instructions produces the best signal-to-noise ratio.

Integrating with Jira or Linear

On the Pro and Enterprise plans, CodeRabbit can read linked Jira or Linear issues to understand the context of a PR. When it knows the ticket description and acceptance criteria, it can validate whether the PR actually addresses the requirements:

integrations:
  jira:
    enabled: true
    project_keys:
      - "BACKEND"
      - "FRONTEND"
  linear:
    enabled: true

This context-aware review catches a category of issues that pure code analysis misses - cases where the code works correctly but does not actually solve the problem described in the ticket.

Tips for getting the most out of CodeRabbit

After covering the step-by-step setup and configuration, here are the practices that separate teams that love CodeRabbit from teams that abandon it after a month.

Start with the chill profile and increase strictness gradually. The worst outcome is overwhelming your team with comments on the first day and having developers permanently tune out all automated feedback. Begin with chill, build trust in the tool over two to four weeks, and then switch to assertive if the team wants more comprehensive feedback.

Write descriptive PR titles and descriptions. CodeRabbit uses the PR title and description as context for its review. A PR titled “fix bug” gives CodeRabbit almost nothing to work with. A PR titled “Fix race condition in user session cleanup during concurrent logout requests” with a description of the problem helps CodeRabbit provide targeted and relevant feedback.

Keep pull requests small and focused. CodeRabbit - like human reviewers - provides better feedback on focused PRs. A PR that changes 50 lines across 3 files gets more precise comments than a PR that changes 2,000 lines across 40 files. Aim for PRs under 400 lines of changed code whenever possible.

Reply to comments instead of silently dismissing them. Every reply teaches CodeRabbit about your team’s preferences and conventions. A team that spends two weeks actively correcting false positives ends up with a tool that is far more accurate than a team that silently ignores everything. Use @coderabbitai resolve with a brief explanation when dismissing a comment.

Exclude files that do not benefit from AI review. Lock files, build output, auto-generated code, test snapshots, and vendored dependencies will generate noise without providing value. Configure path_filters in your .coderabbit.yaml to exclude them from the start.

Use CodeRabbit alongside static analysis tools, not instead of them. CodeRabbit catches logic errors, design issues, and contextual problems that rule-based tools miss. Static analysis tools like SonarQube and Semgrep provide deterministic bug detection, security scanning, and quality gate enforcement that AI review cannot replace. The strongest review setup uses both layers together. Our guide on how to automate code reviews covers this three-layer approach in detail.

Review the CodeRabbit dashboard monthly. The dashboard shows metrics like review activity, common issue types, and resolution rates. Use these insights to adjust your .coderabbit.yaml configuration and identify areas of your codebase that generate the most review findings.

Encourage your team to interact with CodeRabbit. The conversational interface is one of CodeRabbit’s strongest features. Developers who reply to comments, ask follow-up questions, and request explanations get significantly more value than those who just read and move on. Share examples of useful CodeRabbit catches with the team to build confidence in the tool.

Alternatives to CodeRabbit

While CodeRabbit is the most widely adopted AI code review tool, it is not the only option. Depending on your team’s requirements around pricing, self-hosting, platform support, or specialized features, one of these alternatives may be a better fit.

CodeAnt AI is a Y Combinator-backed platform that combines AI-powered PR reviews with SAST scanning, secrets detection, IaC security, and DORA metrics in a single tool. Pricing starts at $24/user/month for the Basic plan (AI PR reviews, summaries, and auto-fix suggestions) and $40/user/month for the Premium plan (adds SAST, secrets detection, IaC security, and engineering dashboards). CodeAnt AI is a strong choice for teams that want AI code review bundled with security scanning in one platform rather than assembling separate tools.

PR-Agent by Qodo is the leading open-source alternative. It can be self-hosted using your own LLM API keys (OpenAI, Anthropic, Azure OpenAI), giving teams full control over where their code is processed. The trade-off is setup complexity and the need to manage LLM API costs directly.

GitHub Copilot includes native code review capabilities built into the GitHub interface for teams on Copilot Enterprise at $39/user/month. The advantage is zero-configuration native integration, but it only works on GitHub and offers less customization than CodeRabbit.

Sourcery focuses on Python-first AI code review with strong refactoring suggestions at $24/user/month for teams. It is the best option for Python-heavy teams that want deep refactoring analysis.

For a detailed comparison of all options, see our CodeRabbit Alternatives guide and our roundup of the Best AI Code Review Tools in 2026.

Troubleshooting common issues

Even with a straightforward setup, you may run into situations where CodeRabbit does not behave as expected. Here are the most common issues and how to resolve them.

CodeRabbit is not reviewing pull requests

Check these causes in order:

1. The GitHub App may not be installed on the repository. Go to your GitHub organization or account settings, then Applications, and verify that CodeRabbit has access to the repository
2. The repository may be disabled in the CodeRabbit dashboard. Log in to app.coderabbit.ai and verify the repository is toggled on
3. The PR may be a draft. CodeRabbit skips draft pull requests by default. Either mark the PR as ready for review or configure CodeRabbit to review drafts in the dashboard settings
4. All changed files may be excluded by path_filters. If your .coderabbit.yaml excludes every path that changed in the PR, CodeRabbit has nothing to review
5. You may have hit rate limits. On the free tier, reviews are limited to 4 per hour. Queued reviews will process when capacity is available

CodeRabbit posts too many comments

1. Switch the review profile to chill if you are on assertive or followup
2. Add path_filters to exclude generated files, lock files, and build artifacts
3. Add global instructions telling CodeRabbit what not to comment on
4. Reply to unhelpful comments with explanations so CodeRabbit learns your preferences

YAML configuration is not taking effect

1. Verify the file name is exactly .coderabbit.yaml - not .coderabbit.yml and not coderabbit.yaml
2. Verify the file is in the repository root, not in a subdirectory
3. Verify the file is on the default branch. CodeRabbit reads configuration from the default branch, not from the PR branch
4. Validate the YAML syntax using a YAML validator to check for indentation errors
5. Trigger a re-review by commenting @coderabbitai review on a PR

Conclusion

CodeRabbit is one of the fastest ways to add AI-powered code review to your development workflow. The combination of a generous free tier, one-click GitHub App installation, and the .coderabbit.yaml configuration file means you can go from zero to fully customized automated PR reviews in under 30 minutes.

The key to long-term success with CodeRabbit is treating it as a team member rather than a static tool. Start with the chill profile, actively reply to comments during the first two weeks, tune your path_filters and path_instructions based on real review feedback, and gradually increase the review strictness as the team builds trust.

For teams that want to layer CodeRabbit with additional review automation, our guide on how to automate code reviews covers the three-layer approach of linting, static analysis, and AI review. For a deep dive into CodeRabbit’s features and whether it is the right tool for your team, see our CodeRabbit Review.