Automated Code Reviews helps you identify, block and fix security and quality issues across code and configuration in Pull Requests (PRs) in your pipeline. It does this with a configurable ruleset, aligned to Salesforce's Well-Architected framework and OWASP top 10 vulnerabilities.
Getting set up with Automated Code Reviews
Automated Code Reviews is currently available only on team-shared pipelines.
To enable Automated Code Reviews, go to your Pipeline and open an existing PR.
Expand the Automated Code Reviews section and click Get Started. This will create your Code Reviews workspace and kick off a one-time baseline scan of your repository.
Code Reviews needs to do a single baseline scan before it can start giving you feedback on PRs. This initial scan will start automatically and might take a while depending on how big your repository is. We'll send an email and an in-product notification when it's done and ready to go, so you don't need to wait for this to complete.
Once the baseline scan has finished, Code Reviews will automatically scan any new PRs, and any new commits to PRs, that you promote to your chosen pipeline environment. When the scan is done, you'll see a summary of any issues found.
Understanding the results
Once the baseline scan has completed, you'll see that all PRs now show a quick overview of the scan on the pipeline environment screen. This shows you the total number of issues found in each PR, broken down by Critical, Error, and Warning.
This new tab in pipelines gives you a list of every issue found in the PR, grouped by the rules they relate to. You can expand a rule to see the individual issues, and clicking on an issue shows you a preview of where it is in the code.
To narrow down the list, use the filters on the left side of the screen. You can filter by severity level to show just the issues that matter most to you.
If you want more information about the issues raised, you can always visit the main Code Reviews app for the full picture. Just click View in app to open it in a new tab.
For more information on understanding scan results in the Code Reviews app, see this guide.
For a complete overview of the rules, what they flag, and how to fix violations, see this guide.
How to dismiss issues
In some cases, Code Reviews may flag an issue that you want to exclude from the results. This can happen if the behavior is intentional, part of a test, or identified as a false positive.
To dismiss an issue, simply select it and choose the dismiss option. When dismissing an issue, you will be required to provide a reason and add a comment explaining your decision.
This information is recorded for auditing purposes. Additionally, any issues marked as false positives are reported to Code Reviews to enhance the accuracy and quality of its analysis over time.
You can dismiss issues by clicking the Dismiss button; you'll then be able to select which issues you'd like to dismiss:
Once the issues have been selected, click Dismiss issues, select the reason for dismissal from the drop-down menu, and then click Dismiss issues again to confirm your action.
Once this is done, you should see the issue disappear from your PR scan results.
Note: Dismissing an issue applies at the project level and removes the issue from all reports, branches, and PRs. For repositories, this takes effect when the commit that introduced the dismissed issue reaches the main branch; the issue then remains dismissed in all future branches and PRs.
How to create an Autofix PR
The Code Reviews Autofix feature helps streamline your code review process by automatically identifying and fixing certain issues in your code. It reduces manual effort by creating pull requests (PRs) for changes that are considered safe to apply automatically. It's important to note that not all rules support Autofix.
Select the rule and then click Create Autofix PR. You'll then see a summary of the rules and issues that will be fixed:
If everything looks good, go ahead and click Create Autofix PR.
The Autofix PR will then be generated and you'll see an Autofix Bot icon in pipelines next to your original developer sandbox. You can click on it to check its details and Apply fixes:
For more information about how Autofix in pipelines works, read this guide.
Quality gates
Code Reviews integration with pipelines lets you prevent pull requests (PRs) from being promoted if they have issues. This is managed using branch protection rules in your Version Control System (VCS), which act as quality gates before changes can be merged or deployed. You can also use protection mode to control how strictly these rules are enforced, depending on your workflow.
The setup process varies by VCS, so we provide separate guides for each supported platform.
Create a quality gate with Azure DevOps
Create a quality gate with Bitbucket
Create a quality gate with GitHub
Create a quality gate with GitLab
Status checks
Unlike PR scan results, which focus only on the changes introduced in the pull request (PR), status checks evaluate the full revision. This means they can fail due to existing issues in the codebase, not just new ones.
Status checks let you enforce Code Reviews results as part of your PR workflow. Once configured in your VCS, they act as quality gates that must pass before a PR can be merged or promoted.
For more information on setting up status checks, see this guide: Using the PR Review Status Check for Quality Gating.
To learn more about the difference between status checks and PR scan results, see: Understanding Status Checks vs Code Review PR Reviews.
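The quality gate and status check sections above describe the mechanism in general terms: the VCS branch protection rule names a required status check, and the PR cannot merge until that check passes on the full revision. The following is an added example, not code from this documentation or from the Code Reviews product, showing what such a rule looks like for GitHub's branch protection REST API (`PUT /repos/{owner}/{repo}/branches/{branch}/protection`) and how the gate decision behaves. The status check context name `code-reviews/pr-review` and the `OWNER`/`REPO` values are placeholders; take the real check name from the check that Code Reviews reports on your PRs.

```python
"""Assemble, and optionally apply, a GitHub branch protection rule that requires a
Code Reviews status check before a PR can be merged.

Added example; not part of the documentation page or the product. The status
check context name is a placeholder: use the exact name of the check that
Code Reviews posts on your PRs."""
import json
import os
import urllib.request

# Placeholder context name (hypothetical); replace with the check name shown on your PRs.
CODE_REVIEWS_CHECK = "code-reviews/pr-review"


def build_protection_payload(contexts, strict=True, required_reviews=1):
    """Return the JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.

    strict=True requires the PR branch to be up to date with the base branch before
    merging, so the check result reflects the revision that would actually land
    (status checks evaluate the full revision, not only the PR diff)."""
    if not contexts:
        raise ValueError("at least one required status check context is needed")
    return {
        "required_status_checks": {"strict": strict, "contexts": list(contexts)},
        "enforce_admins": True,  # administrators cannot bypass the gate
        "required_pull_request_reviews": {
            "required_approving_review_count": required_reviews
        },
        "restrictions": None,  # no push restrictions
    }


def gate_blocks_merge(check_results, required_contexts):
    """Model the VCS decision: merging is blocked unless every required context
    reports 'success'. check_results maps context name -> reported state;
    a missing or pending check blocks just like a failed one."""
    return any(check_results.get(ctx) != "success" for ctx in required_contexts)


def apply_protection(owner, repo, branch, payload, token):
    """Send the rule to GitHub. Needs a token with admin rights on the repo.
    Returns the HTTP status code."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{owner}/{repo}/branches/{branch}/protection",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    payload = build_protection_payload([CODE_REVIEWS_CHECK])
    print(json.dumps(payload, indent=2))
    # Constructed sample check states, as the VCS would see them on two PRs.
    print(gate_blocks_merge({CODE_REVIEWS_CHECK: "failure"}, [CODE_REVIEWS_CHECK]))  # True
    print(gate_blocks_merge({CODE_REVIEWS_CHECK: "success"}, [CODE_REVIEWS_CHECK]))  # False
    token = os.environ.get("GITHUB_TOKEN")
    if token:  # only talks to GitHub when a token is supplied
        status = apply_protection("OWNER", "REPO", "main", payload, token)
        print("branch protection applied, HTTP", status)
```

Run without `GITHUB_TOKEN` set to print the payload and the two gate decisions; with a token, the same payload is applied to the `main` branch of the placeholder repository. Keep `enforce_admins` enabled: a gate that administrators can bypass is not a gate.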
Further guidance
Setting up Code Reviews gives you greater visibility into the changes you are promoting through your pipeline and the impact those changes may have on your org. There are multiple ways to configure Code Reviews and quality gates, so you can tailor the setup to match your team's workflow and level of control.
If you need help understanding these features or setting them up, you can contact support through the in-app chat.