Tom Arnold

We've been using CodeRabbit for the last 9 months as part of our PR review process in Github, and so far, I'm a happy customer. I've personally learned a lot from CR's feedback, as well as its strengths and weaknesses. BLUF: CR does provide a lot value, but only when you're able to separate the legitimate issues from bad suggested fixes. As with anything produced by AI, validation is extremely important. CodeRabbit is not infallible and will produce false positives. To address this, our implementation orchestration agents monitor new PRs and run a /rabbit skill that processes all CR reported issues through a multi-phase multi-agent validation and adversarial review workflow. Here's what we've learned from our freshest batch of 58 CodeRabbit scorecards we've produced over the last few weeks: 1. The 58 scorecards contained 227 findings (issues and nitpicks reported by CR.) ~71% of the findings were judged to be valid and received fixes. 2. If we break things down further between CR issues and nitpicks, we've seen a false positive rate of 26.8% for issues, and 51.6% for nitpicks. Even though nitpicks had a noisier FP rate, they did help expose real weaknesses in our code, stale-comments, artifacts, and repo-convention problems. 3. Some of the highest value CR findings were solid boundary/contract issues: * auth/tenant/RBAC gaps * API/OpenAPI drift * DB/RLS invariants * race/idempotency bugs * test/mock parity failures 4. False positive patterns observed: * "Issue" already handled elsewhere * contradictions to repo conventions * misunderstanding of test intent * generic repo-wide heuristic warnings 5. Our /rabbit workflow currently has Opus & Sonnet performing an objective review and an adversarial review. Obj/adversarial reviews agreed 83.7% of the time. Interestingly, in disagreements, the judging agent (Opus) split between the obj and adversarial agents at 50%. 17 objective / 17 adversarial. 6. Reviewer consensus was highly predictive: when objective + adversarial reviews agreed, the judge matched consensus 99.4% of the time. 7. We saw ~156 valid CR findings. In the subset with explicit fix verification, 129/130 remediations were verified. *Fixes for some valid findings were deferred as "won't-fix", addressed later, or weren't successfully logged/tracked by our /rabbit workflow. 8. We need to continually analyze and improve the consistency and reliability of our agentic logging, especially when a new model releases. The most interesting negative result to me: I expected PR size to be predictive of higher false positives rates. So far, my assumption is wrong. In this batch of scorecards, CR false positive rates did NOT reliably increase with PR size. Additional CR Scorecard PR context: - Median PR size: 1,233 changed loc - Min: 6 - Max: 12,916 (docs/archive) Over the last month we've created over 150 PRs. Not all PRs returned CR reported issues triggering a /rabbit review and scorecard. With proper validation CR has helped prevent shipping a lot of bad bugs that slipped past our pre-commit review agents, saving a significant amount of time/money