Can AI code review catch async and await problems in .NET?

Yes. AI review tools are good at catching sync-over-async patterns such as .Result, .Wait(), and GetAwaiter().GetResult(), as well as other common async mistakes that can reduce throughput or create reliability issues in .NET applications.

Code Review 18 de May de 2026

.Net Code Review: Best Practices and AI Tools (2026)

Q: What is the best AI code review tool for .NET?

It depends on the goal. GitHub Copilot and CodeRabbit work well for pull request summaries and line-level suggestions. Kodus is a better fit when the team wants repository-level context, natural-language custom rules, external context, and more control over how the review workflow works.

Q: Does Kodus work with .NET?

Yes. Kodus works with any language and fits well with .NET solutions that span multiple projects. Its repository-level context and rule system make it useful for C#, ASP.NET Core, and Entity Framework Core codebases.

Q: Are there free code review tools for .NET?

Yes. Several AI code review tools offer free plans, trials, or free options for open source projects and small teams. That usually makes it possible to test the review workflow before moving to a paid plan.

Q: Are there self-hosted options for .NET reviews?

Yes. Kodus is the most complete self-hosted option in this comparison. It combines self-hosted deployment, BYOK by default, open source code, and freedom to choose the model and provider, which gives teams more control over infrastructure, privacy, and governance.

Edvaldo Freitas

A good .NET code review process should do more than just quality control. It can be a way to transfer knowledge, reduce risk, and keep the architecture coherent. For many teams, though, it is just a bottleneck. Pull requests sit idle, feedback becomes inconsistent, and senior engineers burn out fixing typos instead of evaluating design decisions. The standard review process simply does not scale with today’s .NET applications.

The main problem is divided attention. A human reviewer has to switch between finding style guide violations, looking for common bugs such as poor async patterns, and thinking about the architectural impact of a change. AI tools can automate the first two jobs, leaving engineers free to focus on architecture, where their experience actually matters.

Why code review in .NET is different

Reviewing .NET code is different from reviewing code in other languages. C# is expressive and often gives you several ways to solve the same problem, which leads to inconsistency if you do not have clear standards. The .NET Base Class Library (BCL) is huge, and it takes experience to know which APIs are better for performance and memory usage.

On top of that, frameworks like ASP.NET Core and Entity Framework Core add their own layers of abstraction. A change that looks good in isolation can generate terrible SQL queries or slow down the middleware pipeline. A good review requires understanding how the code interacts with the runtime and the framework, not just the code itself.

Best practices for .NET code review

Correct behavior

Does the code do what the change promises to do, including error, timeout, cancellation, and edge cases? In .NET, this matters a lot for async flows, external integrations, and public API contracts.

Maintainability

Six months from now, will someone on the team understand this code without opening four files and guessing the intent? Oversized classes, vague names, too many dependencies, and mixed responsibilities tend to become expensive in C#.

Performance

Are there obvious signs of unnecessary cost? This includes blocking async calls, poor EF Core queries, bad projections, avoidable allocations in hot paths, and careless use of serialization or I/O.

Security

Does the change create room for a known problem? Unvalidated input, exposed secrets, loose authorization, logs with sensitive data, and new endpoints without proper access control still show up often.

Architectural cohesion

Does the change respect the way this system is already organized? Does it belong in this service, this layer, and this boundary? In larger .NET codebases, this matters a lot because it is easy to solve a local problem while creating structural mess elsewhere.

When these criteria are clear, feedback improves a lot. Instead of isolated comments, reviewers can explain why something needs to change.

A practical .NET code review checklist

A checklist systematizes the review process and helps make sure common issues are not missed. It should be a living document, updated as the team learns and the codebase changes.

Architecture and design

responsibility of the change: does this class, method, or handler have a clear responsibility, or is it mixing business logic, data access, and external integration?
architectural cohesion: does the change belong in this service, project, and layer? Does it follow the patterns already used by the codebase, or does it create a deviation that will be hard to maintain?
dependency management: are dependencies coming through dependency injection in the right way? Does the lifetime make sense? Is there unnecessary coupling to concrete implementations?
configuration and secrets: are critical configurations strongly typed and validated? Do secrets come from a secure source instead of code or a versioned file?
error handling: are exceptions handled consistently? Does the code distinguish expected errors, domain errors, and unexpected failures? Do logs help with investigation without leaking sensitive information?

C# and .NET specifics

async/await usage: is the flow async end-to-end when there is I/O? Look for .Result, .Wait(), and .GetAwaiter().GetResult() in controllers, handlers, jobs, and consumers. In ASP.NET Core, this often turns into blocking and lower throughput.
cancellation: is CancellationToken being propagated to the database, HTTP, storage, and queues when the operation can be canceled?
LINQ and EF Core queries: is the query executed only when needed? Is there premature materialization with .ToList() or .ToArray()? Is there a risk of N+1, lazy loading in a hot path, unnecessary tracking, or poor projection?
resource management: are disposable objects, such as streams, HTTP responses, and readers, being disposed of correctly? Does the code avoid unnecessary resource retention?
allocations and hot paths: in critical paths, does the code avoid unnecessary allocations, repeated string concatenation, large payload copying, and excessive serialization?

API and ASP.NET Core pipeline

HTTP contract: do the route, verb, status code, and payload make sense for the case? Does the endpoint make it clear what happens on success, validation error, not found, and conflict?
input validation: is all external input treated as untrusted and validated before use?
middleware and pipeline: do changes in Program.cs or in the HTTP pipeline respect the correct order of routing, CORS, authentication, and authorization? Is any custom middleware doing too much work?

Security

authorization: does the new endpoint or operation require authentication and authorization at the right level? Is access protected by the appropriate policy, role, or rule?
data access: does the code avoid SQL injection, unsafe concatenation, and uncontrolled dynamic execution? In EF Core, is the query being built safely?
sensitive data: do secrets, tokens, connection strings, and personal information stay out of code, versioned config, exceptions, and logs?
output and rendered content: in applications with rendered HTML, is output encoding preserved to avoid XSS?

Testing and operations

coverage for the change: does the new endpoint, critical query, or important rule have a test at the right level?
observability: if this fails in production, can the team investigate it? Do logs, metrics, and traces carry enough context?
operational impact: does the change alter timeouts, retries, queues, cache, health checks, or behavior under load without making that clear?

Common .NET problems that AI finds

Static analysis tools can find some of these things, but they often do not have enough context to catch subtle problems. AI tools analyze code in a different way. They can recognize anti-patterns by understanding what the developer was trying to do and how data flows through the application. They can automate a good part of the checklist above.

Here are a few examples of common .NET problems that AI reviewers tend to catch well.

1. Blocking async code

A classic mistake that can lead to thread pool exhaustion and deadlocks in server applications.

Before:

public class UserController : ControllerBase
{
    private readonly IUserService _userService;

    public UserController(IUserService userService)
    {
        _userService = userService;
    }

    [HttpGet("{id}")]
    public ActionResult<User> GetUser(int id)
    {
        // This blocks the request thread, waiting for the async operation.
        var user = _userService.GetUserByIdAsync(id).Result; 
        if (user == null)
        {
            return NotFound();
        }
        return Ok(user);
    }
}

After, AI suggestion:

public class UserController : ControllerBase
{
    private readonly IUserService _userService;

    public UserController(IUserService userService)
    {
        _userService = userService;
    }

    [HttpGet("{id}")]
    public async Task<ActionResult<User>> GetUser(int id)
    {
        var user = await _userService.GetUserByIdAsync(id);
        if (user == null)
        {
            return NotFound();
        }
        return Ok(user);
    }
}

AI tools can trace the call chain and flag the synchronous call over async code as a high-risk pattern, suggesting the correct implementation with async/await.

2. Inefficient queries with Entity Framework Core

Loading a full dataset into memory before filtering is a common problem that destroys performance.

Before:

public async Task<List<ProductDto>> GetActiveProducts(string category)
{
    // Pulls ALL products from the database into memory first.
    var allProducts = await _context.Products.ToListAsync(); 

    // Then filters in-memory.
    return allProducts
        .Where(p => p.IsActive && p.Category == category)
        .Select(p => new ProductDto { Name = p.Name, Price = p.Price })
        .ToList();
}

After, AI suggestion:

public async Task<List<ProductDto>> GetActiveProducts(string category)
{
    // Builds a SQL query with a WHERE clause, only fetching needed data.
    return await _context.Products
        .Where(p => p.IsActive && p.Category == category)
        .Select(p => new ProductDto { Name = p.Name, Price = p.Price })
        .ToListAsync();
}

An AI with context can recognize that _context.Products is an EF Core IQueryable and that calling .ToListAsync() immediately is almost always a mistake. It understands the semantics of deferred execution.

3. Improper use of HttpClient

Instantiating HttpClient inside a using block is a well-known anti-pattern that can lead to socket exhaustion.

Before:

public async Task<string> GetExternalData()
{
    using (var client = new HttpClient())
    {
        var response = await client.GetStringAsync("https://api.example.com/data");
        return response;
    }
}

After, AI suggestion using IHttpClientFactory:

// In Startup.cs or Program.cs
services.AddHttpClient();

// In the service class
public class MyService
{
    private readonly HttpClient _client;

    public MyService(IHttpClientFactory clientFactory)
    {
        _client = clientFactory.CreateClient();
    }

    public async Task<string> GetExternalData()
    {
        var response = await _client.GetStringAsync("https://api.example.com/data");
        return response;
    }
}

AI tools can identify this pattern and suggest a refactor to use IHttpClientFactory, which is the standard practice in .NET applications for managing the lifecycle of HttpClient instances.

4. Forgetting to dispose IDisposable resources

A simple mistake that can lead to resource leaks.

Before:

public void WriteToFile(string filePath, string text)
{
    var stream = new FileStream(filePath, FileMode.Create);
    var writer = new StreamWriter(stream);
    writer.Write(text);
    writer.Flush();
    // stream.Close() and writer.Close() are never called if an exception occurs.
}

After, AI suggestion:

public void WriteToFile(string filePath, string text)
{
    using var stream = new FileStream(filePath, FileMode.Create);
    using var writer = new StreamWriter(stream);
    writer.Write(text);
}

This is a direct check that advanced linters can also perform, but AI tools can suggest the more modern C# syntax, with using declarations, for the fix.

Best AI code review tools for .NET

The market for AI code review tools is growing. Although many tools offer generic language support, their effectiveness in .NET varies. A tool’s understanding of the CLR, BCL, and common frameworks like ASP.NET Core is what separates a useful assistant from a noisy one.

Here is a comparison of several tools and how they apply to .NET development.

Kodus

Kodus is the best option for .NET teams when the goal is to improve review inside a real codebase, not just add an AI commenting on pull requests. In C# and ASP.NET Core projects, many problems depend on context: incorrect use of async/await, poor Entity Framework queries, authorization rules spread across the codebase, services that are too large, or changes that drift away from internal architectural patterns. This is where Kodus stands out. Kody reviews PRs automatically or on demand, comments directly in the Git workflow, and lets teams configure their own rules so the review follows the team’s standards, not just generic best practices.

The main differentiator for .NET is Kody Rules. The team can turn internal standards into review rules, with file scope, severity, and path filters. In a .NET application, this makes it possible to create specific rules for controllers, services, repositories, migrations, tests, or the domain layer. For example: avoiding business logic in controllers, requiring validation on public endpoints, reviewing Include usage in Entity Framework, or ensuring tests for critical changes.

Kodus also learns from team feedback, which helps reduce noise over time. This matters a lot in .NET because each codebase usually has its own decisions around architecture, exception handling, service organization, testing, and framework usage. Instead of treating every C# project the same way, Kodus becomes more aligned with the team’s standards as it is used.

Another important point is control. Kodus is open source, works with GitHub, GitLab, Bitbucket, and Azure DevOps, supports BYOK, and lets the team choose the AI provider and model. For .NET teams that care about cost, privacy, and lock-in, this makes the tool a more flexible option for bringing AI code review into the pull request workflow.

CodeRabbit

CodeRabbit is an AI code review platform focused on pull requests, IDE, and CLI. For .NET teams, it can mainly help as an initial review layer in PRs, pointing out bugs, inconsistent patterns, and quality issues before a human reviewer goes deeper. The tool also allows teams to configure guidelines, path filters, and directory-specific instructions, which can be useful in C# projects with a clear separation between APIs, domain, infrastructure, tests, and front-end. In an ASP.NET Core application, for example, the team can use different instructions for controllers, migrations, services, middlewares, and tests. This helps reduce generic comments and brings the review closer to the decisions that actually matter in a .NET codebase.

GitHub Copilot Code Review

Copilot makes sense when the company is already heavily centered on GitHub and wants to add automated review to the workflow with as little friction as possible. For many teams, this already solves part of the problem. It helps capture basic patterns, localized improvements, and quick comments in smaller PRs.

The limitation appears when the team wants more control over the process, more model freedom, and more specific rules based on repository context.

Bito

Bito positions its AI Code Review Agent as a set of specialized agents that analyze different aspects of the PR, such as performance, code structure, security, optimization, and scalability. This fits well with the kind of care .NET applications often require, since a seemingly simple change can affect Entity Framework performance, authentication flow, dependency injection, API serialization, or async behavior. The documentation also mentions the use of Symbol Indexing, AST, and embeddings to better understand the code and its dependencies. In practice, Bito can work as a review layer that helps the team identify common problems before human review, leaving seniors more focused on architecture, domain, and long-term decisions.

CodeAnt AI

CodeAnt AI has an approach closer to code health and security, combining AI code review with quality analysis and security risk detection. For .NET teams, this is relevant when review needs to cover not only readability and maintainability, but also vulnerabilities, bad practices, and risks related to authorization, input validation, data exposure, and unsafe dependency usage. The documentation shows that codeant review analyzes changes with an agentic architecture, reads context around the codebase, and returns suggestions with severity. This kind of approach can be useful in C# projects where the team wants to prioritize findings by risk, especially in APIs, internal systems, financial applications, or products with stronger security and compliance requirements.

Comparison of code review tools for .NET

Tool	Best fit in .NET	Context used in review	How review is customized	Before the PR	Infrastructure and control
Kodus	Teams that want to turn internal C#, ASP.NET Core, and EF Core standards into versioned rules in the repository itself	Diff, repository files, code search, repo-wide semantic context, and MCP plugins for external context	`Repository Rules` in Markdown, rules by path, directory, and severity, sync of existing rule files	Yes, via CLI on the working tree, staged diff, branch, or commit	Cloud or self-hosted, BYOK by default, choice of provider and model
CodeRabbit	Teams with a monorepo or context spread across code, issues, docs, and related repositories	Diff, knowledge base, linked repos, code guidelines, MCP, web search, issues, and learnings	`.coderabbit.yaml`, `path_instructions`, AST rules, custom checks, and code guidelines	Yes, via IDE and CLI, in addition to PR review	Flow centered on the CodeRabbit service, with versioned configuration in the repository
GitHub Copilot Code Review	GitHub-first teams that want to add automatic review to the workflow with little friction	Diff, additional repository context, and repo instructions	`.github/copilot-instructions.md`, path-specific instructions in `.github/instructions/**`, `AGENTS.md`, `CLAUDE.md`, or `GEMINI.md`	Yes, in IDEs like Visual Studio and VS Code; in PRs, it runs directly on GitHub	Managed service in the GitHub ecosystem; customization through repository files
Bito	Teams that want contextual review by repository, with local configuration and the option to run on their own infrastructure	Diff, repository context, symbol indexes, embeddings, and AST	`.bito.yaml`, general and language-specific guidelines, filters, summaries, secret scanner, and lint feedback	Yes, via CLI and also in the PR workflow	Bito-hosted or self-hosted; supports GitHub/GitLab self-managed
CodeAnt AI	Teams that want to combine PR review with security, code policy, and broader codebase analysis	Diff, full codebase context, security and quality findings, language rules, and application security	`.codeant/configuration.json`, custom review rules, code governance, and review instructions	Yes, via IDE and CLI, in addition to automatic PR review	Cloud and documented self-hosted scenarios for SCM and private deployments

How I would set up an AI review workflow for a .NET team

If I were setting this up for a .NET team today, I would start with a few rules and a lot of focus. The most common mistake at this stage is trying to turn the tool into a universal reviewer in the first month. That almost always increases comment volume and reduces trust. I would rather start with the areas where C# and ASP.NET Core tend to hide expensive problems: blocking async, EF Core reads, nullability, new endpoints without tests, and changes to the middleware pipeline.

The second important decision would be to limit automatic review to issues that actually change risk, cost, or maintainability. Too many comments get tiring fast, especially in a small PR. It also makes sense to version the rules in the repository itself, so the team reviews the rule with the same care it reviews code. External context, such as a ticket, spec, or internal contract, I would only add when it improves the review decision. And I would measure it from the start: comment usefulness, false positives, and time to merge by PR type.

If I were doing this with Kodus, an initial rule for C# could be this:

---
title: "Blocking async calls in HTTP and background execution paths"
scope: "file"
path: ["src/**/*.cs", "app/**/*.cs", "api/**/*.cs", "services/**/*.cs", "workers/**/*.cs"]
severity_min: "critical"
languages: ["csharp"]
buckets: ["performance", "error-handling", "public-contract"]
enabled: true
---

## Instructions
Review C# code that runs in ASP.NET Core request paths, background jobs, hosted services, queue consumers, and application services for blocking async calls.
- Flag any use of `.Result`, `.Wait()`, or `.GetAwaiter().GetResult()` on `Task` or `Task`.
- Flag sync wrappers around async I/O, especially database, HTTP, storage, cache, and message broker calls.
- Treat this as critical when the code is reachable from controllers, endpoints, MediatR handlers, background workers, or consumer handlers.
- Prefer async end-to-end, including `async` method signatures, `await`, and propagation of `CancellationToken`.
- If a sync boundary is truly unavoidable, require explicit justification and verify that it is outside latency-sensitive or high-concurrency flows.

## Examples

### Bad example
```csharp
public IActionResult GetCustomer(Guid id)
{
    var customer = _customerService.GetByIdAsync(id).Result;
    return Ok(customer);
}
```

### Good example
```csharp
public async Task GetCustomer(Guid id, CancellationToken ct)
{
    var customer = await _customerService.GetByIdAsync(id, ct);
    return Ok(customer);
}
```

After that, I would add three more rules: one for EF Core reads, focused on N+1, lazy loading, and poor projections; another to require tests when the PR creates or changes an endpoint; and a third to review changes in the middleware pipeline, since order in ASP.NET Core affects authentication, authorization, CORS, and observability.

The future of code quality in .NET

Where AI helps, and where human review is still irreplaceable

AI tools help a lot when the problem is pattern recognition. In .NET, this includes blocking async, poor use of CancellationToken, suspicious EF Core queries, unresolved nullability, and new endpoints without tests. This type of error shows up often, costs a lot, and, with the right rule, can be caught early.

What AI still does not do well is the hardest part of review. It does not understand with the same depth whether a change respects the architectural direction of the system, whether the business rule was translated correctly, or whether that trade-off between simplicity and performance makes sense for the current product moment. It also does not replace the role of review as mentorship. When a more senior engineer explains why a solution is technically correct, but still a bad idea in that context, that kind of learning does not come from a checklist.

When the tool takes over the repetitive, rule-driven part, the PR conversation moves up a level. Instead of spending time on mechanical details, the team can discuss production impact, public contracts, behavior under load, and long-term consequences.

How I would improve the .NET review process from here

I would not start by trying to automate everything. I would start with a tool running in consultative mode, without blocking merges, and measure two things from the beginning: comment usefulness and false-positive rate. If the feedback is not helping, the problem is almost always in the rule, the scope, or the comment volume.

The next step would be to use real incidents to improve the system. After a regression, a bad query in production, or a long debugging session, the useful question is not “who made the mistake?” The useful question is “could this have been caught in review?” If the answer is yes, then it is worth turning that learning into a team checklist or a tool rule.

In the end, the most interesting gain from AI review in .NET is not reviewing more PRs per day. It is making human review spend less energy on noise and more energy on decisions that actually change the quality of the system.

Frequently asked questions

What is the best AI code review tool for .NET?

It depends on your main goal. For PR summaries and line-level suggestions, GitHub Copilot or CodeRabbit are good choices. For deeper architectural analysis and applying custom team standards, Kodus was built for that purpose with repository-level context and natural-language rules.

Does Kodus work with .NET?

Yes. Kodus works with any language and was designed to understand the structure of complex projects, including .NET solutions with multiple projects. Its ability to track dependencies across a repository makes it especially effective for C# and the .NET ecosystem.

What about the complexity of async/await in .NET?

This is an area where AI tools help a lot. They can detect common async pitfalls, such as sync-over-async blocking, forgetting to use await on a Task, or using async void in inappropriate contexts. Because they can analyze the full call stack, they can find problems that a simple linter may miss.

Are there free code review tools for .NET?

Many AI tools, including Kodus, offer free plans for open source projects or small teams, which is a good way to evaluate them before committing to a paid plan.

Are there self-hosted options for .NET reviews?

Yes. Kodus is the most complete option on this list. The platform combines self-hosted deployment, BYOK by default, open source code, and freedom to choose the model and provider. In practice, this gives more control over where the code runs, how keys are managed, and which external services enter the review workflow. For organizations with strong privacy, security, or governance requirements, this combination puts Kodus in a better position than tools that treat self-hosting as an exception or limit model choice.