Code Review

Ruby on rails Code Review: Best pratices + AI tools (2026)

Avatar photo Edvaldo Freitas
Ruby on rails Code Review

A good code review in Ruby on Rails might be one of the most valuable things a team can do. It is also one of the easiest things to get wrong. Junior developers get stuck with vague feedback, and senior engineers do not have time to do more than a quick review. The whole process is frustrating and rarely helps as much as it should.

We treat code review as a generic engineering practice, but Rails is not a generic framework. Its conventions and its “magic” create unique problems. This guide gives you a checklist for manual reviews and shows how AI tools can handle the repetitive parts, letting your team focus on the code itself.

Why Ruby on Rails code review is different

Reviewing Rails code is different from reviewing code in other languages or frameworks. You need to check the explicit logic and also the implicit behavior driven by convention. A one-line change in an ActiveRecord model can introduce serious performance or security problems that are easy to miss. Because of the framework’s metaprogramming and convention over configuration approach, sometimes the most important code is the code that is not written. A good review needs to see that context, from automatically loaded modules to ActiveRecord query generation.

Best practices for Ruby on Rails code reviews

Checklists and tools are useless if your process is a mess. AI does not fix a broken workflow. Good reviews depend on good pull requests.

Getting code ready for review

  • One change per pull request. A PR should do one thing. If the title includes “and,” it is probably too big. A PR called “Add user avatar upload and refactor billing service” should be split into two PRs. This makes the reviewer’s job easier.
  • Write a useful description. Do not just copy the task title. Explain why you made the change, not just what you changed. What problem does this solve? How did you approach the solution? Did you consider other alternatives? Link the task and add screenshots for UI changes. A good description gives the reviewer the context they need.
  • Do a self-review first. Read your own diff before asking for review. You will catch a surprising number of typos, forgotten binding.pry calls, and commented-out code. It is a simple way to respect your teammates’ time.

What to look for as a reviewer

  • Does this solve the right problem? First, check whether the code actually solves the business problem described in the task. It is easy to get lost in implementation details and forget the original goal.
  • Is the code clear? Can you understand what is happening? If you need to spend ten minutes decoding a single method, the code needs to be simplified or commented. Your future self will thank you.
  • Are there obvious Rails performance issues? Look for the usual suspects, such as N+1 queries, expensive operations inside loops, or missing database indexes. We will cover this in the checklist.
  • Are the tests sufficient? Tests should cover the new logic and its edge cases. If a change fixes a bug, there should be a regression test that would have failed before the fix.
  • Are there any obvious security concerns? Check for things like SQL injection, unsafe redirects, or missing authorization checks.

A Ruby on Rails code review checklist

This checklist is a starting point for reviewing Rails applications. It is not exhaustive, but it covers the most common issues that cause problems in production.

Security

  • Mass Assignment: Are you using strong parameters (require and permit) to prevent users from updating model attributes they should not be able to access?
  • SQL Injection: Are all database query parameters properly sanitized? Avoid string interpolation in where clauses. Use array or hash conditions instead. Example: User.where("name = ?", params[:name]).
  • Cross-Site Scripting (XSS): Is user-generated content being escaped correctly in views? Rails does this by default, but be careful with raw or html_safe.
  • Authorization: Does the code check whether the current user is authorized to perform the action? Look for missing authorize! calls if you are using Pundit, or similar checks.
  • Unsafe redirects: Is the application redirecting based on user-submitted parameters? This can be exploited. Use redirect_to carefully and validate URLs.

Performance

  • N+1 queries: This is the most common performance problem in Rails. Check loops that access associations. Use a tool like Bullet in development and look for places where adding .includes() or .preload() in the controller makes sense.
  • Database indexes: Are the new database queries backed by indexes? A query that filters or sorts by a column without an index will become slow on large tables. Migrations that add foreign keys should almost always include an index.
  • Excessive memory usage: Are you loading too many records into memory with .all or .load? Use .find_each for batch processing and to keep memory usage low.
  • Cache: Are there opportunities to cache expensive queries or partials? Check whether existing cache strategies are being invalidated correctly.

Idiomatic Ruby on Rails

  • Fat Model, Skinny Controller: Business logic should live in the model, or in service objects/concerns, not in the controller. Controllers should be a thin layer for handling HTTP requests and responses.
  • Use scopes and class methods: Keep query logic out of controllers. Encapsulate common queries in ActiveRecord scopes or class methods in the model.
  • Service Objects: For complex actions that involve multiple models or external services, consider extracting the logic into a plain old Ruby object (PORO) instead of bloating a model or controller.
  • Follow RESTful conventions: Do the controller actions and routes follow RESTful principles? This makes the application more predictable.

Testing

  • Test coverage: Does the PR include tests for the new code? Pay attention to tests for edge cases and failure conditions, not just the happy path.
  • Test one thing at a time: Each test should verify one specific behavior. Avoid long tests that do many things at once.
  • Types of tests: Is there a good mix of unit, integration, and system tests? Do not rely on just one type.

Database

  • Safe migrations: Are the database migrations safe for production deployments? Adding an index or a column with a default value to a large table can lock it and cause downtime. Use add_index :users, :email, algorithm: :concurrently to add indexes without a lock.
  • Reversible migrations: Can the migration be rolled back? Make sure the change method is reversible, or implement separate up and down methods.

Common Ruby on Rails issues that AI catches

AI is not going to replace senior developers in code reviews anytime soon. It is becoming an assistant that handles the first layer of review, finding common and predictable problems. This frees people up to focus on architecture and intent. Here are some examples of what a good AI tool can identify.

1. N+1 queries

The classic Rails performance bug. A person can easily miss this in a large PR, but an AI that understands ActiveRecord patterns can identify it.

Before:

# app/controllers/projects_controller.rb
class ProjectsController < ApplicationController
  def index
    @projects = Project.all
  end
end

# app/views/projects/index.html.erb
<% @projects.each do |project| %>
  <%= project.name %> - <%= project.owner.name %> <!-- N+1 query here -->
<% end %>

AI suggestion:

The project.owner association is being called inside a loop, which will result in N+1 queries. Consider eager loading the owner association in the controller to improve performance.

@projects = Project.includes(:owner).all

After:

# app/controllers/projects_controller.rb
class ProjectsController < ApplicationController
  def index
    @projects = Project.includes(:owner).all
  end
end

2. Unsafe SQL query

A critical security vulnerability that is easy to introduce without noticing.

Before:

# app/models/user.rb
class User < ApplicationRecord
  def self.search(term)
    where("name LIKE '#{term}%'") # Unsafe!
  end
end

AI suggestion:

This query uses string interpolation to include a variable, making it vulnerable to SQL injection. Use parameterized queries with a placeholder to pass the term safely.

where("name LIKE ?", "#{term}%")

After:

# app/models/user.rb
class User < ApplicationRecord
  def self.search(term)
    where("name LIKE ?", "#{term}%")
  end
end

3. Leaking business logic into a controller

A common pattern that leads to hard-to-maintain code.

Before:

# app/controllers/orders_controller.rb
class OrdersController < ApplicationController
  def create
    @order = Order.new(order_params)
    if @order.save
      PaymentGateway.charge(@order.amount, @order.user.credit_card)
      @order.update(status: 'paid')
      Notifier.order_confirmation(@order).deliver_later
      redirect_to @order
    else
      render :new
    end
  end
end

AI suggestion, from a tool with repository context:

This create action contains complex business logic for payment processing and notifications. This pattern differs from other controllers in the project that use service objects, such as RegistrationService. Consider extracting this logic into an OrderPlacementService to follow the already established pattern and keep the controller thin.

After:

# app/controllers/orders_controller.rb
class OrdersController < ApplicationController
  def create
    @order = OrderPlacementService.new(order_params).call
    if @order.persisted?
      redirect_to @order
    else
      render :new
    end
  end
end

# app/services/order_placement_service.rb
class OrderPlacementService
  # ... logic to create order, charge payment, send notification ...
end

4. Unsafe redirect

A security issue that is often overlooked.

Before:

# app/controllers/sessions_controller.rb
def create
  # ... authentication logic ...
  redirect_to params[:return_to] if params[:return_to].present?
end

AI suggestion:

Redirecting to a URL provided in params is unsafe and can lead to phishing attacks. Validate that the return_to URL is a path inside your application or use an allowlist of approved external domains.

After:

# app/controllers/sessions_controller.rb
def create
  # ... authentication logic ...
  return_path = safe_redirect_path(params[:return_to])
  redirect_to return_path
end

private

def safe_redirect_path(path)
  return root_path if path.blank?
  # Naive example: ensures it is a relative path
  uri = URI.parse(path)
  (uri.host.nil? && path.start_with?('/')) ? path : root_path
end

Best AI code review tools for Ruby on Rails in 2026

The market for AI code review tools is crowded, but most of them are generic. For a Rails project, you need a tool that understands the specifics of the framework. Here are a few of them.

Kodus

Kodus - AI Code Review

Kodus is open source and model-agnostic, so you can use your API key and run reviews with the model you prefer (OpenAI, Gemini, Claude, etc.). It stands out by operating with repository-level context. Instead of only looking at the diff, it understands the patterns and architecture of the entire application. This allows deeper feedback, such as noticing when new code breaks from a pattern already established elsewhere in the codebase. It also allows custom rules written in natural language, so you can teach it your team’s specific conventions. Its model-agnostic and open source approach gives teams more control and avoids vendor lock-in.

GitHub Copilot Code Review

GitHub Copilot Code Review

Integrated directly into GitHub, Copilot provides suggestions and summaries based on the PR diff. It is convenient and good at finding local errors or suggesting small refactors. Its main limitation is the lack of deep context from the entire repository. It reviews the diff, not the system.

CodeRabbit

CodeRabbit

Known for detailed line-by-line feedback and PR summaries. It is great for explaining changes and suggesting improvements. It offers more depth than Copilot’s basic review, but it can sometimes generate too many comments if it is not configured carefully.

SonarQube

SonarQube

An established player in static analysis. It is powerful for security scanning and for maintaining code quality metrics over time. It is widely used in larger and enterprise environments. The trade-off is that it can be complex to configure and maintain, and its feedback feels less like a collaborative review and more like a strict linter.

Qodo

Qodo

A newer tool focused on providing actionable, high-quality feedback. It tries to reduce the noise common in other automated tools and focus on suggestions that have real impact.

For a larger Rails application, applying project-specific patterns is the difference between a useful tool and a noisy one. A generic linter can flag a long method. A context-aware tool like Kodus can point out that you are using the wrong service object pattern for a specific domain, which is a much more valuable insight.

Ruby on Rails code review tools comparison

Feature Kodus CodeRabbit GitHub Copilot SonarQube Qodo
Repository-level context Excellent Limited Limited to the diff Good, through static analysis Moderate
Rails-specific rules Excellent, customizable Good, preconfigured General Good, preconfigured Good, preconfigured
Custom rules Yes, in natural language Limited, through configuration files No Yes, with complex setup Limited
Security scanning Yes Basic Basic Excellent Good
PR summaries Excellent Good Good No Good
Self-hosted option Yes Yes No Yes No
Pricing $10 $60 $19 $32 $38

How to set up AI code review for Ruby on Rails

Integrating a tool like Kodus is simple. The goal is to get automated feedback on your pull requests without disrupting the workflow.

1 – Create the account and connect GitHub: the starting point is to integrate the platform with the Git provider your team already uses. In the case of GitHub, OAuth connection is usually the most natural path, because it simplifies authorization and grants access to the repositories that can be included in the analysis scope.

2 – Select the repositories: after the integration, the next step is to define which projects Kody will monitor. This allows you to adopt automated review gradually, starting with the most critical or mature repositories, without needing to expand everything at once.

3- Enable automatic review and adjust review behavior: with the repositories connected, the next step is to define how the review will work day to day. This can be done through the Kodus interface or through a kodus-config.yml file at the root of the repository, which takes priority over the web configuration. This file is where settings like automatedReviewActive, baseBranches, severity filters, and review cadence are defined.

4- Define custom rules: from there, the review can better reflect how the team works, whether by inheriting settings across levels, reusing existing rules, versioning rules in the repository, or generating suggestions based on review history.

Also, Kodus has a library of ready-to-use rules you can apply, such as:

No live network or DB in unit tests—use fakes/mocks CRITICAL

Why is it important?

Live I/O introduces slowness, nondeterminism, and external failures unrelated to the code.

Instructions

Unit tests must stub or fake external HTTP/DB calls; allow real I/O only in integration/e2e tests tagged accordingly.

Bad
unit: calls https://…
Good
unit: uses fakeHttp()/mockClient()

5- Integrate with CI: Kodus runs automatically on new pull requests, publishing comments like a human reviewer. There is nothing else to configure.

You can find more detailed instructions and examples in the official documentation.

Making good code review a habit

Tools only take you so far. A good review culture matters just as much.

  • Start small. Do not try to apply everything in this checklist at once. Choose one or two things to focus on, such as smaller PRs or better descriptions.
  • Talk. If a review turns into a long comment thread, a quick call is usually more efficient.
  • Use reviews to learn. The goal is to build collective ownership of the code and share knowledge. Both the author and the reviewer should learn something from the exchange.

Frequently asked questions

What is the best AI code review tool for Ruby on Rails?

If you need something beyond generic linting, Kodus is a good option. It uses repository context and allows you to define rules in natural language, so the feedback is more aligned with your application’s patterns, not just the diff.

Does Kodus work with Ruby on Rails?

Yes. It works with any language. For Ruby, for example, you can write rules to teach it your “fat model” strategy, your service object patterns, or how your team handles authorization.

What about performance concerns, like N+1 queries?

AI is good at this. You can configure a tool like Kodus with a custom rule to look for N+1 patterns. It can analyze controllers and views to find loops that access unloaded associations and suggest adding the correct .includes().

Are there free code review tools for Ruby on Rails?

Yes. Some AI tools offer free plans, especially for open source projects or small teams. Kodus, for example, is open source and can be used at no cost in this type of scenario.

Are there self-hosted options for Ruby on Rails reviews?

Yes. If you have strict data privacy requirements, Kodus and SonarQube offer self-hosted versions.