A client called last year with an urgent problem. Their contact form had been broken for three weeks. Three weeks of lost enquiries from a site ranking well in Google.
The issue? A single missing character in a validation script. The form looked fine. It felt like it worked. But nothing was actually submitting.
A human developer tested the form once, saw it worked, moved on. AI code review would have caught it immediately by checking all form validation paths.
Here’s how I use AI to catch what I’d otherwise miss.
What AI Code Review Actually Does
AI code review isn’t magic. It’s systematic checking at a scale humans can’t match.
Pattern matching: AI knows thousands of code patterns that commonly cause bugs. It checks your code against all of them.
Consistency checking: It verifies you’re following the same patterns throughout the codebase. Humans get tired and inconsistent. AI doesn’t.
Security scanning: It checks for known vulnerabilities like SQL injection risks, XSS vulnerabilities, exposed credentials.
Performance analysis: It identifies code that will be slow, files that are too large, inefficient database queries.
Accessibility checking: It verifies your HTML meets WCAG standards for screen readers and keyboard navigation.
Think of it as a checklist with 10,000 items that runs in seconds.
Real Issues AI Has Caught for Me
These are actual problems found by automated review on websites I’ve built:
Security Issues
Exposed API keys in code: I’d hardcoded an API key in a development file and forgotten to remove it before deploying. AI scanner flagged it immediately. In production, this would have exposed the client’s paid service to anyone viewing the page source.
Missing CSRF protection: A contact form didn’t have cross-site request forgery protection. Not obvious to spot manually, but a known vulnerability pattern that AI checks for automatically.
Insecure dependencies: A npm package I’d installed had a known security vulnerability. AI flagged it and suggested the patched version. I’d never have known without automated checking.
Performance Problems
Unoptimized images: I’d uploaded full-resolution photos (3MB each) that displayed at 400px wide. AI caught that the images were 10x larger than needed, flagging a major performance issue.
Bundle size warnings: I’d imported an entire icon library to use three icons. AI calculated the bundle size impact and suggested importing only the specific icons needed. Saved 180KB.
Unused CSS: AI identified that 40% of my CSS file was unused on the actual pages. It helped me remove the dead code and speed up load times.
Accessibility Issues
Missing alt text: I’d forgotten alt text on five images. AI flagged every one.
Insufficient color contrast: The light grey text on white background looked fine to me but failed WCAG contrast requirements. AI measured the exact contrast ratio and flagged it.
Missing form labels: A form field had a placeholder but no proper label element. Worked fine visually, completely broken for screen readers. AI caught it immediately.
Code Quality Issues
Inconsistent naming: I’d used camelCase in some files and kebab-case in others. Not a bug, but makes code harder to maintain. AI enforced consistency.
Dead code: Functions I’d written for testing but never removed. AI identified unreferenced code that could be deleted.
Complex functions: AI flagged functions with high cyclomatic complexity (too many nested conditions). Not wrong, but a signal to refactor for maintainability.
My Code Review Workflow
I use a three-layer approach:
Layer 1: Real-Time AI Assistance (While Writing)
I use GitHub Copilot and Claude directly in my editor. As I write code, AI suggests completions and catches obvious issues immediately.
What it catches:
- Syntax errors
- Common bugs
- Missing imports
- Inconsistent patterns with code I just wrote
Example: I start writing a function to validate email addresses. AI suggests the complete regex pattern and validation logic, already tested and working. I don’t need to remember the exact regex or test edge cases manually.
Layer 2: Automated Linting (Before Committing)
Before I commit code to Git, automated linters run:
- ESLint for JavaScript/TypeScript
- Stylelint for CSS
- Markdownlint for content files
- Prettier for consistent formatting
What it catches:
- Code style violations
- Potential bugs
- Deprecated patterns
- Accessibility issues in JSX/HTML
Example:
I write a component with an onClick on a <div>. Linter catches that this isn’t keyboard accessible and suggests using a <button> instead.
Layer 3: Pre-Deploy Analysis (Before Production)
Before deploying, I run comprehensive scans:
- Lighthouse for performance, accessibility, SEO
- npm audit for dependency vulnerabilities
- Bundle analyzer for file size issues
- Link checker for broken links
What it catches:
- Performance regressions
- Security vulnerabilities in dependencies
- SEO issues
- Production-specific problems
Example: Lighthouse reports that my hero image is 2.1MB and delaying page load by 4 seconds. I compress it to 200KB before deploying.
What AI Review Can’t Do
AI is excellent at systematic checking, but it has limitations:
Doesn’t understand business context: AI can’t tell you if a feature makes sense for your business model or if the copy will resonate with your customers.
Can’t evaluate user experience: It can check technical accessibility, but can’t judge whether the site is actually pleasant to use.
Misses complex logical errors: AI can catch common bug patterns, but won’t spot that your discount calculation is wrong because it doesn’t understand your business rules.
Suggests outdated patterns: AI is trained on existing code, including bad patterns. It sometimes suggests approaches that are technically correct but not best practice.
Can’t make judgment calls: Whether to prioritize speed over features, simplicity over flexibility - these are decisions AI can inform but not make.
This is why I use AI to handle the systematic checking while I focus on context, user experience, and business logic.
Specific Tools I Use
These are the tools in my actual workflow.
For every business website I build, these automated checks run before launch:
During Development
GitHub Copilot (£8/month): AI pair programmer that suggests code as I type. Particularly good for boilerplate, common patterns, and test writing.
Claude (API access, ~£15/month): For code review conversations. I paste code and ask “What could go wrong here?” or “How would you improve this?”
TypeScript: Not strictly AI, but catches type errors before runtime. Prevents entire categories of bugs.
Pre-Commit
ESLint with recommended configs: Free, catches JavaScript errors and enforces code quality rules.
Prettier: Free, automatically formats code consistently. Removes all formatting debates.
Husky: Free, runs checks automatically before allowing Git commits.
Pre-Deploy
Lighthouse (built into Chrome): Free Google tool that scores performance, accessibility, SEO, best practices.
npm audit: Built into npm, checks for known security vulnerabilities in dependencies.
Vercel’s automated checks: My hosting platform runs additional checks during deployment. Catches production-specific issues.
Total cost for solo developer: About £25/month for the AI tools, everything else is free.
Real Examples: Before and After
Example 1: Contact Form Bug
Human review: I tested the form. It submitted. Looked good.
What I missed: The form only worked if all fields were filled. If someone left the optional message field empty, validation failed silently. No error message, just nothing happened.
AI caught it:
ESLint flagged that the validation function could return undefined in some cases, which would break the submit handler.
Fix: Added proper handling for optional fields. Took 5 minutes once I knew the issue existed.
Example 2: Slow Image Loading
Human review: Images loaded fine on my fiber connection. Site felt fast.
What I missed: Images were 5-8MB each. On mobile connections, they took 15+ seconds to load.
AI caught it: Lighthouse gave me a 32/100 performance score and specifically flagged oversized images.
Fix: Compressed all images to under 200KB each. Performance score improved to 95/100. Mobile load time dropped from 18 seconds to 2.3 seconds.
Example 3: Accessibility Failure
Human review: I’m not a screen reader user. The site looked fine and seemed to work.
What I missed: The mobile menu was completely inaccessible to keyboard users. You couldn’t tab to it or activate it with Enter.
AI caught it:
Accessibility linter flagged that the menu button was a <div> with onClick, not a proper <button> element.
Fix: Changed to semantic HTML. Added proper ARIA labels. Now keyboard accessible.
When to Use Human Review vs AI
Use AI for:
- Systematic checking of known issues
- Consistency across large codebases
- Security vulnerability scanning
- Performance measurement
- Accessibility compliance
- Code formatting
Use human review for:
- Business logic validation
- User experience evaluation
- Design decisions
- Content review
- Complex feature interaction
- Strategic technical decisions
Ideally, use both. AI handles the tireless systematic checking. Humans handle context and judgment.
How This Affects Clients
My clients don’t see the code or the review process. What they see is:
Fewer bugs in production: Issues get caught before launch, not after customers complain.
Faster load times: Performance issues are identified and fixed before anyone notices the site is slow.
Better accessibility: Sites work properly for users with disabilities, without requiring specialized accessibility expertise from me.
More secure: Vulnerabilities are caught and patched before they can be exploited.
Consistent quality: Every project gets the same thorough review, even when I’m tired or rushed.
The result is websites that work better and require less emergency fixing after launch.
Common Questions
Does AI replace manual testing?
No. AI catches systematic issues, but you still need to click through the site, test forms, check mobile display, and verify everything works as intended.
Is AI-reviewed code perfect?
No. AI catches categories of issues humans commonly miss. But it can miss things too, particularly context-specific problems or complex logical errors.
Do I need to be technical to use these tools?
Some require setup, but many are built into modern development tools. If you’re working with a developer, ask what automated review they use.
Can AI review find malicious code?
It can find known vulnerability patterns and suspicious code patterns, but sophisticated malicious code might not be caught. Use trusted sources for code and dependencies.
Does this slow down development?
Initially yes - you have to set up the tools. Long term no - catching bugs early is faster than fixing them in production.
What I Recommend for Different Situations
AI review is less critical for:
- Static brochure sites that rarely change
- Very simple single-page sites
- Websites managed by non-technical owners who can’t act on the feedback
But even simple sites benefit from pre-launch accessibility and performance scanning.
How to Ask Your Developer About This
If you’re hiring a developer, ask:
“What automated code review and testing do you use?”
Good answers:
- “I use ESLint and Prettier for code quality, Lighthouse for performance, and automated accessibility checking.”
- “My CI/CD pipeline runs automated tests and security scans before deployment.”
- “I use AI tools like Copilot for assistance and run pre-commit hooks for quality checks.”
Concerning answers:
- “I manually check everything.” (Humans miss things systematically.)
- “I have 20 years experience, I don’t need automated tools.” (Pride before a fall.)
- “What’s ESLint?” (They’re not keeping up with current practices.)
The best developers use automation to handle systematic checking, freeing them to focus on problems that require human judgment.
The Future: More AI, Not Less
AI code review is getting better rapidly:
Current AI can:
- Catch known bugs and vulnerabilities
- Enforce style consistency
- Measure performance impact
- Check accessibility compliance
Near-future AI will:
- Understand business logic and catch logical errors
- Suggest optimizations specific to your use case
- Write comprehensive tests automatically
- Predict production issues before deployment
I expect AI review to become standard practice within two years, the way version control and automated testing already are.
The developers who embrace it will deliver better quality faster. The ones who resist will fall behind.
What I Do on Every Project
My standard process includes:
Development:
- AI assistance while writing code
- Real-time linting and error checking
- Type checking with TypeScript
Pre-commit:
- Automated code formatting
- Linting for code quality
- Accessibility checks on components
Pre-deploy:
- Performance testing with Lighthouse
- Security scanning with npm audit
- Bundle size analysis
- Link checking
- Manual testing on real devices
Post-deploy:
- Monitoring for JavaScript errors
- Performance monitoring
- Uptime monitoring
The AI-powered parts of this process run automatically. I don’t have to remember to do them, they just happen.
The result is websites that work better, load faster, are more accessible, and have fewer production bugs. This is part of why our growth service can focus on optimization rather than emergency fixes.
AI code review isn’t about replacing human developers. It’s about letting machines do what they do best - tireless systematic checking of thousands of potential issues - so humans can focus on what we do best: understanding context, user needs, and business goals.
I catch more bugs now than I did five years ago, despite having more experience. Not because I’m better at spotting bugs, but because AI handles the systematic checking while I focus on the problems that actually require human judgment.
The websites are better for it.
