Article · ai, code-review, postgres, ci

AI Code Review for Database PRs in 2026

How to use an AI reviewer to catch the migration, RLS, and N+1 bugs your eyes miss. Practical patterns for AI-augmented code review on Postgres / Supabase PRs.

11 min read

Human code review still matters. So does the fact that humans don't always read carefully on a Friday afternoon. AI reviewers shipped on GitHub PRs in 2025 are the cheap second pair of eyes that catches the boring bugs - especially in database PRs, where boring bugs are usually the expensive ones.

Why AI reviews the human review

AI reviewers are good at the exact thing humans are bad at: reading every line, checking every invariant, every time. They're not replacing the senior who looks at the PR for architectural sense. They're catching the migration that forgot WITH CHECK, the index that's redundant with another, the N+1 query the test suite never exercises.

What AI reviewers catch reliably

Migration safety issues

  • ALTER COLUMN ... TYPE that will rewrite a hot table.
  • NOT NULL additions without a backfill or default.
  • Index creation without CONCURRENTLY.
  • Volatile defaults on new columns (DEFAULT now(), gen_random_uuid()).

RLS issues

  • New table without RLS enabled or without policies.
  • Policies missing WITH CHECK on writes.
  • Policies that forget the role binding (no TO authenticated).
  • Functions in policies that aren't SECURITY DEFINER when they should be.

Query shape issues

  • N+1 queries inside loops.
  • Missing indexes on FK columns when the new code joins through them.
  • Queries that fetch * when only a few columns are used.

What they still miss

Domain logic. Architectural choices. Whether a feature should exist. AI reviewers are very good at "this code is technically wrong" and very bad at "this code is in the wrong place". Use them for the former; keep humans for the latter.

A working setup

The pattern most teams ship in 2026:

  1. GitHub PR triggers a GitHub Action.
  2. Action diffs the PR, builds a focused prompt with the changed migration files + the related table schemas + a project rules file.
  3. Hits the OpenRouter (or Anthropic, or OpenAI) API with a strict review prompt.
  4. Posts inline review comments via the GitHub REST API.
  5. Sets a check status: pass or "needs review".

The whole setup is ~150 lines of TypeScript. Cost per PR is a few cents.

.github/workflows/db-review.yml
name: AI database review
on: pull_request
jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # needed to post inline review comments
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }   # full history so origin/main is available to diff against
      - uses: pnpm/action-setup@v4
        with: { version: 9 }
      - uses: actions/setup-node@v4
        with: { node-version: 22, cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: |
          # Collect just the changed files under drizzle/ and src/db/.
          # grep exits 1 when nothing matches and the default shell runs with
          # -e and pipefail, so `|| true` keeps PRs without db changes green.
          git diff --name-only origin/main HEAD \
            | grep -E '^(drizzle|src/db)/' > changed.txt || true
          if [ -s changed.txt ]; then
            pnpm tsx scripts/ai-review.ts < changed.txt
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # plus the model provider key (OpenRouter, Anthropic or OpenAI) from repo secrets
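As an added example (not the article's own ai-review.ts or any Suparbase code), here are the two halves of the script the workflow above invokes: the focused prompt from step 2 and the review payload plus check status from steps 4 and 5, with the model call and the GitHub POST left out so it runs offline. The findings JSON shape and the `severity` values are assumptions; the review payload field names follow GitHub's create-review endpoint.

```typescript
// Added example, not the article's ai-review.ts: steps 2, 4 and 5 of the
// pipeline without any network call. The findings schema is an assumption.
type ChangedFile = { path: string; content: string };
type Finding = { path: string; line: number; severity: "block" | "warn"; message: string };
type ReviewComment = { path: string; line: number; side: "RIGHT"; body: string };

// Step 2: rules file plus only the changed files, line-numbered so the model
// can cite file:line rather than guess.
function buildReviewPrompt(rules: string, files: ChangedFile[]): string {
  const numbered = files.map((f) => {
    const lines = f.content.split("\n").map((l, i) => `${i + 1}: ${l}`);
    return `### ${f.path}\n${lines.join("\n")}`;
  });
  const schema = '{"findings":[{"path":"","line":0,"severity":"block|warn","message":""}]}';
  return `${rules.trim()}\n\nReply with JSON only: ${schema}\n\n${numbered.join("\n\n")}`;
}

// Steps 4 and 5: map model output to the body of
// POST /repos/{owner}/{repo}/pulls/{n}/reviews plus the check status.
// Findings outside the diff are dropped (models invent paths and lines), and
// output that is not a findings array is "needs review", never LGTM.
function toReview(modelOutput: string, files: ChangedFile[]) {
  const lineCount = new Map(files.map((f) => [f.path, f.content.split("\n").length] as [string, number]));
  let findings: Finding[] | undefined;
  try { findings = JSON.parse(modelOutput)?.findings; } catch { /* malformed JSON falls through */ }
  if (!Array.isArray(findings)) {
    const body = "AI review output was not a findings list; needs a human look.";
    return { status: "needs review", review: { event: "COMMENT", body, comments: [] as ReviewComment[] } };
  }
  const inDiff = findings.filter((f) => Number.isInteger(f.line) && f.line >= 1 && f.line <= (lineCount.get(f.path) ?? 0));
  const comments: ReviewComment[] = inDiff.map((f) => ({ path: f.path, line: f.line, side: "RIGHT", body: `[${f.severity}] ${f.message}` }));
  const blocking = inDiff.some((f) => f.severity === "block");
  return {
    status: comments.length ? "needs review" : "pass",
    review: { event: blocking ? "REQUEST_CHANGES" : "COMMENT", body: comments.length ? `${comments.length} database finding(s)` : "LGTM", comments },
  };
}

// Constructed sample: one finding inside the diff, one against a file that is
// not in the PR (the kind of hallucination the filter above removes).
const SAMPLE_FILES: ChangedFile[] = [{
  path: "drizzle/0007_orders.sql",
  content: "CREATE TABLE orders (id uuid PRIMARY KEY, user_id uuid NOT NULL);\n\nCREATE INDEX orders_user_id_idx ON orders (user_id);",
}];
const SAMPLE_MODEL_OUTPUT = JSON.stringify({ findings: [
  { path: "drizzle/0007_orders.sql", line: 3, severity: "block", message: "CREATE INDEX without CONCURRENTLY blocks writes on orders." },
  { path: "src/db/users.ts", line: 12, severity: "warn", message: "SELECT * where two columns are used." },
] });
```

Wire `buildReviewPrompt` output into your provider call and send `review` to the pull-request reviews endpoint with the workflow's `GITHUB_TOKEN`; `status` drives the pass / needs-review check.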

Database-specific checklist prompt

Generic AI review prompts are okay; specific ones are great. We use this checklist for our own database PRs:

db-review-prompt.md
Review this PR for database safety issues only. Ignore style.

Check each of these and call out specific lines:

1. Migrations
   - Any ALTER TABLE that rewrites the table on a busy production table?
   - Adding NOT NULL without a backfill plan?
   - Creating an index without CONCURRENTLY?
   - Using a volatile default on a new column?

2. RLS
   - New table: is RLS enabled and at least one policy per intended verb?
   - Write policies: do they have WITH CHECK matching USING?
   - Are policies scoped TO authenticated (or stricter)?

3. Queries
   - Any N+1 patterns in the diff?
   - New JOIN through a column that doesn't have an index?
   - SELECT * where only a couple of columns are used?

4. Types
   - Generated types committed in this PR if the schema changed?

For each finding, post a comment with the file:line and what to do
instead. If none, post LGTM.

AI code review for database PRs is one of the highest-leverage AI integrations a team can ship. It catches the bugs that are most expensive to fix in production and least visible during a normal review. Worth the afternoon to set up.

For the broader vibe-coding-era patterns, see our database patterns playbook.

Suparbase is an admin workspace for Supabase. Encrypted credentials, server-side proxy, RLS debugger, SQL playground, AI assistant with diff-confirmed writes. Free tier for solo projects.
