Comprehensive AI-powered code review agent following Bitwarden engineering standards.
This plugin provides an autonomous code review agent that conducts thorough, professional code reviews following Bitwarden's organizational standards. The agent focuses on security, correctness, and high-value feedback while maintaining a high signal-to-noise ratio.
- Autonomous Review Agent: Single agent handles all code review tasks without manual invocation
- Organizational Standards: Consistent review process, finding classification, and comment formatting across all repositories
- Thread Detection: Prevents duplicate comments by detecting existing threads before posting
- Security-First Approach: Prioritizes security vulnerabilities, data exposure, and authentication issues
- Structured Thinking: Uses explicit reasoning blocks to improve review quality and consistency
- Confidence Scoring: Pre-filters findings with a 0-100 confidence score (≥75 threshold) before validation to reduce false positives
| Skill | Triggers | Purpose |
|---|---|---|
| classifying-review-findings | "classify finding", "severity" | 5-tier severity system (CRITICAL / IMPORTANT / DEBT / SUGGESTED / QUESTION) with emoji and label mapping |
| avoiding-false-positives | "validate finding", "verify before posting" | Rejection criteria and verification checks that drop low-confidence findings before they reach a comment |
| posting-bitwarden-review-comments | "post inline comment", "post PR comment" | Inline PR comment formatting per Bitwarden standards (severity emojis, explanation, actionable suggestion) |
| posting-review-summary | "post summary", "summary comment" | Final summary comment handling: routes to sticky comment, GitHub Actions MCP tool, or local file based on context |
| reviewing-dependency-changes | "package.json", "Renovate PR", "dependency manifest" | Flags dependency manifest changes for AppSec approval, version-bump significance, and lock-file hygiene |
| addressing-code-review-comments | "address review comments", "respond to PR feedback" | Guides developers working through review comments locally: verify before implementing, surface ambiguity, no performative agreement |
The plugin provides a single agent (bitwarden-code-reviewer) that follows a linear 7-step review process — from context gathering through validation to posting. See AGENT.md for the full flow.
See classifying-review-findings for the 5-tier severity system and classification criteria.
```text
bitwarden-code-review/
├── .claude/
│   └── settings.json          # Security boundaries
├── .claude-plugin/
│   └── plugin.json            # Plugin metadata
├── agents/
│   └── bitwarden-code-reviewer/
│       └── AGENT.md           # Main review agent
├── commands/
│   ├── code-review/           # Code review command
│   └── code-review-local/     # Local review command
├── skills/                    # See Skills table above
├── tests/
│   └── TESTING.md             # Test plan and validation
└── README.md                  # This file
```
The plugin includes a .claude/settings.json file that defines security boundaries by explicitly denying dangerous GitHub operations.
When using this plugin in your repositories, copy the security settings to your project's .claude/settings.json. This ensures the code review agent cannot perform destructive operations in your project, following the principle of least privilege.
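As an added illustration (not the plugin's actual settings.json, whose contents are not reproduced here), the shape such a boundary file takes with Claude Code's permissions deny list: the agent is allowed read-only GitHub CLI calls and is denied anything that merges, closes, deletes, pushes or touches secrets. The specific entries are assumptions chosen to match the least-privilege intent described above.

```json
{
  "permissions": {
    "allow": [
      "Bash(gh pr view:*)",
      "Bash(gh pr diff:*)",
      "Bash(gh pr checks:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)"
    ],
    "deny": [
      "Bash(gh pr merge:*)",
      "Bash(gh pr close:*)",
      "Bash(gh pr edit:*)",
      "Bash(gh repo delete:*)",
      "Bash(gh release delete:*)",
      "Bash(gh secret:*)",
      "Bash(gh api --method DELETE:*)",
      "Bash(git push:*)",
      "Bash(git reset --hard:*)"
    ]
  }
}
```

Deny rules take precedence over allow rules, so a read-oriented allow list can coexist with the deny list; run one review locally and confirm the agent is refused on a denied command before relying on the file in CI.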
The agent is automatically invoked by Claude when:
- User mentions "review", "PR", or "pull request"
- User requests code review feedback
- User analyzes code changes
```text
# Invoke the review agent explicitly
Use the bitwarden-code-reviewer agent to review this PR
```
See the production implementation: bitwarden/gh-actions _review-code.yml
Available through Bitwarden's internal Claude Code marketplace:
```text
# Add the Bitwarden marketplace (if not already added)
/plugin marketplace add https://github.com/bitwarden/ai-plugins
# Install the code review plugin
/plugin install bitwarden-code-review@bitwarden-marketplace
# Restart Claude Code
```
See CONTRIBUTING.md for guidelines on updating this plugin.
Bitwarden
- @team-ai-sme
For issues or questions:
- Internal: #ai-discussions Slack channel
- GitHub Issues: bitwarden/ai-plugins