
Critiq team
- ci
- guides
Automate pull request review checks in GitHub Actions
Automate PR review checks with critiq-action: diff scans, inline comments, severity gates, and reusable workflows on every pull request.
Read articleBlog
Engineering notes on deterministic code review, pull request workflows, security rules, and OSS updates from the Critiq team.
16 articles

Critiq team
Automate PR review checks with critiq-action: diff scans, inline comments, severity gates, and reusable workflows on every pull request.
Read article
Compare linting vs rule-based code review: style and syntax from ESLint and friends, security and correctness from inspectable Critiq rules.
Read article
Integrate Critiq in your GitHub workflow: local checks, pull_request scans, branch protection, and monorepo paths with critiq-action.
Read article
Rule-based vs AI code review: stable rule IDs and local reproduction vs fluent PR summaries that shift between runs.
Read article
AI code review vs rule-based review: why developers distrust PR bots and how inspectable rules, evidence, and local checks close the gap.
Read article
Evidence-based code review ties findings to a rule, line, severity, and references, not confident prose or AI vibes on the pull request.
Read article
Open source static analysis rules: the Critiq engine, DSL, and 435+ OSS catalog you can run locally, inspect, and tune before CI.
Read article
Run critiq check locally: install the OSS CLI, read pretty and JSON output, and triage severity, rule IDs, and fixes like a senior review.
Read article
Secret scanning in CI with critiq audit secrets: what pattern-based detection finds, what it skips, and when to gate merges vs check.
Read article
Automate pull request review in GitHub Actions: inline PR comments, dedupe across reruns, and fail-on-severity merge gates with critiq-action.
Read article
N+1 and unbounded concurrency in code review: performance rules for map awaits and Promise fan-out, with fixes and CLI commands.
Read article
SQL injection detection in code review: how security.no-sql-interpolation flags interpolated SQL and why parameterized queries fix CWE-89.
Read article
OWASP and CWE rule metadata in @critiq/rules: how references keep security findings traceable in CLI JSON, SARIF, and pull request review.
Read article
TypeScript security code review: eight rule-backed patterns Critiq flags in PRs, with bad code, good code, and catalog rule IDs for each fix.
Read article
Correctness bugs in code review: nine ts.correctness rules for duplicate keys, async executors, and defects that pass a casual diff.
Read article
Testing hygiene and change-risk signals: merge-confidence gaps, silent skips, flaky timers, and diff-scoped coverage holes before ship.
Read article