By: Andreas Svitzer, Engineering Manager

Funnel is an organization with learning front and center. Our preferred way in the product development organization is to put features, improvements and new products in the hands of our users, measure and draw conclusions. We think it’s important to get early and continuous insights used to improve the next iteration of our product offering.

This article details how Funnel integrated AI code reviews to significantly reduce friction in our deployment and release cycles. Leveraging the advancements in Generative AI and a new suite of development tools, we embarked on an exploration of their potential to accelerate our release cadence and, crucially, enhance our user-centric feedback loop.

Code Reviews as part of the release cycle

Our approach to code reviews is driven by two fundamental objectives:

Regulatory Compliance: Our SOC2 certification mandates a "four-eyes principle," requiring two human reviewers for every code change before it can be deployed to production. This ensures the integrity of our security posture, with reviewers expected to possess a deep understanding of Funnel's security principles and general industry standards.

Engineering Excellence: Beyond compliance, code reviews are important for maintaining and elevating the quality of our codebase over time, and for fostering knowledge sharing across our engineering teams. We recognize that robust maintainability and effective knowledge sharing necessitate a formalized process to ensure their consistent execution.

Why we think it is a good time to introduce AI code reviews

Funnel has made a significant strategic investment in AI-powered developer tools to amplify productivity, with Cursor and Copilot being key components of our toolkit. All engineers are encouraged to leverage these tools to enhance their effectiveness. Specifically, we've enabled engineers to utilize Large Language Models (LLMs) to self-review their changes before pushing to version control, fostering an ongoing conversational feedback loop with their code.

Code reviews are one of the last stages in our release pipeline, following rigorous testing and security scanning. With the initial developer having already conducted a self-review, changes reaching the second reviewer are generally robust, often requiring only minor adjustments or "nitpicks." 

We encourage continuous, early feedback through collaboration between engineers. This means that large changes are reviewed by peers frequently throughout the development process. The knowledge sharing part of the code review should ideally be detached from the release process.

Keeping pace with the ever-evolving landscape of security vulnerabilities and industry standards is a significant task. AI code review tools, trained on vast datasets encompassing security best practices, vulnerabilities, and coding standards, are well positioned to suggest improvements and remediations quickly, and they add repeatable, consistent checks for common pitfalls and issues. In contrast, human reviews can be subject to variability, with quality often dependent on the reviewer's seniority. Even highly experienced engineers cannot process the sheer volume of data an LLM can, so AI tools can analyze a broader range of parameters and a larger contextual scope.

How we introduced AI code reviews in a safe and reliable way

Early in our adoption, we integrated GitHub Copilot and Cursor Bugbot into our release process, enabling them to generate change summaries and suggest improvements to changes. This allowed us to operate with both the traditional four-eyes principle and AI code reviews concurrently, providing invaluable data for evaluating the efficacy of AI-driven reviews.

We provide our internal security guidelines as contextual input for the AI agents.

We also conducted a series of evaluations to assess the LLMs' feedback when security issues were intentionally introduced in a safe manner. The results confirmed that the AI tools effectively leveraged both our internal security best practices and external industry standards when doing reviews and suggesting improvements.

After several weeks of dry runs and compiling examples of security issue prevention, we drafted a rationale and presented it to our SOC2 auditor. Our auditor expressed interest and thoroughly assessed the implications of replacing one human reviewer with an AI in our four-eyes principle, particularly regarding future audit compliance. Their feedback confirmed that we could proceed with a pilot program across a few teams, while documenting security issue prevention examples.

Through solid examples and detailed documentation of LLM functionality, we successfully argued that our change tracking management system would, at minimum, maintain its quality in delivering value to end-users, if not improve. And, our long-term strategic bet is on the continuous advancement of AI code review tools, making early adoption crucial for maintaining competitive advantage.

Working with the teams to find a balance and handle risk

Rollout of this new process is being conducted through a phased approach, working directly with development teams to define appropriate use cases for AI code reviews as one of the two "eyes". Initially, we are focusing on small, less complex changes, with a low impact on our end users and security. We are also actively assessing potential risks introduced by this new process on a per-team basis. Periodic reviews of deployed changes are conducted to validate our alignment with the defined scope of changes being deployed without a second human review.

Importantly, all AI-conducted reviews are tracked within our version control system. We must be able to demonstrate that a review report was generated and that appropriate actions were taken. Funnel leverages GitHub for version control and change management. Cursor and GitHub Copilot are integrated to appear as reviewers in the GitHub Pull Requests page, adding feedback and suggestions as comments. These comments are saved, enabling comprehensive tracking for audits. The change creator is required to explicitly acknowledge reading the review report and confirming that appropriate actions have been taken. Any disagreement with AI-generated suggestions requires a clear justification.
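One way to turn the tracking requirement above into a pre-merge audit check, as an added example that is not Funnel's own tooling: given the GitHub API payloads for a pull request's reviews and issue comments (the `user.login`, `state`, `submitted_at`, `created_at` and `body` fields), it confirms that an AI review report was recorded, that the change creator acknowledged it after it was posted, and that a stated disagreement carries a justification. The bot login names and the `/ai-review-ack` marker are assumptions, not values from the page.

```python
from datetime import datetime

# Assumed bot logins for the AI reviewers (placeholders; use your org's real ones).
AI_REVIEWER_LOGINS = {"copilot-pull-request-reviewer[bot]", "cursor[bot]"}
# Assumed marker the change creator posts to confirm the report was read and acted on.
ACK_MARKER = "/ai-review-ack"


def _ts(s):
    # GitHub timestamps look like 2025-09-03T10:51:24Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_pr(author, reviews, comments):
    """Return (ok, reasons). `reviews` and `comments` are lists of dicts shaped
    like the GitHub API objects for PR reviews and issue comments."""
    ai = [r for r in reviews if r["user"]["login"] in AI_REVIEWER_LOGINS]
    if not ai:
        return False, ["no AI review report recorded on the pull request"]
    last_ai = max(_ts(r["submitted_at"]) for r in ai)
    # Only an acknowledgment posted by the PR author *after* the report counts.
    acks = [c for c in comments
            if c["user"]["login"] == author and ACK_MARKER in c["body"]
            and _ts(c["created_at"]) > last_ai]
    if not acks:
        return False, ["change creator has not acknowledged the AI review after it was posted"]
    # Disagreeing with the suggestions needs written justification, not just the marker.
    for c in acks:
        justification = c["body"].replace(ACK_MARKER, "").strip()
        if "disagree" in c["body"].lower() and len(justification) < 40:
            return False, ["disagreement with AI suggestions lacks a justification"]
    return True, []


# Constructed sample payloads (not real pull-request content).
SAMPLE_REVIEWS = [
    {"user": {"login": "copilot-pull-request-reviewer[bot]"}, "state": "COMMENTED",
     "submitted_at": "2025-09-03T10:51:24Z", "body": "Summary and suggestions..."},
]
SAMPLE_COMMENTS_OK = [
    {"user": {"login": "alice"}, "created_at": "2025-09-03T11:02:00Z",
     "body": "/ai-review-ack Applied the input validation suggestion, tests added."},
]
SAMPLE_COMMENTS_EARLY = [  # acknowledged before the report existed: not valid
    {"user": {"login": "alice"}, "created_at": "2025-09-03T10:00:00Z",
     "body": "/ai-review-ack"},
]

if __name__ == "__main__":
    print(check_pr("alice", SAMPLE_REVIEWS, SAMPLE_COMMENTS_OK))
    print(check_pr("alice", SAMPLE_REVIEWS, SAMPLE_COMMENTS_EARLY))
```

A merge gate would fetch the two lists from the pull-request and issue-comment endpoints and block the merge whenever `check_pr` returns `False`, keeping the reasons as audit evidence.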

Actual Outcomes of AI-Driven Code Reviews

By weaving AI code reviews into our change management process, our engineers spend less time on low-impact changes and more time on meaningful, high-value work. This reduces context switching and helps us deliver improvements faster and with higher quality, ultimately driving more value for the company.

During March 2025, 1914 pull requests were merged into production by the whole Funnel development organization. A small pull request takes approximately 10 minutes to review. We expect about 30% of changes to go through AI code reviews with the current phase of adoption. This will free up about 80 development hours per month that can be spent on more motivating activities.

A big productivity tax comes from dropping what you are currently doing and understanding the intent of the new change you are about to review. When the review has been completed, you need to pick up where you left your current work. Average context switching time is generally considered to be between 10 and 20 minutes.

AI code reviews are proving to be a good tool for continuous learning and skill development. Even when a review contains minor inaccuracies, it often provides valuable insights and compels the developer to reflect on their code. Seamless integrations with Integrated Development Environments facilitate a fluid transition between GitHub Pull Requests and edit mode, fostering a more conversational feedback loop.

When AI code reviews are deemed not appropriate as a replacement for a human, they take the role of a copilot: they provide more context about the change by summarizing it and adding walkthroughs, and they provide suggestions and reasoning as part of a report, making it easier and faster for engineers to review code.

Conclusion

The quality of AI-powered code reviews is on an upward trajectory. While we currently exercise caution and do not deploy AI code reviews for all changes due to current limitations in contextual understanding and occasional "hallucinations," this is not a significant impediment. The mandatory requirement for the change creator to read the review and confirm appropriate action mitigates the impact of such instances.

While we can measure the increase in velocity for high-value work, what actually makes us excited is that our engineers spend less time on tedious and boring code reviews, switch their focus to engaging tasks, and feel more strongly that they make a difference for Funnel.

Let’s build something great together. Join us