GitHub Copilot code review is getting smarter with tool calling, deterministic security checks via CodeQL, and the ability to hand off suggested fixes directly to the Copilot coding agent. These features are in public preview now.
Tool calling for context
The headline feature: Copilot code review now uses agentic tool calling to actively gather context about your codebase instead of guessing from the diff alone.
When reviewing a pull request, it can now read other files, examine directory structure, and understand references. This means feedback is based on how your change fits into the broader project architecture, not just what changed in isolation.
The difference is significant. A code review that only sees the diff might flag a function as unused because it doesn’t appear in the changed files. A code review with tool calling can check if that function is actually referenced elsewhere in the codebase before commenting.
This reduces false positives and makes feedback more specific. Whether it reduces them enough for the feedback to be more helpful than noisy is the open question.
CodeQL and ESLint integration
The second major addition: Copilot code review now combines LLM analysis with deterministic tools like CodeQL and ESLint.
This is GitHub’s differentiator. Other AI code review tools use LLMs alone or with generic static analysis. Only GitHub has CodeQL-powered security and quality insights built directly into AI reviews.
The practical impact: security vulnerabilities and common code quality issues get caught reliably, with consistent explanations. LLM detections are probabilistic: the model might catch something today and miss it tomorrow. CodeQL detections are deterministic: if a query's pattern matches, it fires every time.
Combining both gives you the best of LLM flexibility (contextual feedback on architecture and design) and deterministic tools (reliable detection of known patterns).
Handoff to coding agent
The most interesting workflow change: you can now mention @copilot in a pull request comment, and Copilot will apply suggested fixes in a stacked pull request.
This closes the loop. Code review suggests changes. You approve. Coding agent implements them automatically. You review the implementation and merge.
The question is whether this creates a better workflow or just adds more review cycles. If the coding agent’s fixes are correct, it saves time. If they need refinement, you’re now reviewing two PRs instead of one.
The value depends entirely on how often the coding agent gets the fix right on the first try. GitHub hasn’t published those numbers yet.
What changes in practice
The workflow shift is subtle but meaningful:
Before: AI code review comments on your PR. You manually fix the issues. Push updates. Wait for another review.
After: AI code review comments with full project context. If you agree, you hand it off to the coding agent. It creates a stacked PR with fixes. You review and merge both.
The bottleneck moves from “implementing feedback” to “reviewing AI-generated fixes.” That’s probably a net win if you trust the quality of those fixes.
The trust problem
GitHub is building toward AI handling more of the development loop: writing code, reviewing it, fixing issues, checking quality. That’s powerful if the AI is reliable.
But code review is where you catch mistakes. If your code reviewer is AI, and your code fixer is also AI, where does human verification happen?
The answer is supposed to be: you review what the AI suggests before merging. But the more automated the loop becomes, the easier it is to approve changes without deep inspection.
This isn’t a criticism of GitHub’s features. It’s a question about how developers adapt to workflows where AI does most of the work and humans mostly approve.
Bottom line
Copilot code review with tool calling and CodeQL integration is available now in public preview for Copilot Pro and Copilot Pro Plus users. Business and Enterprise customers can opt in via policies.
The features are technically solid. Tool calling makes reviews more accurate. CodeQL integration adds reliability. The coding agent handoff closes the feedback loop.
Whether this becomes a trusted part of your workflow or just another notification stream depends on how well it balances signal and noise. Good AI code review should catch real issues without overwhelming you with false positives.
The early signs are promising. But the real test is whether teams start treating Copilot code review feedback as seriously as feedback from senior engineers — or whether they learn to ignore it.
Learn more: Check the GitHub Copilot code review announcement for setup instructions and feature details.