Ruby Code Review with LGTM
AI code review for Ruby: LGTM catches N+1 query patterns, dangerous send + eval calls, missing strong-params on Rails controllers, monkey-patch surprises, and unsafe deserialization.
How LGTM reviews Ruby PRs
Tree-sitter parses .rb files, extracting class, module, method, attr_accessor declarations + the require / require_relative graph. Ruby's open classes mean a 'final' symbol picture isn't always knowable statically — but the indexer captures enough structure to ground the agents.
Per-PR: PageRank ranks symbols related to the diff. The Bugs agent for Ruby focuses on the patterns Ruby's flexibility enables and Ruby developers commonly review for.
Rails specifics: the agents have light pattern-awareness for Rails idioms — controllers, models, views, concerns, migrations. The Best-Practices agent surfaces strong-params issues and 'fat model' warnings.
Common Ruby + Rails bugs LGTM catches
N+1 query patterns. `posts.each { |p| p.author.name }` without `posts.includes(:author)` — classic Rails performance bug. The Performance agent flags loops that call ActiveRecord associations inside.
Dangerous .send / .public_send with user input. `obj.send(params[:method])` lets the caller invoke any method on obj, private ones included; `public_send` narrows that to public methods, which still covers things like `destroy` or `update`. The fix is to treat the input as a lookup key into an explicit allowlist, never as a method name. The Security agent flags these consistently.
Missing strong_params in controllers. `User.create(params)` instead of `User.create(params.require(:user).permit(:name, :email))`: the mass-assignment hole that strong params exist to close. One caveat when triaging: since Rails 4, handing an unpermitted ActionController::Parameters to a model raises ActiveModel::ForbiddenAttributesError rather than silently assigning, so the live form of the bug is usually `permit!`, `to_unsafe_h`, or an attribute hash assembled from params by hand. Flagged by Security agent.
Hardcoded credentials. API keys in source. Standard secret-pattern detection across all languages; Ruby has been an especially noisy source historically (committed config/secrets.yml files, and config/master.key in credentials-based apps).
Monkey-patches without isolation. Reopening Array or String in production code without a Refinement scope. The Best-Practices agent flags these — surface-area changes that affect every other library loaded.
Unsafe deserialization. `Marshal.load(user_input)` is RCE by construction; there is no safe variant. `YAML.load` instantiates arbitrary tagged objects on Psych < 4 (Ruby < 3.1); on Psych 4 it became an alias for `safe_load` and the old behaviour moved to `YAML.unsafe_load`. Call `YAML.safe_load` explicitly so the result does not depend on which Psych is installed. Standard finding.
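The send and deserialization items above, as an added example that is not part of this page or the LGTM product: a dispatcher that lets params pick the method beside an allowlisted one, and YAML.safe_load in place of Marshal.load. Account, dispatch, dispatch_unsafe, ALLOWED_ACTIONS, load_settings and the YAML text are all constructed for illustration.

```ruby
require "yaml"

# Constructed target object. `destroy` is public but not meant to be
# reachable from a request; `reset_password` is private.
class Account
  attr_reader :name

  def initialize(name)
    @name = name
    @destroyed = false
  end

  def greeting
    "hello #{@name}"
  end

  def destroy
    @destroyed = true
  end

  def destroyed?
    @destroyed
  end

  private

  def reset_password
    "new-password"
  end
end

# ❌ Risky: whatever arrives in params names the method. `send` would also
# reach the private reset_password; public_send still reaches destroy.
def dispatch_unsafe(account, params)
  account.public_send(params["method"])
end

# ✅ Hardened: user input is only ever a key into an explicit allowlist.
# Unknown keys are rejected before any method is called.
ALLOWED_ACTIONS = { "greet" => :greeting }.freeze

def dispatch(account, params)
  method_name = ALLOWED_ACTIONS.fetch(params["method"]) do
    raise ArgumentError, "unknown action #{params['method'].inspect}"
  end
  account.public_send(method_name)
end

# ❌ Marshal rebuilds whatever class the payload names, so attacker bytes
# mean attacker-chosen object graphs. There is no hardened Marshal.load;
# switch the format.
def load_settings_unsafe(bytes)
  Marshal.load(bytes)
end

# ✅ safe_load builds only scalars, arrays and hashes plus the classes you
# list; an object tag for anything else raises Psych::DisallowedClass
# instead of instantiating it.
def load_settings(yaml)
  YAML.safe_load(yaml, permitted_classes: [Symbol])
end
```

`respond_to?` checks are not a substitute for the allowlist: they confirm the method exists, which is exactly what the attacker wants.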
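The monkey-patch item above, as an added example (not the page's or LGTM's code): the same String extension written as a refinement, so it is visible only where `using` is declared and nothing else loaded in the process sees it. ShoutRefinement, Report and #shout are assumed names.

```ruby
# ❌ The global form, shown as a comment so this file does not do it:
# every gem loaded after this line sees String#shout, and any gem that
# defines its own #shout silently wins or loses depending on load order.
#
#   class String
#     def shout
#       upcase + "!"
#     end
#   end

# ✅ A refinement: the patch exists, but only takes effect in a scope
# that opts in with `using`.
module ShoutRefinement
  refine String do
    def shout
      upcase + "!"
    end
  end
end

module Report
  using ShoutRefinement # active from here to the end of this module body

  def self.headline(text)
    text.shout # refined method is in lexical scope
  end
end

# Outside a `using` scope core String is untouched.
def shout_outside_scope(text)
  text.shout # NoMethodError: the refinement is not active here
rescue NoMethodError
  nil
end

# respond_to? does not see refinements at all, which is one reason
# refined methods are hard to "discover" from unrelated code.
def refined_globally?
  "x".respond_to?(:shout)
end
```

Refinements cannot be activated inside a method body, only at file, class or module level, which is what keeps the blast radius lexical rather than process-wide.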
Tree-sitter coverage for Ruby
Solid Ruby grammar. Methods, blocks, procs, lambdas, do-end vs braces, hash syntax variations (1.9+ symbol shortcut, rockets) — all parse cleanly.
Rails-specific files (routes.rb, application.rb, migrations) parse as ordinary Ruby. The agents have light heuristics to recognise these — e.g., a routes.rb is interpreted with route-DSL awareness.
Bundler (Gemfile / Gemfile.lock) is parsed for dependency context — what gems are in the project influences what patterns the agents look for (rspec vs minitest, sidekiq vs delayed_job, etc.).
Setup notes for Ruby projects
Install the LGTM GitHub App. Index time: 20-60 seconds for typical Rails apps.
Bundler config is detected. Gemfile groups (development, test) influence which directories get test-bar leniency.
Generated migrations and schema.rb are auto-excluded by the standard exclusion list (or by .lgtmignore for custom paths).
BYOK works the same. Ruby's expressive syntax means smaller diffs vs Java but more potential for ambiguity — review token cost lands similar to JS/Python.
Example bugs LGTM catches
# ❌ Bug: loads each author separately (N queries)
posts = Post.where(published: true)
posts.each do |post|
puts "#{post.title} by #{post.author.name}"
end
# LGTM finding:
# "Loop calls post.author for each iteration — generates N
# separate queries. Add .includes(:author) on the query:
# Post.where(published: true).includes(:author)."

# ❌ Bug: lets attacker promote themselves to admin
class UsersController < ApplicationController
def update
@user = User.find(params[:id])
@user.update(params.require(:user).permit!) # <-- permit! whitelists every key, :role and :admin included
end
end
# LGTM finding:
# "Mass assignment from params. If User has :role or :admin
# fields, attackers can promote themselves. Use strong_params:
# @user.update(user_params)
# with params.require(:user).permit(:name, :email)."
Ruby review FAQs
Rails support level?
Pattern-aware (not framework-tied). The agents recognise Rails idioms (controllers, models, ActiveRecord, strong_params, ActionController) and surface common Rails bugs: N+1 queries, mass assignment without strong_params, scope misuse. It's not a Rails-specific tool, but Rails projects benefit.
RSpec test reviews?
Yes — spec_helper.rb, _spec.rb files reviewed with adjusted bar. The agents understand RSpec idioms (describe/context/it, let, before, expect).
Sorbet / RBS type annotations?
Parse correctly. Repos using Sorbet (.rbi files, T::Sig usage) get richer context. The agents reason about the type signatures when reviewing.
Sidekiq / background job patterns?
The Bugs agent recognises Sidekiq workers and surfaces common issues: argument serialization (ActiveRecord instances, symbols or symbol-keyed hashes passed to perform_async instead of JSON-native ids), missing retries config, and blocking I/O in perform.
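The argument-serialization issue above, as an added example (not the page's or Sidekiq's code). Sidekiq stores job arguments as JSON in Redis, so anything that does not survive a JSON round-trip reaches perform as something else; the check below mirrors that round-trip. User, SyncWorker, enqueueable? and the lookup table are constructed for illustration and stand in for an ActiveRecord model, a worker and the database.

```ruby
require "json"

User = Struct.new(:id, :email)

# Mirrors the idea behind Sidekiq's strict-args check: arguments must come
# back from a JSON round-trip equal to what was enqueued.
def enqueueable?(args)
  JSON.parse(JSON.generate(args)) == args
end

# ❌ Enqueuing the record: it serialises via #to_s, so perform receives
# a String that merely describes the User.
def bad_job_args(user)
  [user]
end

# ✅ Enqueuing the id (JSON-native) and re-fetching inside perform.
def good_job_args(user)
  [user.id]
end

# What the worker process actually sees after the Redis round-trip.
def what_perform_receives(args)
  JSON.parse(JSON.generate(args)).first
end

class SyncWorker
  # Stand-in for the database: id -> record.
  USERS = { 1 => User.new(1, "ann@example.com") }.freeze

  # Stand-in for a Sidekiq worker's perform: takes the id, re-fetches.
  def perform(user_id)
    user = USERS.fetch(user_id)
    user.email
  end
end
```

Symbol-keyed option hashes fail the same check (`{ retry: 3 }` comes back as `{ "retry" => 3 }`), which is why Sidekiq documentation insists on string keys for hash arguments.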
Cost per Ruby review?
$0.04-$0.10 for a 300-line Rails PR on GPT-4o via BYOK. Ruby's expressive syntax means moderate token cost — less than Java, similar to Python.
Related across LGTM
AI code review explained
Multi-agent review tuned for Ruby's flexibility (open classes, monkey-patches).
LLM pipeline explained
How Rails-aware findings flow from agent → synthesizer → PR comment.
CI gate setup
Block bad merges on Rails apps via branch protection + LGTM check.
BYOK on Anthropic
Claude Haiku is the cheapest workable model for Rails review.
Other languages
Python
AI code review for Python: LGTM catches mutable-default-argument bugs, missing await on coroutines, missing type hints on public APIs, unsafe subprocess, and SQL injection — with full repo context.
JavaScript
AI code review for JavaScript: LGTM catches == vs === bugs, missing await on Promises, unhandled rejections, and event-listener cleanup leaks.
TypeScript
AI code review for TypeScript: LGTM catches type-narrowing bugs, unsafe assertions, async race conditions, React stale-closure bugs, and unused exports — across the diff and the wider repo context.
Go
AI code review for Go: LGTM catches ignored errors, shadowed variables in if-bodies, goroutine leaks, missing context.Context plumbing, unsafe nil-pointer derefs, and missing defer cleanup.