Structural PR Analysis That Makes AI Review Better
20 quality checks in 5 seconds. Zero tokens. CKB tells your AI reviewer which ~10 files to read instead of all 133 — cutting tokens by 48% while CKB and the AI together surface 8x more issues.
The Problem: AI Code Review Doesn't Scale
When your AI assistant reviews a PR, it reads files to answer basic questions: any secrets? which files are risky? what's untested? what broke?
On a 50-file PR, that's ~100K tokens. On a 600-file PR, that's 500K+ tokens. Most of those tokens are spent computing things that don't need an LLM — churn history, reference counting, API diffing, pattern matching.
CKB pre-computes all of that in 5 seconds for 0 tokens. Your AI assistant calls CKB once, gets structured answers to 20 questions, then only reads the files that actually need semantic review.
Measured on a Real 133-File PR
| Approach | Files Read | Tokens | Findings |
|---|---|---|---|
| AI reviews alone (133 files) | 37 | 87,336 | 4 |
| CKB + AI review | ~10 | 45,784 | 33 |
| CKB only (no AI) | 0 | 0 | 31 |
48% fewer tokens. 8x more findings. 15.7x more efficient per finding.
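Those headline ratios follow directly from the table; a quick derivation in Python, using the numbers measured above:

```python
# Benchmark numbers from the table above (133-file PR).
ai_tokens, ai_findings = 87_336, 4      # AI reviews alone
ckb_tokens, ckb_findings = 45_784, 33   # CKB + AI review

token_reduction = 1 - ckb_tokens / ai_tokens                  # ~0.48
finding_ratio = ckb_findings / ai_findings                    # 8.25
tokens_per_finding_ai = ai_tokens / ai_findings               # 21,834
tokens_per_finding_ckb = ckb_tokens / ckb_findings            # ~1,387
efficiency = tokens_per_finding_ai / tokens_per_finding_ckb   # ~15.7

print(f"{token_reduction:.0%} fewer tokens, "
      f"{finding_ratio:.2g}x more findings, "
      f"{efficiency:.1f}x more efficient per finding")
```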
What CKB Computes (0 Tokens)
These questions have deterministic answers that don't need an LLM. CKB answers all of them using SCIP indexes, tree-sitter, and git history.
| Question | How CKB Answers | LLM Cost to Answer Itself |
|---|---|---|
| Any leaked secrets? | Pattern + entropy scan, all files | ~160K tokens |
| Any breaking API changes? | SCIP index comparison | ~200K tokens |
| Which files are riskiest? | Git churn history, ranked | Impossible |
| Which functions lack tests? | Tree-sitter + coverage cross-ref | ~80K tokens |
| Complexity delta? | Tree-sitter AST analysis | ~100K tokens |
| Is there dead code? | SCIP reference counting + grep | ~200K tokens |
| Should this PR be split? | Module boundary clustering | ~50K tokens |
| Which files change together? | Git co-change analysis | Impossible |
Total: CKB answers in ~1K tokens what would cost an LLM ~790K tokens to compute from source. Two of these questions (churn history, co-change patterns) are impossible for an LLM without git access.
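For illustration, here is what a pattern-plus-entropy secret scan can look like in miniature. This is a hypothetical Python sketch, not CKB's actual rules or thresholds; the key prefixes and the entropy cutoff are assumptions:

```python
import math
import re

def shannon_entropy(s: str) -> float:
    """Bits per character; high-entropy strings look like keys or tokens."""
    if not s:
        return 0.0
    freq = {c: s.count(c) / len(s) for c in set(s)}
    return -sum(p * math.log2(p) for p in freq.values())

# Known credential prefixes (illustrative subset) plus a length guard.
KEY_PATTERN = re.compile(r'(?:AKIA|sk-|ghp_)[A-Za-z0-9_\-]{16,}')

def looks_like_secret(line: str) -> bool:
    # Signal 1: matches a known key shape.
    if KEY_PATTERN.search(line):
        return True
    # Signal 2: any long token with high entropy (threshold assumed).
    return any(len(tok) >= 24 and shannon_entropy(tok) > 4.0
               for tok in re.findall(r'[A-Za-z0-9+/=_\-]{24,}', line))
```

Because both signals are pure string analysis, the scan costs zero LLM tokens regardless of how many files it covers.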
How It Works
CKB Analyzes
20 checks run in parallel using SCIP indexes, tree-sitter, and git history. Zero tokens. 5 seconds for 133 files.
AI Skips Clean
CKB confirms that the secrets, breaking, dead-code, and health checks all pass. The AI skips those categories entirely — zero tokens spent verifying.
AI Reads Flagged Files
CKB points to hotspots, test gaps, and bug patterns. The AI reads ~10 files instead of 133 — finding bugs it would have missed.
Drill Down via MCP
findReferences, analyzeImpact, explainSymbol — 80+ tools answer follow-up questions without reading source.
What You Get
CKB Review: WARN · 133 files · 19,200 lines
========================================================
Changes 133 files across 32 modules (go). 8 new bug
pattern(s); 1 co-changed file missing. Consider splitting
into 32 smaller PRs.
Checks:
⚠ bug-patterns 8 new bug pattern(s) (31 pre-existing filtered)
⚠ coupling 1 co-changed file missing
⚠ risk Risk score: 1.00 (high)
⚠ split 32 independent clusters
○ test-gaps 16 untested functions (top 10 shown)
○ hotspots 50 hotspot files (top 10 shown)
✓ secrets · breaking · dead-code · health · tests · complexity
· format-consistency · comment-drift
Top Findings:
⚠ review.go:267 err shadowed (outer error lost)
⚠ setup.go:215 err shadowed (non-fatal)
⚠ diff.go +11 cyclomatic in GetCommitRangeDiff()
⚠ pr.go +13 cyclomatic in SummarizePR()
... and 27 more findings
Code Health: 0 degraded · 8 new (avg 82)
Estimated Review: ~3 hours (133 files, 19K lines)
Reviewers: talantyyr (9%) · lisa.welsch (9%)

20 checks, 5.2 seconds, 0 tokens, 0 API calls. Compact mode (~1K tokens) gives AI assistants exactly what they need for triage.
20 Quality Checks
All checks run concurrently. Tree-sitter calls are serialized via a mutex; git subprocess work overlaps with static analysis. 8 checks work without SCIP indexing; add ckb index for the full 20.
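A minimal sketch of that scheduling model (illustrative Python, not CKB's internals): checks fan out to a pool, and only the tree-sitter-backed work takes a shared lock.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

ts_lock = threading.Lock()  # serialize tree-sitter calls; everything else overlaps

def complexity_check(files):
    with ts_lock:                       # AST work runs one at a time
        return ("complexity", len(files))

def coupling_check(files):
    return ("coupling", len(files))     # git subprocess work needs no lock

def run_checks(files):
    """Run all checks concurrently and collect their results."""
    checks = [complexity_check, coupling_check]
    with ThreadPoolExecutor() as pool:
        return dict(pool.map(lambda check: check(files), checks))
```

With this shape, wall-clock time approaches the slowest single check rather than the sum of all of them.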
| Check | What It Does | Gate | SCIP |
|---|---|---|---|
| breaking | SCIP-based breaking API change detection | fail | required |
| secrets | Credential and secret scanning | fail | no |
| critical | Safety-critical path enforcement | fail | no |
| complexity | Cyclomatic/cognitive delta (tree-sitter) | warn | no |
| health | 8-factor weighted code health score | warn | no |
| coupling | Missing co-changed files from git history | warn | no |
| risk | Multi-factor risk score | warn | no |
| dead-code | Unreferenced symbols in changed files | warn | required |
| blast-radius | High fan-out detection via SCIP caller graph | warn | required |
| bug-patterns | High-confidence Go AST bug detection (10 rules) | warn | no |
| comment-drift | Numeric constant vs comment mismatch detection | info | no |
| format-consistency | Cross-formatter output consistency validation | info | no |
| test-gaps | Untested functions above complexity threshold | info | no |
| hotspots | Overlap with volatile/high-churn files | info | no |
| tests | Affected test coverage | warn | no |
| traceability | Commit-to-ticket linkage | warn | no |
| independence | Author != reviewer enforcement | warn | no |
| generated | Generated file detection and exclusion | info | no |
| classify | Change classification (new/refactor/moved) | info | no |
| split | Large PR split suggestion with clusters | warn | no |
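Of these, comment-drift is perhaps the least familiar check. The core idea can be sketched as follows (hypothetical Python, far simpler than CKB's actual rule):

```python
import re

def comment_drift(line: str):
    """Flag a line where a numeric constant disagrees with its trailing comment.

    Returns (code_value, comment_value) on a mismatch, None otherwise.
    Illustrative only: real drift detection needs units, ranges, and context.
    """
    m = re.match(r'.*?=\s*(\d+).*?(?://|#)\s*.*?(\d+)', line)
    if m and m.group(1) != m.group(2):
        return (int(m.group(1)), int(m.group(2)))
    return None
```

The check is `info`-level because a mismatch is often a stale comment rather than a bug, but either way it is worth a human glance.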
Benchmark Data
All numbers from real measurements on a production PR (133 files, 19,200 lines, 37 commits).
Check Execution Times (133-file PR)
| Check | Time | What It Does |
|---|---|---|
| complexity | 1.8s | Tree-sitter cyclomatic/cognitive analysis |
| coupling | 1.8s | Git co-change analysis across history |
| tests | 0.9s | SCIP + heuristic test coverage mapping |
| health | 0.9s | 8-factor weighted health score per file |
| bug-patterns | 0.9s | 10 AST rules with differential filtering |
| dead-code | 0.8s | SCIP reference count + grep verification |
| blast-radius | 0.7s | SCIP caller graph traversal |
| secrets | 0.4s | Pattern + entropy scanning |
| breaking | 39ms | SCIP API surface comparison |
| risk + split + hotspots | <1ms | Pre-computed scores |
Total wall clock: 5.2s (parallel execution).
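The coupling check's git co-change analysis can be approximated like this (illustrative Python over per-commit file lists, e.g. parsed from `git log --name-only`; the `min_support` threshold is an assumption):

```python
from collections import Counter
from itertools import combinations

def co_change_counts(commits):
    """Count how often each unordered file pair appears in the same commit."""
    pairs = Counter()
    for files in commits:
        pairs.update(combinations(sorted(set(files)), 2))
    return pairs

def missing_partners(changed, commits, min_support=3):
    """Files historically coupled to the change set but absent from it."""
    pairs = co_change_counts(commits)
    changed, missing = set(changed), set()
    for (a, b), n in pairs.items():
        if n >= min_support:
            if a in changed and b not in changed:
                missing.add(b)
            elif b in changed and a not in changed:
                missing.add(a)
    return missing
```

This is also why the table above calls co-change analysis "impossible" for an LLM alone: the signal lives in commit history, not in the diff.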
Cost Comparison (Claude Sonnet 4 pricing)
| PR Size | Without CKB | With CKB | Savings |
|---|---|---|---|
| 10 files | $0.09 | $0.08 | 10% |
| 100 files | $0.68 | $0.20 | 70% |
| 600 files | $1.65 | $0.32 | 80% |
| CKB only | — | $0.00 | 100% |
CKB alone (no AI) costs $0 and still produces 20-30 findings. Value scales with PR size.
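The dollar figures reduce to a linear token model. A sketch (the per-million-token price below is an assumption for illustration, and output tokens are ignored):

```python
PRICE_PER_MTOK = 3.00  # assumed input price, $ per 1M tokens

def review_cost(tokens: int) -> float:
    """Linear cost of the tokens the reviewer actually reads."""
    return tokens / 1_000_000 * PRICE_PER_MTOK

def savings(tokens_without: int, tokens_with: int) -> float:
    """Relative savings; depends only on the token ratio, not the price."""
    return 1 - review_cost(tokens_with) / review_cost(tokens_without)
```

Because savings depend only on the ratio of tokens read, the percentage column holds under any model pricing.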
| Output | Size | Tokens |
|---|---|---|
| Full JSON | 120 KB | ~30K |
| Compact JSON | 4 KB | ~1K |
| Human text | 2 KB | ~500 |
| Markdown | 3 KB | ~750 |
Flexible Invocation
# Full PR review
ckb review --base=main

# Staged changes only (pre-commit)
ckb review --staged

# Scope to a directory
ckb review internal/auth/

# Scope to a symbol
ckb review --scope=AuthMiddleware

# Specific checks only
ckb review --checks=breaking,secrets,bug-patterns

# CI mode (exit codes: 0=pass, 1=fail, 2=warn)
ckb review --ci --format=sarif

# Post as PR comment
ckb review --base=main --post=123

# Via MCP (any AI tool)
reviewPR(baseBranch: "main", compact: true)
Scope Filtering
Pass a path prefix or symbol name to narrow the review. Only files matching the scope are analyzed.
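Path-prefix scoping reduces to a simple prefix test (illustrative Python; CKB's symbol scoping additionally consults the SCIP index):

```python
def in_scope(path: str, scope: str) -> bool:
    """True if path equals the scope or sits under the scope directory."""
    prefix = scope.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")
```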
Staged Mode
Review what you're about to commit, not the whole branch. Use as a pre-commit quality gate.
Reviewer Routing
Suggests reviewers by expertise area, with coverage percentages and author-conflict detection.
7 Output Formats
| Format | Flag | Description |
|---|---|---|
| Human | --format=human | Terminal output with collapsed passes and grouped findings |
| JSON | --format=json | Machine-readable for CI pipelines and AI triage |
| Markdown | --format=markdown | PR comment-ready with tables and collapsible sections |
| GitHub Actions | --format=github-actions | Inline annotations in the PR diff view |
| SARIF | --format=sarif | GitHub/GitLab Code Scanning integration |
| CodeClimate | --format=codeclimate | GitLab Code Quality widget |
| Compliance | --format=compliance | Audit trail for IEC 61508, ISO 26262 |
CI Integration
GitHub Actions
- uses: actions/checkout@v4
  with:
    fetch-depth: 0
- name: CKB Review
  run: |
    npx @tastehub/ckb review \
      --base=${{ github.event.pull_request.base.ref }} \
      --ci --format=sarif > review.sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: review.sarif

Zero cost. No API keys. No cloud. Runs in your CI runner in 5 seconds.
What CI Gets (Without SCIP)
- secrets, complexity, health, coupling, hotspots, risk, bug-patterns, split — all work without indexing
- Posts PR comment, emits inline annotations, uploads SARIF
- Exits with verdict-based code (0/1/2) for branch protection
- Add ckb index for breaking, dead-code, blast-radius (SCIP required)
GitLab CI
Use --format=codeclimate for GitLab Code Quality widget integration.
Performance
- Small PR (2 files): ~500ms
- Medium PR (30 files): ~2s
- Large PR (133 files, 19K lines): 5.2s
Parallel check execution, batched git operations, cached hotspot scores, and mutex-based tree-sitter scheduling keep the total wall clock low. The bottlenecks are tree-sitter complexity analysis (~1.8s) and git coupling analysis (~1.8s).
What It Does — and Doesn't
CKB Review is a structural pre-filter, not a replacement for code review. It tells your AI reviewer where the problems are. Finding what the problems are still requires reading the code.
Reliably catches
- Breaking API changes (SCIP static analysis)
- Exposed credentials and secrets
- Complexity spikes and health degradations
- Coupling gaps — files that should change together
- Dead code and untested functions in the diff
- Bug patterns: defer-in-loop, unchecked type assertions, shadowed errors, and 7 more (AST-based)
- Comment/code numeric drift (e.g., comment says 256 but code says 512)
- PR shape: clusters, risk distribution, which files are dangerous
Does not catch
- Semantic logic bugs — code that compiles but does the wrong thing
- Architectural design issues or missing abstractions
- Missing test edge cases (detects untested functions, not missing scenarios)
Validated on a real 19K-line, 133-file PR
Without CKB, the AI read 37 files and found 4 issues. With CKB, it read ~10 files and found 33 — including a deadlock bug in an untested function that CKB's test-gap data pointed it to. CKB didn't find that bug directly, but its triage reduced the search space by 73% while finding 8x more issues. Current false positive rate: 0% (0 of 31 CKB findings).
Ready to review smarter?
One command. 20 checks. Zero tokens. Free forever. Works with GitHub Actions, GitLab CI, Claude Code, Cursor, Windsurf, and any MCP-compatible tool.
npm install -g @tastehub/ckb
ckb setup --tool=claude-code