Codex Code Review Workflow: Catch Bugs Before Human PR Review

Set up OpenAI Codex as a pre-reviewer with the /review command, @codex review on GitHub, and AGENTS.md guidelines that produce P0/P1 findings.

Most pull requests bounce off human review for the same three reasons: missing tests, broken team conventions, and accidental side effects. OpenAI’s Codex now ships a purpose-built reviewer that catches all three before a human ever opens the diff — but only if you brief it with your team’s actual rules instead of letting it fall back on internet-average advice. This guide covers the exact /review command in the Codex CLI, the @codex review trigger on GitHub, and the AGENTS.md review-guidelines block that turns Codex from a vibe-checker into a reviewer that posts cited P0/P1 findings.

TL;DR

  • Codex has a dedicated code reviewer (separate from the coding agent) that reads a diff and reports prioritized findings without touching your working tree.
  • Run it locally with the CLI /review command, or on GitHub by commenting @codex review on a pull request. As of June 2026, Codex is powered by GPT-5.5-Codex and is included in ChatGPT Plus ($20/mo), Pro, and Business ($30/user/mo) — there is no standalone Codex subscription.
  • On GitHub, Codex posts only P0 and P1 issues so the PR thread stays focused on real risks, not nits.
  • It honors a ## Review guidelines section in your top-level AGENTS.md, applying the nearest AGENTS.md to each changed file.
  • Treat it as the pre-pass, not the verdict: Codex catches convention drift and missing tests reliably; a human still owns business-logic judgment.

Who this is for

Engineering teams doing PR-based work, solo developers with no second reviewer, and tech leads who keep receiving PRs that “compile but feel wrong.” It is most valuable in fast-moving codebases where conventions have drifted and nobody has written them down.

When to skip it: trivial PRs under ~20 lines, where the round-trip costs more than it saves, and production hotfixes where speed outweighs thoroughness.

How Codex review actually works

Codex’s reviewer is trained specifically to catch high-severity flaws, and it differs from a linter in three ways:

  • It matches the stated intent of the PR (title, description, commit message) against the actual diff, so it flags changes that quietly do more than the PR claims.
  • It reasons over the surrounding codebase and dependencies, not just the changed lines, which is how it spots regressions in callers you forgot about.
  • It surfaces three concrete categories by default: regressions, missing tests, and documentation gaps.

In GitHub it deliberately reports only P0/P1 findings. Locally, the CLI reviewer returns prioritized findings and never edits your files — each review is its own turn in the transcript, so you can re-run it as the code evolves and diff the feedback.

Before you start

  1. Write or update a top-level AGENTS.md with a ## Review guidelines section listing your team’s real rules: naming, error handling, “never log PII,” “auth middleware wraps every route.” Codex applies the closest AGENTS.md to each changed file, so package-level files can add stricter rules deeper in the tree.
  2. Make sure CI is green on the base branch. Codex inherits a broken baseline as noise.
  3. Decide what “blocking” means for your team. Codex assigns P0/P1, but your taste makes the final call.

A minimal AGENTS.md block looks like this:

## Review guidelines

- Never log PII or secrets; flag any new logger call that touches user objects.
- Every new HTTP route must be wrapped by the auth middleware in src/middleware/auth.ts.
- New public functions require a unit test and a JSDoc block.
- Prefer Result<T, E> over throwing in the services/ layer.

Path A — review locally with the CLI /review command

Inside an interactive Codex CLI session, type /review. It launches the dedicated reviewer with four preset modes:

ModeWhat it reviewsUse it when
Review against a base branchMerge-base diff vs. upstreamRight before you open a PR
Review uncommitted changesStaged + unstaged + untrackedCatch issues before you commit
Review a commitThe exact change set for a SHA you pick from the listAuditing a specific commit
Custom review instructionsSame reviewer, your focus prompt”Focus on accessibility regressions”

By default the reviewer uses your current session model. To pin a stronger model just for reviews, set review_model in ~/.codex/config.toml:

review_model = "gpt-5.5-codex"

The reviewer reports prioritized, actionable findings and does not modify your working tree, so you can run it freely without fear of unwanted edits.

Path B — review on GitHub with @codex review

  1. Connect Codex cloud to your repo, then open the Codex code-review settings and enable the Code review toggle for that repository.
  2. On any PR, comment @codex review. Codex reacts with 👀 and posts a standard GitHub code review with inline comments.
  3. To scope a single run, add context in the comment: @codex review for security regressions.
  4. To run on every new PR automatically, turn on Automatic reviews in settings — no comment needed.
  5. When Codex flags something, ask it to fix it in a follow-up comment: @codex fix the P1 issue. That spins up a cloud task that updates the PR.

Because GitHub reviews are limited to P0/P1, you will not get a 40-item nit wall on the PR thread; tighten the rest with your AGENTS.md guidelines.

The human handoff

  1. Run Codex first (CLI or GitHub). Triage every finding yourself — disagree with anything that conflicts with your context. The P0/P1 labels make disagreements explicit instead of buried in prose.
  2. Fix accepted P0/P1 items before requesting human review. Annotate the ones you are intentionally leaving.
  3. When tests are missing, ask Codex directly: “For the change in auth.ts, propose 3 unit tests: invalid token, expired token, missing claims.” Implement what is reasonable; do not let it merge fixes unreviewed.
  4. Hand off to your human reviewer with a one-line note: “Pre-reviewed by Codex; outstanding follow-ups in PR comments.” It saves their time and signals you read the diff yourself.

First-run calibration

Run Codex on a PR that already merged, then compare its findings to what the human reviewer actually wrote. The overlap is what Codex catches reliably. The gaps are instructive in both directions: Codex tends to miss subtle business-logic bugs that need product context, while humans miss tedious convention drift. If Codex missed something obvious, that rule is missing from your AGENTS.md — add it. After two or three calibration runs you will know exactly how much to trust each priority level.

Common mistakes

  • Treating the Codex review as final. It misses business-logic bugs only a human with context catches. Pre-pass, not verdict.
  • Skipping human review entirely. Codex is the cheap first filter, not the decision-maker.
  • No AGENTS.md review guidelines. Without them Codex applies generic advice that can contradict your team’s actual choices.
  • Letting Codex propose and merge fixes unreviewed. Findings and proposed patches are fine; autonomous merges are not.
  • Ignoring lint and types because “Codex covers it.” Lint and type checks catch syntax-level issues cheaply; Codex catches convention and logic. Run both.
  • Never clearing the backlog. Even with P0/P1-only on GitHub, batch the lower-priority cleanup quarterly or it becomes tech debt.

FAQ

  • How long does a Codex review take?: Typically 2-10 minutes for a normal PR, scaling with diff size and how much surrounding code it reasons over.
  • What does it cost?: As of June 2026 Codex is bundled with ChatGPT Plus ($20/mo), Pro, and Business ($30/user/mo) — no standalone plan. On April 2, 2026 OpenAI moved Codex from per-message to token-based credits, so heavy review automation draws down credits like API usage.
  • Does it replace lint and type checks?: No. Those catch syntax-level issues; the Codex reviewer catches convention and logic issues. Keep both in CI.
  • Can it review a draft PR?: Yes, and it often should. Earlier feedback is cheaper than rework after the diff grows.
  • Why does it only report P0/P1 on GitHub?: By design, to keep PR threads focused on high-priority risk instead of style nits. Push lower-severity preferences into your AGENTS.md guidelines.
  • What model powers the review?: GPT-5.5-Codex by default; override per-run with review_model in config.toml if you want a different model for reviews than for coding.

Tags: #AI coding #Tutorial #Codex