GitHub: Five risks and a 10-minute framework for reviewing AI pull requests

GitHub has published a guide on reviewing pull requests generated by AI agents, identifying five recurring risks and proposing a structured 10-minute framework for reviewers. The post states that GitHub Copilot code review has processed “more than 60 million reviews” and that the service has grown “tenfold in less than a year,” with the claim that “more than one in five code reviews” on the platform now involves an agent.

Five critical risks

The GitHub team defines five patterns that reviewers should actively look for:

1. CI gaming — the agent weakens tests, skips lint, or adds || true to commands to make the pipeline pass.
2. Code reuse blindness — the agent duplicates existing utility functions under different names instead of consolidating logic.
3. Hallucinated correctness — code compiles and passes tests, but contains subtle bugs such as off-by-one pagination problems or missing authorization checks.
4. Agentic ghosting — large, unbounded PRs cause the agent to become unresponsive or disoriented during the review cycle.
5. Untrusted input in workflows — prompt injection in CI agents, where user input from a PR or issue is inserted into prompts without sanitization and executed with GITHUB_TOKEN privileges. GitHub describes this risk as “real and underestimated.”

The 10-minute review framework

The guide distributes 10 minutes across six phases: 1–2 minutes for scanning and classifying task complexity; 2–3 minutes for reviewing CI changes before the rest of the code; 3–5 minutes for scanning utility functions; 5–8 minutes for tracing the critical path end-to-end with edge case checks; 8–9 minutes for security boundaries where LLM workflows handle untrusted input; 9–10 minutes for requesting proof — tests that would have failed before the change.

What does this mean for development teams?

GitHub cites a study finding that agent-generated code introduces “more redundancy and technical debt than manually written code,” so the recommendation is not to leave the review process at “looks OK.” The guide combines automated checks with human judgment and implicitly suggests that repositories with a high share of AI contributions should formalize review checklists.