Are Llms Better Suited for PR Reviews Than Full Codebases?

Posted4 months agoActive4 months ago

aaa_2006

4 points

3 comments

Techstory

calmmixed

Debate

20/100

Large Language ModelsStatic AnalysisCode Review

Key topics

Large Language Models

Static Analysis

Code Review

Semgrep recently published an analysis of how LLMs perform at spotting vulnerabilities in code: https://semgrep.dev/blog/2025/finding-vulnerabilities-in-modern-web-apps-using-claude-code-and-openai-codex/

I’ve been thinking about this problem and wanted to share a perspective.

When evaluating LLMs for static analysis, I see four main dimensions: accuracy, coverage, context size, and cost.

On accuracy and coverage, today’s LLMs feel nowhere close to replacing dedicated SAST tools on real-world codebases. They do better on isolated snippets or smaller repos, but once you introduce deep dependency chains, results drop off quickly.

Context size is another bottleneck. Feeding an LLM a repo with millions of lines creates huge problems for reasoning across files, and the runtime gets impractical.

That leads to cost. Running an LLM across a massive codebase can be significantly more expensive than traditional scanners, without obvious ROI.

Where they do shine is at smaller scales — reviewing PRs, surfacing potential issues in context, or even suggesting precise fixes when the input is well-scoped. That seems like the most practical application right now. Whether providers will invest in solving the big scaling problems is still an open question.

Curious how others here think about the trade-offs between LLM-based approaches and existing SAST tools.

Discussion on the suitability of LLMs for code vulnerability detection, with a focus on PR reviews vs full codebases.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

0-1h

Avg / period

Key moments

01Story posted
Sep 5, 2025 at 2:33 PM EDT
4 months ago
Step 01
02First comment
Sep 5, 2025 at 2:39 PM EDT
7m after posting
Step 02
03Peak activity
3 comments in 0-1h
Hottest window of the conversation
Step 03
04Latest activity
Sep 5, 2025 at 2:57 PM EDT
4 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (3 comments)

Showing 3 comments

aafanah

4 months ago

1 reply

Interesting. LLMs are already shining at PR reviews even if they struggle with massive codebases right now. And they are evolving fast enough that those scaling limits might not stay limits much longer.

kogatlas

4 months ago

1 reply

I'd love to see your evidence that "LLMs are already shining at PR reviews". We've used a handful of them here where I work for months now and they are rarely correct, and thus, rarely useful. Instead they tend to just summarize nonsense that wasn't even introduced in that PR, make shit up entirely, or recommend bad fixes to things that would be better solved by being removed entirely.

aafanah

4 months ago

Fair point. I think the bottom line is that it depends a lot on the context and how the prompt is framed. For PRs with small enough scope, I have seen LLMs provide decent value, mostly in surfacing potential issues or offering quick summaries. That said, the Semgrep analysis highlights that accuracy and coverage still fall short even in these narrow cases, so clearly there is still a lot of work to be done before this becomes broadly reliable.

View full discussion on Hacker News

ID: 45141995Type: storyLast synced: 11/17/2025, 10:14:30 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

View on HN