Pull requests are the last checkpoint before code ships, and that checkpoint is under more pressure than ever. GitHub's own research found that AI assistants like Copilot now generate close to 46% of code in supported languages, and a 2023 Stanford study of 47 developers found that those who used an AI assistant wrote code that was measurably less secure while feeling more confident about it. At the same time, engineering teams are merging more PRs per day than reviewers can meaningfully read line by line. Vendors have raced to fill the gap with "AI code review" products, and Endor Labs is one of the most visible, pairing its dependency-risk platform with AI-assisted PR analysis. This post breaks down what AI security code review actually means, where tools like Endor Labs help and stop short, and how Safeguard approaches the same problem for teams shipping AI-written code every day.
What Is "AI Code Review Security," Really?
AI code review security is the practice of using machine learning models to flag vulnerabilities, insecure patterns, and risky dependency changes inside a pull request before a human approves it — not a replacement for static analysis, but a layer on top of it. Traditional SAST tools like Semgrep or CodeQL match code against known rule patterns; they're precise but blind to novel logic flaws and context (is this endpoint actually internet-facing? is this input actually user-controlled?). AI code review adds a reasoning layer that reads the diff the way a senior engineer would: tracing data flow across files, checking whether a new dependency changes the trust boundary, and writing a plain-English explanation of why a change is risky. Done well, it cuts the time between "PR opened" and "security finding triaged" from days to minutes. Done poorly, it's a chatbot bolted onto a diff view that hallucinates fixes nobody asked for.
The distinction matters because 2024 and 2025 saw a wave of "AI PR reviewer" launches — GitHub Copilot Autofix (announced at GitHub Universe, October 2023, expanded through 2024), Amazon Q Developer's code review agent, and Endor Labs' own AI-powered review, which the company folded into its platform through 2024 after its $93M Series B in November 2023. All of them promise to catch what static rules miss. Few of them are built to understand supply chain context — the fact that 70-90% of a typical application's code is now open source dependencies, not code your team wrote at all, according to Synopsys's 2024 Open Source Security and Risk Analysis report.
Why Doesn't Traditional SAST Catch What AI-Written Code Introduces?
Traditional SAST doesn't catch AI-written code risk because it was built to scan static rule violations, not to reason about intent, and AI-generated code tends to fail in ways that don't match known bad patterns. A rule engine can flag a hardcoded credential or an obvious SQL string concatenation. It's much weaker at catching a Copilot-suggested function that pulls in a package with a similar name to a popular one (a "slopsquatting" risk that researchers flagged growing through 2024-2025 as LLMs began hallucinating plausible-sounding but nonexistent package names that attackers then registered), or a refactor that quietly removes an authorization check three files away from the line that changed. Socket's research team documented hundreds of hallucinated package names recommended by mainstream coding assistants in testing throughout 2024, some of which were later squatted by malicious actors specifically because models kept suggesting them.
This is the gap AI code review tools are trying to close, and it's also where they most often fall short: understanding a single diff is tractable for an LLM, but understanding whether a diff changes your software's actual attack surface requires knowing your dependency graph, your deployment topology, and your prior findings — context that lives outside the pull request.
How Does Endor Labs Approach AI in the PR Workflow?
Endor Labs approaches AI in the PR workflow primarily through the lens of its core product — open source dependency risk and reachability analysis — with AI review layered on top to explain and prioritize findings. Endor Labs built its name on reachability analysis: determining whether a vulnerable function in a dependency is actually called by your code, which the company has cited as cutting reportable findings by roughly 80-90% compared to naive SCA tools that flag every CVE in the tree regardless of exploitability. Its AI capabilities extend that engine — summarizing why a package is risky, suggesting upgrade paths, and generating PR comments a developer can act on without leaving GitHub or GitLab.
That's a strong story for dependency and open-source risk, which is Endor Labs' founding wedge (the company was founded in 2021 by former Google and Palo Alto Networks engineers and reached unicorn valuation with its November 2023 round). It's a narrower story for first-party code review: teams have reported that Endor Labs' first-party SAST and secrets coverage matured later than its SCA product, and organizations running mixed AI-and-human codebases often still pair it with a separate SAST or code-review layer for logic-level vulnerabilities in code their own engineers (or their own Copilot) wrote. The practical takeaway: reachability-first tools are excellent at telling you which of your 500-plus dependencies actually matter, but that's a different question from "is this specific 40-line diff a new pull request introduces safe to merge."
What Risks Slip Through Purely AI-Driven Review?
Purely AI-driven review still misses supply chain attacks that don't look like bad code at all, because LLMs are trained to evaluate logic, not provenance. The xz-utils backdoor (CVE-2024-3094), discovered by a Microsoft engineer in March 2024 after more than two years of a patient social-engineering campaign to become a trusted maintainer, involved code that passed every plausible review — the malicious payload was hidden in binary test files and a build script, not in a diff an AI reviewer would have flagged as "suspicious logic." Sonatype's 2024 State of the Software Supply Chain report recorded a 156% year-over-year increase in malicious open source packages, the large majority of which are typosquats, dependency confusion attacks, or post-publish package takeovers — none of which show up as a risky pattern inside a pull request's code diff, because the attack happens in the package registry, not in your repository.
AI reviewers are also weak on secrets and identity risk that spans systems: a leaked API key committed in a PR is trivial for a scanner to catch, but a key that's valid, over-scoped, and actually reachable from the internet requires correlating the commit with cloud configuration, which is outside an LLM's context window unless a platform explicitly wires that data in. GitGuardian's 2024 State of Secrets Sprawl report found over 12.7 million secrets exposed in public GitHub commits in 2023 alone, up 28% from the prior year — a volume that outpaces what code-only review, AI or not, can meaningfully triage without inventory and validity context.
Does AI Code Review Actually Reduce Developer Fix Time?
Yes, when it's scoped correctly, AI code review measurably reduces fix time, but the gains come from prioritization and explanation, not from the AI "finding" more vulnerabilities. GitHub reported that Copilot Autofix reduced the time developers spent remediating certain vulnerability classes by roughly 3x in its own benchmarking after general availability in 2024, largely because the tool generates a candidate patch instead of leaving the developer to research the CVE from scratch. The pattern holds across the category: the value isn't a longer list of findings — most engineering teams already have more SAST and SCA alerts than they can process — it's turning a CVE ID and a stack trace into "here's the three-line fix, here's why it's needed, here's the PR comment explaining it to your reviewer."
The risk on the other side is alert fatigue from a new source. If an AI reviewer comments on every PR with speculative, low-confidence findings, developers learn to dismiss it within a few sprints, the same trust erosion that happened with first-generation SAST tools flooding PRs with false positives in the 2015-2020 era. The tools that stick are the ones that suppress noise as aggressively as they surface signal.
How Safeguard Helps
Safeguard was built around the premise that AI security code review only earns developer trust if it's grounded in real context — your actual dependency graph, your actual runtime reachability, and your actual prior findings — not just the diff in front of it. Inside a pull request, Safeguard's AI reviewer reads the change the way Endor Labs' does, but ties every finding back to software supply chain evidence: is this new dependency's maintainer account recently transferred, does this package have a publish history consistent with typosquatting, is the vulnerable function actually reachable from an exposed entry point, and has this exact secret pattern already shown up validated and live elsewhere in your infrastructure. That context is what separates "AI flagged something" from "AI flagged the two things in this 40-file PR that actually matter," and it's why Safeguard's reviews carry an explicit confidence and reachability rationale on every comment instead of a bare severity label.
Safeguard also closes the provenance gap that pure code-diff review can't reach on its own. Because supply chain attacks like the xz backdoor and the wave of malicious npm and PyPI packages Sonatype tracked through 2024 don't announce themselves as bad code, Safeguard correlates PR-level dependency changes against package registry signals — maintainer changes, publish anomalies, known-malicious package databases — before the AI reviewer ever writes a comment, so the review is grounded in what the package is doing, not just what the diff says it does. For secrets, Safeguard checks exposure against live validity and cloud reachability rather than flagging every string that looks credential-shaped, which is the single biggest driver of AI-review fatigue teams report after the first few weeks of adoption.
Finally, Safeguard is built for the SOC 2 and compliance reality most security and platform teams actually live in: every AI-generated finding, every suppression, and every merge decision is logged with the evidence behind it, so the same review that speeds up a Friday-afternoon PR also produces the audit trail a compliance analyst needs six months later. For teams evaluating Endor Labs alongside AI-native alternatives, the question worth asking isn't just "does it review my pull requests" — it's whether the tool understands your software supply chain well enough to know which of those reviews actually matter.