AI-Assisted Code Review and Quality Assurance: A Comparative Analysis of Code Smell and Security Vulnerability Detection

dc.contributor.author: Saher, Yasmeen
dc.contributor.department: Department of Computing
dc.contributor.faculty: Faculty of Technology
dc.contributor.studysubject: Information and Communication Technology
dc.date.accessioned: 2026-06-29T19:32:12Z
dc.date.issued: 2026-06-17
dc.description.abstract: Code review is a fundamental practice in software engineering for ensuring code quality, maintainability, and security, yet it remains largely manual, time-consuming, and dependent on individual expertise. As software systems increase in size and complexity, traditional review processes and rule-based static analysis tools struggle to maintain consistency and accuracy, often failing to detect deeper design flaws, contextual defects, and complex security vulnerabilities. Advances in artificial intelligence (AI) and machine learning (ML), particularly in natural language processing and deep learning, have introduced new opportunities to enhance code review automation by enabling models to learn from large codebases and historical review data to identify code smells, defects, and security issues beyond the capabilities of traditional approaches. Despite growing interest in these AI-assisted techniques, their effectiveness, reliability, and practical integration into real-world development workflows remain insufficiently explored. This thesis investigates AI-assisted code review tools through a two-part approach. First, a literature review of 26 empirical studies is conducted to identify current research trends, evaluated techniques, and common limitations in AI-based code smell and vulnerability detection. Second, an experimental study is performed using selected Large Language Models (Codex 5.5, GPT-5.5, and Claude Sonnet 4.6) and a static analysis tool (SonarQube) to compare their performance on code smell and security vulnerability detection tasks. To the best of our knowledge, this is the first study to evaluate Codex 5.5 for code smell detection, and one of the first to jointly investigate both code smell and security vulnerability detection within a unified experimental framework.

The results indicate that LLM-based approaches outperform the static analysis tool in terms of accuracy, recall, and F1-score across both code smell and vulnerability detection tasks. However, the study also identifies limitations such as prompt dependency, context window constraints, and non-deterministic model behavior, which may affect the reproducibility and consistency of results.
dc.format.extent: 93
dc.identifier.uri: https://www.utupub.fi/handle/11111/62544
dc.identifier.urn: URN:NBN:fi-fe20260629106091
dc.language.iso: eng
dc.rights: This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
dc.rights.accessrights: open
dc.subject: Code smells
dc.subject: AI-assisted code review
dc.subject: software quality assurance
dc.subject: software defects
dc.subject: security vulnerabilities
dc.subject: large language models
dc.subject: static analysis
dc.title: AI-Assisted Code Review and Quality Assurance: A Comparative Analysis of Code Smell and Security Vulnerability Detection
dc.type.ontasot: Master's thesis

Files

Name: AI_Assisted_Code_Review_Final.pdf
Size: 622.9 KB
Format: Adobe Portable Document Format