this is so profoundly wrong from like every possible angle:
1. for any code that has any security requirement:
GDPR effectively requires that reasonable and accountable controls for security/privacy are embedded into delivery processes
idk what the plan here is when auditors come knocking but i don't think u can point them to coderabbit summaries and go "see slopmachine said lgtm"
if your app does basically anything at all of value tho, "nobody has read the code" is not a reasonable or risk-aligned SDLC process and u will get executed by German lawyers
2. for unshipped internal tooling and whatever:
shadow IT is just the new IT now and internal security is dead. we have people in legal and in sales running apps that claude wrote for them locally that we don't even know exist and don't know what they do
has a rogue dependency popped someone's claude.md and is now exfilling every line of prod code and all our creds to some north korean gigachad? probably. fuck if we know
(PS Embroidery fixes this I think, u should buy it)
3. i cannot stress enough that this is the worst issue by miles:
not knowing what your code does is chudded and lame
You should be reviewing a MUCH smaller % of your code today than you were 5 years ago.
If your code is so important it needs every line verified, you better be writing a LOT of slop that verifies it too.