The Code Review Agent Benchmark: What CR-bench Reveals and How to Configure Codex CLI for Higher-Quality Reviews

Every team that has enabled automated code review — whether through Codex’s GitHub integration, Claude Code, Devin, or the open-source PR-Agent — has wondered the same thing: how good are these reviews, really? In March 2026, researchers at the National University of Singapore published CR-bench, the first rigorous executable benchmark for code review agents ¹. The results are sobering: the four agents tested, taken together, pass only 41.5% of the benchmark’s tests. Codex scored 20.1% out of the box.

That number deserves context rather than alarm. The benchmark’s own analysis shows that 84% of agent-generated review comments are genuinely useful ¹ — the low pass rate reflects a mismatch in what agents look at, not an inability to find real issues. This article unpacks the CR-bench methodology, examines where Codex’s review capabilities excel and where they fall short, and provides concrete configuration patterns to close the gap.

How CR-bench Works

Traditional evaluations of code review agents rely on textual similarity: does the agent’s comment match the human reviewer’s wording? This approach is fundamentally flawed. The CR-bench authors demonstrate that an agent can identify the same bug with completely different phrasing, score near zero on n-gram metrics, yet still enable a correct fix ¹.

CR-bench replaces textual similarity with executable tests. The pipeline has four stages:

flowchart LR
    A[Human PR Reviews] --> B[LLM Classification & Filtering]
    B --> C[Docker Environment Construction]
    C --> D[Test Generation from Review Comments]
    D --> E[Validation: Can Agent Fix Code Using Review?]

Review filtering — An LLM classifier selects actionable review comments from real pull requests, calibrated against 100 manually annotated examples ¹.
Environment construction — Each PR is reproduced in a Docker container with full dependency installation.
Test generation — Natural-language review comments are converted into executable tests through execution-guided refinement.
Validation — A coding agent attempts to revise the code using the generated review feedback. If the test passes, the review successfully identified an actionable issue.

The resulting dataset, c-CRAB, contains tests derived from real-world pull requests across multiple open-source repositories ¹.

The Scoreboard

Agent	Pass Rate	Strengths	Weaknesses
Claude Code	32.1%	Broadest coverage	Suggests alternative fixes to what humans intended
Devin	24.8%	Good at robustness issues	Misses design concerns
PR-Agent	23.1%	Consistent on functional correctness	Limited context awareness
Codex	20.1%	Strong on edge cases and robustness	Under-reports maintainability, documentation
All four combined	41.5%	—	—

Source: Zhang et al., CR-bench ¹

The combined score of 41.5% tells us something crucial: these agents find different things. There is remarkably little overlap between the issues each tool flags ¹. This has direct implications for configuration — the goal is not to replace human review but to maximise the unique value an agent brings to the review cycle.

Where Codex Reviews Excel

CR-bench categorises review comments into six types. Codex’s review engine — the same one powering @codex review on GitHub PRs and the /review slash command in the CLI ² — performs strongest in two areas:

Robustness and Edge Cases

Codex generates significantly more robustness-related comments than human reviewers ¹. It catches unsafe indexing, missing null checks, unhandled error paths, and boundary conditions that humans routinely overlook during review. In the benchmark’s concrete example, a human flagged unsafe nested indexing (keyboard[0][0] before validation), and Codex identified the same issue independently, albeit with different wording ¹.

Functional Correctness

When the logic is simply wrong — an off-by-one error, an inverted condition, a missing return — Codex catches it reliably. This aligns with the model’s training on code generation and bug-fixing tasks ³.

Where Codex Reviews Fall Short

Maintainability and Design (7.9%–27.0% Pass Rate)

This is the largest gap. Codex under-reports concerns about API design, abstraction boundaries, naming consistency, and architectural coherence ¹. These are precisely the review comments that require deep repository context — the kind of knowledge a long-tenured maintainer carries implicitly.

Documentation

Agents produce substantially fewer documentation-related comments than humans ¹. Missing docstrings, outdated README sections, and changelog omissions slip through.

Repository-Specific Conventions

Domain-specific patterns — naming schemes, import ordering preferences, commit message formats, test file organisation — are invisible to the model unless explicitly documented ¹. This is the most actionable gap for Codex CLI users.

Closing the Gap: Practical Codex CLI Configuration

The CR-bench findings map directly onto Codex CLI’s configuration surface. The benchmark’s recommendation to “integrate repository context” through architecture notes and style guides ¹ is precisely what AGENTS.md was designed for ⁴.

1. Write Review-Specific AGENTS.md Sections

Create a dedicated review guidelines section in your project’s AGENTS.md:

## Review Guidelines

### Priority Classification
- **P0**: Security vulnerabilities, data loss risks, authentication bypasses
- **P1**: Logic errors, race conditions, missing error handling, API contract violations
- **P2**: Naming inconsistencies, missing tests for new code paths, documentation gaps
- **P3**: Style nits, formatting, minor readability improvements

### Repository Conventions
- All public API methods require JSDoc with @param and @returns
- Error handling: use Result<T, AppError> — never unwrap() in library code
- Test files mirror source structure: src/foo/bar.ts → tests/foo/bar.test.ts
- Imports: stdlib first, then external deps, then internal — separated by blank lines

### Design Review Checklist
- Does this change respect existing abstraction boundaries?
- Are new public interfaces minimal and consistent with adjacent APIs?
- Could this be achieved with less surface area?

This directly addresses the maintainability and convention gaps that CR-bench identified. Codex applies guidance from the closest AGENTS.md to each changed file, so place more specific instructions deeper in the tree when particular packages need extra scrutiny ².

2. Create a Dedicated code_review.md

For teams with extensive review standards, extract them into a separate file and reference it from AGENTS.md:

## Review
See [code_review.md](./code_review.md) for full review guidelines.

This keeps AGENTS.md manageable while giving the review context room to be comprehensive ⁵.

3. Use Custom /review Instructions

The /review slash command in Codex CLI accepts custom focus instructions ⁵:

/review Focus on API design consistency and documentation completeness

For GitHub PR reviews, append context to the trigger:

@codex review for maintainability regressions and naming consistency

This steers the model towards the exact categories where CR-bench showed agents under-perform.

4. Layer a PostToolUse Hook for Documentation Checks

CR-bench found agents miss documentation gaps. A PostToolUse hook can enforce documentation standards automatically:

# .codex/config.toml
[[hooks]]
event = "PostToolUse"
command = "python3 .codex/hooks/check_docstrings.py"
timeout_ms = 10000

#!/usr/bin/env python3
# .codex/hooks/check_docstrings.py
import json, sys, ast, os

event = json.loads(os.environ.get("CODEX_HOOK_EVENT", "{}"))
tool_name = event.get("tool_name", "")

if tool_name != "apply_patch":
    sys.exit(0)

file_path = event.get("tool_input", {}).get("path", "")
if not file_path.endswith(".py"):
    sys.exit(0)

try:
    with open(file_path) as f:
        tree = ast.parse(f.read())
    missing = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if not ast.get_docstring(node) and not node.name.startswith("_"):
                missing.append(f"  - {node.name} (line {node.lineno})")
    if missing:
        print(f"WARNING: Public symbols missing docstrings in {file_path}:")
        print("\n".join(missing))
except Exception:
    pass

5. Combine Agent Review with Human Review

The most important CR-bench finding is that agent reviews and human reviews are complementary, not substitutional ¹. The optimal workflow uses both:

flowchart TD
    A[PR Opened] --> B[Codex Automatic Review]
    B --> C{P0/P1 Issues Found?}
    C -->|Yes| D[Author Fixes Critical Issues]
    D --> B
    C -->|No| E[Human Reviewer Assigned]
    E --> F[Human Focuses on Design, Conventions, Architecture]
    F --> G{Issues Found?}
    G -->|Yes| H[Author Addresses Feedback]
    H --> E
    G -->|No| I[PR Approved]

This workflow lets Codex handle the robustness and correctness sweep first — where it outperforms humans on coverage — while human reviewers focus on maintainability, design, and conventions — where agents score worst ¹.

Measuring Improvement

CR-bench’s executable test approach suggests a measurement strategy for your own review quality. Track these metrics over time:

Review escape rate — issues found in production that a review should have caught.
Agent-unique findings — issues Codex flagged that human reviewers confirmed were genuine but would have missed.
False positive rate — review comments the author rightfully dismissed.
Category distribution — use Codex’s P0–P3 classification to track whether AGENTS.md changes shift the balance towards maintainability and documentation comments.

OpenAI reports that Codex reviews 100% of pull requests internally ⁵, which provides a large enough sample to track these trends weekly.

The Bigger Picture: Why 20% Is Not the Whole Story

The 20.1% pass rate sounds damning in isolation, but three factors contextualise it:

Usefulness is not the same as pass rate. CR-bench’s own analysis found 84% of agent review comments are genuinely useful ¹. The test suite captures a specific definition of “correct” — matching the human reviewer’s intended fix — but agents often identify the same problem and propose a different, equally valid solution.
The benchmark tests review-then-fix, not review alone. A review comment that correctly identifies a problem but suggests a slightly different fix path still fails the test. Claude Code’s tendency to suggest alternative fixes (e.g., increasing a CharField max length rather than switching to TextField) penalises it despite identifying the right issue ¹.
Configuration matters enormously. The benchmark tested agents with default configurations against repositories they had no prior context for. Adding AGENTS.md review guidelines, custom instructions, and repository conventions directly addresses the categories where agents score worst.

The path from 20% to a meaningfully higher score is not a model upgrade — it is a configuration effort.

Quick-Reference Configuration Checklist

Gap Identified by CR-bench	Codex CLI Configuration Response
Missing repository conventions	`AGENTS.md` with explicit naming, import, and style rules ⁴
Under-reported documentation issues	`PostToolUse` hook checking docstrings; P1 classification for doc gaps ²
Weak maintainability feedback	Custom `/review` instructions targeting design and API consistency ⁵
Low design/architecture coverage	`code_review.md` with design review checklist referenced from `AGENTS.md` ⁵
Different issues found per agent	Layer Codex automatic review before human review ²

Citations

Zhang, Y. et al. “Code Review Agent Benchmark.” arXiv:2603.23448v3, March 2026. https://arxiv.org/abs/2603.23448 ↩ ↩² ↩³ ↩⁴ ↩⁵ ↩⁶ ↩⁷ ↩⁸ ↩⁹ ↩¹⁰ ↩¹¹ ↩¹² ↩¹³ ↩¹⁴ ↩¹⁵ ↩¹⁶ ↩¹⁷
OpenAI. “Code review in GitHub — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/integrations/github ↩ ↩² ↩³ ↩⁴
OpenAI. “Introducing GPT-5.3-Codex.” OpenAI Blog, 2026. https://openai.com/index/introducing-gpt-5-3-codex/ ↩
OpenAI. “Custom instructions with AGENTS.md — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/guides/agents-md ↩ ↩²
OpenAI. “Best practices — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/learn/best-practices ↩ ↩² ↩³ ↩⁴ ↩⁵