Testing & Review with AI Agents

Practical quick reference for AI-assisted test generation, code review, and security scanning.

โ† Back to AI-SDLC main site

🧪 Testing with Copilot

Test Generation — The Basics

Command | What It Does
--- | ---
/tests | Generate unit tests for selected code. Infers framework (Jest, pytest, xUnit).
/tests #file | Generate tests for an entire file.
Agent mode | "List edge cases for X, then write tests" — safer than just "write tests".

Test-First Workflow (Recommended)

A 3-step mini-recipe:

  1. Ask agent to list edge cases and failure modes
  2. Ask agent to write tests that would FAIL if those edge cases are mishandled
  3. Then implement — the agent uses the test output as its feedback loop

Example prompt:

List edge cases for the payment flow, then write tests that would fail if any edge case is mishandled. Use xUnit. Include: empty cart, duplicate items, out-of-stock, concurrent modification.
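The recipe above, carried through in code as an added example (not from the page; the Cart/checkout implementation, the SKU values and the stock figures are all constructed, and pytest is used in place of the xUnit named in the prompt): step 1 names the four edge cases, step 2 writes one test per case that fails when it is mishandled, step 3 is the implementation that makes the suite green.

```python
"""Test-first example for the payment-flow prompt (constructed, not page code)."""
import threading

# Single lock guarding inventory reservations (edge case: concurrent modification).
_INVENTORY_LOCK = threading.Lock()


class CheckoutError(Exception):
    """Raised when a cart cannot be checked out as a whole."""


class Cart:
    """Cart keyed by SKU; adding the same SKU twice merges the lines (edge case: duplicates)."""

    def __init__(self):
        self._lines = {}

    def add(self, sku, qty=1):
        if qty <= 0:
            raise ValueError("quantity must be positive")
        self._lines[sku] = self._lines.get(sku, 0) + qty

    def lines(self):
        return dict(self._lines)


def checkout(cart, inventory):
    """Reserve stock for every line atomically; inventory maps SKU -> units on hand.

    Either every line is reserved or nothing changes, so a failed checkout
    never leaves a partially reserved order behind.
    """
    lines = cart.lines()
    if not lines:
        raise CheckoutError("empty cart")
    with _INVENTORY_LOCK:
        for sku, qty in lines.items():
            if inventory.get(sku, 0) < qty:
                raise CheckoutError(f"out of stock: {sku}")
        for sku, qty in lines.items():
            inventory[sku] -= qty
    return lines


# Step 2: one test per edge case; each fails if that case is mishandled.
def test_empty_cart_rejected():
    try:
        checkout(Cart(), {"A": 1})
    except CheckoutError:
        return
    raise AssertionError("empty cart must be rejected, not charged")


def test_duplicate_items_merge():
    cart = Cart()
    cart.add("A")
    cart.add("A", 2)
    assert cart.lines() == {"A": 3}


def test_out_of_stock_leaves_inventory_untouched():
    inventory = {"A": 5, "B": 0}
    cart = Cart()
    cart.add("A", 1)
    cart.add("B", 1)
    try:
        checkout(cart, inventory)
    except CheckoutError:
        pass
    else:
        raise AssertionError("out-of-stock line must fail the whole checkout")
    assert inventory == {"A": 5, "B": 0}  # "A" was not partially reserved


def test_concurrent_checkouts_never_oversell():
    inventory = {"A": 10}
    outcomes = []

    def worker():
        cart = Cart()
        cart.add("A", 3)
        try:
            checkout(cart, inventory)
            outcomes.append("ok")
        except CheckoutError:
            outcomes.append("rejected")

    threads = [threading.Thread(target=worker) for _ in range(5)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    # Five buyers want 3 units each from a stock of 10: exactly three succeed.
    assert outcomes.count("ok") == 3 and inventory["A"] == 1


if __name__ == "__main__":
    for test in (test_empty_cart_rejected, test_duplicate_items_merge,
                 test_out_of_stock_leaves_inventory_untouched,
                 test_concurrent_checkouts_never_oversell):
        test()
        print("PASS", test.__name__)
```

Run it with `pytest` or directly with `python`. The point of writing the tests before `checkout` is that each one fails against a naive implementation (one that reserves lines as it goes, or has no lock), so the agent gets a concrete failing signal to iterate on rather than a vague "write tests" instruction.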

Security Testing

  • CodeQL (SAST): Enable in repo Settings → Code Security. Runs on every push and PR automatically.
  • Secret Scanning: Via GitHub MCP Server — detects leaked credentials.
  • DAST: StackHawk and Aikido offer Copilot custom agents for dynamic security testing.

⚠️ The Self-Rating Trap

The AI that wrote the code shouldn't be the only one validating it. Use physics (test runners, linters, type checkers) as your independent verification. Always run the tests — don't just read them.

👀 Code Review with Copilot

Automated PR Review

How to enable:

  1. Open any Pull Request
  2. Go to Reviewers → Select "Copilot"
  3. Copilot analyzes the diff, leaves inline comments within minutes

Comments cover: bugs, performance, style, security concerns.

Important: Copilot reviews leave comments, never approvals. The human always has final say.

Coding Agent PRs

When the coding agent opens a PR:

  • Includes summary of changes and reasoning
  • Shows full reasoning trace via Copilot session link
  • Review like any other PR — same standards apply

Custom Review Agents

Create .agent.md files for domain-specific review:

  • Accessibility: "Review all CSS changes for WCAG 2.1 AA compliance"
  • Performance: "Flag any N+1 query patterns in database calls"
  • Compliance: "Check all API endpoints have proper authorization attributes"

Example .agent.md:

# Security Review Agent

Review all changes for:
- SQL injection vulnerabilities
- Missing input validation
- Hardcoded credentials or secrets
- Missing authorization checks on API endpoints
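Two of the agent's review rules (string-built SQL and hardcoded credentials) are mechanical enough to pre-check before a review agent or a human ever reads the diff. The script below is an added example, not from the page or from any Copilot tooling: it walks the added lines of a unified diff, tracks the new-file line numbers from the `@@` headers, and reports matches for both rules. The diff, file path and credential value are constructed for the example.

```python
"""Pre-review check for two .agent.md rules over a unified diff (constructed example)."""
import re

# Constructed sample diff: one line switches to f-string SQL, one adds a literal secret.
SAMPLE_DIFF = """\
diff --git a/app/users.py b/app/users.py
--- a/app/users.py
+++ b/app/users.py
@@ -10,6 +10,12 @@ def get_user(db, user_id):
-    return db.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+    return db.execute(f"SELECT * FROM users WHERE id = {user_id}")
+
+DB_PASSWORD = "example-only-placeholder"   # constructed sample, not a real credential
+
+def delete_user(db, user_id):
+    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
"""

RULES = [
    # NAME_PASSWORD = "..."-style literals; the \w* tolerates prefixes such as DB_PASSWORD
    ("hardcoded-secret",
     re.compile(r"(password|passwd|secret|api_?key|token)\w*\s*=\s*['\"][^'\"]+['\"]", re.I)),
    # execute(f"...") or execute("..." % ...) / execute("..." + ...): SQL built from strings
    ("sql-string-building",
     re.compile(r"execute\(\s*(f['\"]|['\"][^'\"]*['\"]\s*[%+])", re.I)),
]

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


def review_diff(diff_text):
    """Return (rule, new_file_line, source_line) for every added line matching a rule."""
    findings = []
    new_lineno = None
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            new_lineno = int(header.group(1))
            continue
        if raw.startswith("+++") or raw.startswith("---") or new_lineno is None:
            continue  # file headers and anything before the first hunk
        if raw.startswith("+"):
            line = raw[1:]
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((rule, new_lineno, line.strip()))
            new_lineno += 1
        elif not raw.startswith("-"):
            new_lineno += 1  # context line: present in the new file, not reviewed
    return findings


if __name__ == "__main__":
    for rule, lineno, text in review_diff(SAMPLE_DIFF):
        print(f"{rule} at new line {lineno}: {text}")
```

Line numbers come from the hunk header, so the findings can be posted as inline comments on the right positions. Parameterised queries (the `?` placeholder form in the sample) are left alone by design; only the string-building shapes are flagged, and anything the regexes cannot see (SQL assembled elsewhere, secrets loaded from a committed config file) still needs the review agent or a human.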

Self-Paced Resources

  • Copilot Code Review: Interactive GitHub Skills course on code review
  • Create Unit Tests with Copilot: Microsoft Learn module on test generation
  • Secure Code Game: Hands-on security vulnerability challenge
  • Introduction to CodeQL: Learn static analysis for security scanning