GitLab Code Review Guide: Best Practices, Merge Requests & Real Examples
AI CODE REVIEW
Aug 7, 2025
Why Code Reviews Still Matter (Even in 2025)
Great code isn’t just code that works.
It’s code someone else can read, build on, and trust.
And that doesn’t happen by accident.
Code reviews are where you slow down, zoom out, and make better decisions together. They catch bugs before they hit production. They teach new team members how the system works. They expose assumptions, highlight edge cases, and (let’s be honest) save everyone from writing something they’ll regret later.
GitLab gives us a clean, structured way to do all this through Merge Requests (MRs).
You’re not just checking code - you’re building shared understanding.
You’re turning a solo commit into a team conversation.
In this guide, we’ll walk you through the best way to do code reviews right in GitLab - and if you want to try it yourself, we’ve got a live public repo where you can follow along step by step.
What Are MRs in GitLab (And Why They’re More Than Just PRs)
In GitHub, you create a Pull Request (PR) to propose code changes.
In GitLab, the same thing is called a Merge Request (MR).
But GitLab doesn’t just rename it - it adds structure and context around the review process that helps teams move faster and smarter.
Inside every MR, you get:
A space to explain what your change does (Overview tab)
Linked issues, milestones, and reviewer assignments
A complete history of commits (Commits tab)
A full line-by-line diff view to leave comments and review code (Changes tab)
Built-in checks for CI status, approvals, and security flags
It’s everything you need to move from “Hey, I pushed a change” to “Let’s ship this confidently”.
Want to try it for yourself?
Fork our https://gitlab.com/neeeraj/learn-git-with-codeant and raise a test Merge Request - we’ve added a guide later in this blog to walk you through it, step by step.
Before You Even Open That MR: Self-Review Checklist
You’ve written the code. It works.
You’re ready to raise that Merge Request.
Pause.
Before anyone else sees your changes, give it a quick but honest review - just you and your editor.
Because good reviews start before the MR is even created.
The Self-Review Gut Check:
Re-read every line of your changes.
Not just for bugs. Look for clarity. Naming. Duplication. Would a teammate understand this?Run the code and test locally.
If you haven’t already - do it. Save your reviewer (and CI) the pain.Write or update tests.
If your change introduces logic or features, the tests should reflect that.Remove all TODOs, debug logs, and junk comments.
Keep the commit clean - noconsole.log('test')survivors.Split large changes if needed.
If your MR is touching a hundred files and you’re wondering “Is this too big?” - it probably is.
“Don’t send a half-baked MR and expect a gourmet review.”
The more thoughtful you are now, the faster your team can respond - and the better your own code becomes.
Creating the MR: Step-by-Step (Try It As You Read)
Alright, you’ve cleaned up your code. You’ve run the tests. You’re happy with your changes.
Now comes the moment of truth - raising the Merge Request (MR).
This is where your work goes from "my code" to "our code".
And the best part? You can actually do this alongside us using our practice GitLab repo.
Let’s walk you through the whole thing - like you're doing it live.
Step 1: Branch or Fork?
It depends on where you're working:
If you're working within your startup or company repo → create a new branch.
If you're contributing to a public repo you’re not a member of (like ours) → fork the repo first.
You can then either:
Clone the fork locally and make changes
Or use GitLab’s Web IDE to edit right from your browser
But either way - don’t push to main. Create a new branch for your changes.
Step 2: Push and Spot the Merge Request Prompt
Once you push your changes to your forked repo (on a new branch), GitLab usually helps you out.
You’ll see a prompt at the top of the repo like:
“You pushed to fix-login-bug. Create merge request?”
Click on that and boom - you’re in the MR creation screen.
If that prompt doesn’t appear, no worries:
Click “Merge requests” on the left sidebar
Then click “New merge request”
Select your source branch (your fork’s branch) and target branch (usually main of the upstream)
Tip: You can even compare two branches to double-check what code is changing before creating the MR.
Step 3: Write a Strong Title and Description
You know how we said code reviews are where teams align?
It starts here.
Write a clean, descriptive title (not just "Update" or "Fixes"). And in the description, cover:
What this MR does
Why the change was needed
What kind of review do you want (e.g., logic, design, accessibility)
Anything you want reviewers to know (linked issues, test info, screenshots)
Bonus: You can also mark your MR as a Draft if you’re not ready for full review yet.
This lets others see your work in progress without expecting an immediate merge.
Step 4: Fine-Tune Your MR Settings
Scroll down, and you’ll see these Merge Options:
Delete source branch when MR is accepted – keeps the repo tidy after merging.
Squash commits when MR is accepted – turns multiple commits into one clean commit, great for readability.
Allow commits from members who can merge – tick this to let maintainers help push changes or fix small things.
Always check that last box - it makes collaboration faster.
Once done, hit that “Create Merge Request” button.
Step 5: Add Context (Assignees, Labels, Milestones)
Now that your MR is live, you’ll see a sidebar on the right.
Use it wisely:
Assignees → Who’s driving this MR forward (usually the author)
Reviewers → Tag teammates who should review your code
Labels → Add tags like
~frontend,~bug, or~needs-design(These are pre-defined by project admins)Milestones → Link to a sprint or release, if you’re tracking one
Time tracking → Optional, but useful for planning efforts
Note: You can’t use these in our demo repo unless you’re a project member - but in a real team project, these help reviewers know what’s going on.
You can also:
Add a To-Do for yourself (e.g., “Add test for edge case before merging”)
And voila - that’s your Merge Request, created the right way.
You’ve just gone from “code done” to “ready for human eyes”.
Reviewing the MR: What to Look For (And How to Say It)
So someone raised a Merge Request, and now it’s your turn. Time to review it - not just skim through and click “Approve”, but actually give meaningful feedback.
This section is your reviewer’s checklist.
Navigate to the Merge Requests section
On the left sidebar of your repo, click Merge Requests. This is your review HQ.
Here, you can:
View open and closed MRs
Search and filter by author, label, reviewer
Bulk edit or raise a new MR
Edit sidebar items like assignees, milestones, labels
This view gives you the full picture of your repo’s activity.
Tip: create and use custom labels like needs-discussion, waiting-on-tests, or priority-high to help the whole team filter and focus.
Now, you can open the MR you want to review
Firstly, slow down and read the description
Every good MR begins with a clear description. That’s where you’ll understand:
What the change is about
Why it was made
What parts need your feedback
The author might even link to issues or explain edge cases - they’ve done the hard work. You just need to read it.
Now, take a look at the right sidebar - it's the same one you saw while creating the MR:
Assignees, Reviewers, Labels, Milestones, Time Tracking.
The difference?
This time, you can actually edit them.
Need to adjust the milestone? Add yourself as a reviewer? Drop a waiting-on-tests label? You can.
Creating and using custom labels helps your team quickly classify and filter MRs - especially helpful on busy repos.
Head to the "Changes" tab
Now move to the real stuff: the code.
In the Changes tab, you can scroll through all the updated files and lines. You don’t need to read every single line. Focus on:
Logic
Structure
Edge cases
Security
Design implications
GitLab lets you comment directly on any line of code. That’s where the conversation happens.
Use the right kind of comment
Want to be clear and helpful? Start your comments with a cue. A few examples your team can adopt:
suggestion: this might work better another way
question: I’m not sure what this does - can you explain?
issue: this needs to be fixed before merging
nitpick: not a blocker, but something to consider
This makes it easier for the author to act on feedback without second-guessing the tone or importance.
Want to group your comments?
Hit Shift + R to start a review. This way, all your comments are bundled and sent together - clean, not spammy.
Once you’re done, click “Submit review”. You can:
Approve it
Comment only
Or request changes
Remember, you can approve now and revoke it later if something changes. Nothing’s locked until merged.
Add context or files
If you need to explain something deeper, add comments outside the code or drag in screenshots or files. All of this helps the author (and the next reviewer) understand things faster.
Final merge steps
Once everything’s resolved and ready, scroll to the bottom of the MR. You’ll see two key options:
Squash commits: combine all commits into one before merging. (great for a clean git history)
Edit commit message: make the final commit message reflect what this MR actually does.
Click “Merge” to complete the process.
After that:
You can Revert the merge if needed.
Or Cherry-pick it into another branch.
The MR now moves to the Merged tab, where you can always go back and read through the full discussion and code history.
And that’s a real review - part code inspection, part collaboration. The best MRs don’t just ship code, they leave behind understanding.
Later in the blog, we’ll explore how CI/CD pipelines can automatically run tests, lint code, and enforce quality checks every time a Merge Request is created or updated.
How to Assign the Right Reviewers (Not Just @Everyone)
Once your Merge Request is up, don’t just tag whoever’s online. Be intentional.
Use the Reviewers panel on the right sidebar to assign people who understand that part of the codebase. If your project has a CODEOWNERS file set up, GitLab will even suggest reviewers automatically based on the files you’ve changed.
If not, do the next best thing: leave a comment and ask clearly.
“@Amartya – can you check the login logic?”
“@Rushabh – mind reviewing the UI and responsiveness?”
This saves time and helps reviewers know exactly what you’re looking for.
For big or sensitive changes, set approval rules to make sure the right people have to sign off before a merge.
And if you’ve updated the MR after feedback, use /request_review @username to re-request their input. It’s faster than a Slack ping and keeps everything inside GitLab.
Keep It Tight: Why Small MRs = Better MRs
The smaller your MR, the more likely it’ll be reviewed properly - and faster.
Try to stay under 200 lines of changes if possible. That might not sound like much, but small MRs are easier to understand, test, and review carefully.
Each MR should ideally handle one feature or one fix. Don’t bundle multiple unrelated changes into one MR. It makes reviewing harder and increases the chances of bugs slipping in.
Each commit inside the MR should also have a clear purpose. Clean commits make code history easier to read later.
Let your CI/CD pipeline handle the basics - linting, formatting, unit tests - so that reviewers can focus on what actually matters: the logic, the flow, and the design.
Advanced Code Review Setup: Make GitLab Do the Heavy Lifting
Code reviews don’t have to catch everything manually. GitLab can take care of a lot of the grunt work - formatting issues, test coverage, even security red flags - before a human reviewer ever looks at your code.
Here’s how to set that up.
1. CI/CD Pipelines: Your First Line of Defense
When you create or update a Merge Request, GitLab can automatically run checks on your code. This includes:
Linting
Check for style and formatting issues early. You can configure linters like ESLint, Prettier, Black, or whatever fits your stack.Unit & Integration Tests
Define test jobs in your.gitlab-ci.ymlfile. You can make sure your logic holds up before the review even begins. (More on this later)Security Scans
GitLab has built-in security scanning features like:SAST: Find bugs and vulnerabilities in your code
Dependency Scanning: Catch insecure packages in
package.json,requirements.txt, etc.Secret Detection: Stop you from accidentally committing API keys
These jobs can fail the pipeline if issues are found - so reviewers don’t need to worry about obvious vulnerabilities.
Pro tip: Make sure your Merge Requests only get reviewed once the pipeline passes. It saves everyone time.
2. Enforce Approvals Before Merge
Want to make sure at least one backend dev or security engineer reviews every MR? You can set up approval rules.
Go to:
Project → Settings → Merge Requests → Approval rules
You can set rules like:
Require at least 2 approvals before merging
Make approval from specific users or groups mandatory (like
@securityor@frontend)Prevent merging if certain CI jobs fail
🧠 Heads-up: Some of these approval features are part of GitLab’s paid plans, but you can start a free trial to test them out.
3. Bonus Tip: Use a .gitlab-ci.yml Template
If your team doesn’t already have one, you can use GitLab’s built-in CI templates or create a reusable .gitlab-ci.yml that covers:
Linting
Test coverage
Docker builds (if applicable)
Security scans
It takes a bit of effort to set up - but once it’s there, it’ll run every time, keeping your codebase clean and safe.
Here’s a sample GitLab pipeline file you can copy-paste and tweak for your own team:
This file does the following:
Lints JS/TS files using ESLint
Runs tests
Adds placeholders for security scans (replace with real tools or GitLab built-ins)
This setup means your reviewers can focus on what really matters - logic, structure, design - not missing semicolons or failing tests.
What CodeAnt Does That GitLab Alone Can’t
You’ve followed the guide, learned how to review like a pro - but what if you could automate the boring parts and catch deeper issues GitLab alone can’t?
That’s where CodeAnt AI comes in.
It plugs into GitLab and gives your Merge Requests superpowers:
🧠 AI-Powered Review Comments
CodeAnt reads your code and drops review comments like a senior engineer would - pointing out logic flaws, missed edge cases, or anti-patterns. Not just formatting errors.
🛡️ Security + Compliance, Built-In
It doesn’t just scan for secrets. It checks for real-world threats like SQL injection, insecure cloud configs, and outdated libraries - and blocks unsafe code before merge.
Bonus: You get one-click reports for SOC 2, HIPAA, etc.
🛠️ One-Click Fix Suggestions
Instead of just flagging problems, CodeAnt suggests or applies fixes. No back-and-forth over style or tests - just click "Apply Fix" in the MR.
📊 Team Insights That Actually Help
Get dashboards on review load, response time, and recurring issues. See which parts of your codebase keep breaking - and who’s constantly saving the day.
✍️ Custom Rules in Plain English
Want to enforce things like “all functions need docstrings”? Just write the rule - no need to write a linter plugin.
GitLab gives you the process. CodeAnt gives you an assistant.
Try it on your next MR and see how much time you save.
Before You Merge: Don’t Skip These Final Checks
So the code looks clean, the comments are in, and you’re ready to hit Merge?
Hold up. One last moment of mindfulness goes a long way in preventing rollbacks, broken builds, or “why did we merge this?” Slack threads.
Here’s what you want to check before merging a Merge Request:
All discussion threads are resolved - no open questions or requested changes.
All required reviewers have approved - make sure no one's input is still pending.
CI pipeline has passed - green across the board for tests, security, and linting.
Final look at the diff - what’s actually getting merged into
main? Be sure."Delete source branch" is selected - this keeps things tidy.
GitLab lets you enable auto-delete for source branches after merge. We recommend turning that on in project settings - less clutter, less confusion.
✅ Final Checklist for MR Authors
Use this right before you click that Merge button:
Print it. Paste it in your MR template. Tattoo it (okay, maybe not).
But use it - it saves time and builds trust.
Wrap-Up: Good Reviews Are Good Culture
Code reviews are not just a checklist. They're conversations.
They're not about nitpicking - they’re about progress.
Merge Requests are where developers connect ideas, challenge assumptions, and grow together. When done right, reviews improve the code and the coder.
Use MRs to teach, learn, and align.
Automate the boring stuff so you can focus on what matters.
Keep things structured, so feedback is thoughtful and reviews are fast.
Build a team where reviews feel like support - not scrutiny.
Start now: head to our demo repo, fork it, raise a Merge Request, and follow this guide step by step.
See what it feels like to do a code review the right way.
Because good reviews = better teams, stronger culture, and cleaner code.
And if you want your code reviews to be faster, safer, and a whole lot smarter - try CodeAnt. It plugs into GitLab in minutes and works like your team’s sharpest reviewer (who never sleeps).
