Building an MCP Server for AI-Powered Code Reviews
MCP & Copilot powered code reviews
This guide explains how to build a local Model Context Protocol (MCP) server that enables GitHub Copilot to perform automated code reviews using your project's technical rules and conventions.
Instead of relying on generic AI suggestions or static analysis tools, this approach allows teams to encode project-specific policies as structured data and allow the LLM to reason over them during code reviews.
Tools Required
Runtime & Platform
| Tool | Version | Purpose | ||
|---|---|---|---|---|
| Node.js | 18+ | Runtime for the MCP server | ||
| npm | 9+ | Package management | ||
| Git | 2.30+ | Detecting code changes (git diff, git grep) |
||
| VS Code | 1.96+ | IDE with MCP support | ||
| GitHub Copilot Extension | Latest | LLM client with agent mode |
MCP Server Dependencies
| Package | Purpose |
|---|---|
@modelcontextprotocol/sdk |
Official MCP SDK used to build the server |
zod |
Schema validation for tool inputs |
picomatch |
Fast glob matching for classifying files |
glob |
File system search |
tsx |
Run TypeScript without a build step |
vitest |
Testing policy logic and classifiers |
What You Don't Need
- No OpenAI or Anthropic API key (Copilot provides the model)
- No Docker
- No database
- No cloud infrastructure Everything runs locally on the developer machine.
Key Components
Copilot (LLM Client)
Handles reasoning and produces the review report.
MCP Server
Provides structured project context such as:
- changed files
- source code
- policy rules
- architectural conventions
Local Git Repository
The actual codebase being reviewed.
How the System Works
When a developer asks Copilot to review their code, the following workflow occurs.
1. Detect Code Changes
Copilot calls an MCP tool that runs:
git diff --name-only
This returns the list of modified files.
Example response:
{
"files": [
"src/App.Api/Controllers/OrderController.cs",
"src/App.Infrastructure/Repositories/OrderRepository.cs"
]
}
2. Classify Files and Load Policies
Each file is matched against policy rules using glob patterns.
Example policy rule:
{
"id": "api-1.1-auth",
"riskLevel": "critical",
"check": "All API endpoints must require authorization",
"applicableFilePatterns": [
"src/**/Controllers/**/*.cs",
"src/**/Endpoints/**/*.cs"
]
}
Only the rules relevant to the changed files are returned.
This prevents the AI from wasting tokens evaluating irrelevant policies.
3. Read Project Conventions
Copilot reads project conventions via an MCP resource such as:
conventions://project
This typically includes:
- architecture patterns
- authentication rules
- repository patterns
- testing conventions
This step helps avoid false positives during review.
4. Read the Source Files
Copilot then calls the MCP tool:
read_source_file
to retrieve the contents of the changed files.
5. Verify Cross-Cutting Concerns
Because the MCP server exposes a codebase search tool, the AI can verify things that traditional linters cannot.
Examples:
- Does a validator exist for this command?
- Is the event registered in the EventRegistry?
- Does the service have unit tests?
- Is
.AsNoTracking()used in read queries?
These checks are performed using:
git grep
6. Generate the Review Report
Copilot compiles findings and produces a structured report.
Example:
### Summary
Files reviewed: 2
Findings: 1 high, 2 medium
### High
[query-2.1-no-tracking]
OrderRepository.cs:45
Repository method returns read data but does not use `.AsNoTracking()`.
Recommendation:
Add `.AsNoTracking()` before `.FirstOrDefaultAsync()`.
### Medium
[test-1.1-coverage]
No test file exists for OrderService.
Recommendation:
Create `OrderServiceTests.cs`.
MCP Server Capabilities
The MCP server typically exposes a small set of tools.
| Tool | Purpose |
|---|---|
get_changed_files |
Detect modified files |
get_applicable_policies |
Identify policies for those files |
read_source_file |
Return file contents |
search_codebase |
Search for patterns across the repo |
get_project_conventions |
Return architectural rules |
It may also expose resources such as:
policies://allconventions://project
Policy Rules as Data
All review rules are stored as JSON, not code.
Each rule includes:
| Field | Purpose |
|---|---|
id |
Unique rule identifier |
riskLevel |
critical / high / medium / low |
check |
What the rule checks |
successCriteria |
Pass/fail conditions |
howToVerify |
Instructions for the AI |
applicableFilePatterns |
Glob patterns for matching files |
Adding a new rule is simply adding another JSON object.
No code changes required.
Developer Workflow
Once the MCP server is registered in:
.vscode/mcp.json
developers can interact with it naturally.
Review staged changes
Review my staged changes against technical requirements
Review a specific file
Review src/App.Api/Controllers/OrderController.cs
Review branch changes
Review all changes on this branch compared to main
Ask about project rules
What policies apply to repository files?
This makes the experience feel like pair-programming with an engineer who knows the entire technical requirements document.
Benefits
| Traditional Tools | MCP Approach | |
|---|---|---|
| Generic lint rules | Project-specific policies | |
| Requires infrastructure | Runs locally | |
| Language-specific | Policy rules are stack-agnostic | |
| Manual checklists | Automated evaluation | |
| Inconsistent reviews | Consistent AI reviews |
Key Advantages
Project-specific intelligence
Rules are tailored to your company or team's architecture and coding standards.
Declarative and extensible
Policies are JSON, making them easy to add or modify.
Platform-agnostic
Works with any MCP-compatible client.
Portable across Git platforms
Works with GitLab, Bitbucket, Azure DevOps, etc.
Consistent code reviews
Every developer receives the same review quality.
CI Integration (Optional)
The MCP review process can also be integrated into CI.
Example GitLab job:
code-review:
stage: review
image: node:22
script:
- npm ci
- npx tsx src/cli/review-mr.ts
Recommended layered approach:
| Layer | Purpose | |
|---|---|---|
| Developer review | Copilot + MCP in VS Code | |
| CI check | Automated policy verification | |
| Human review | Validate AI findings |
This reduces the human reviewer's workload to business logic validation.
Conclusion
By building an MCP server you can turn team knowledge into structured, reusable policies that AI can reason over during development.
Instead of relying on generic tools, your reviews become:
- context-aware
- consistent
- extensible
- portable across platforms
The idea is simple:
Encode team expertise as structured data, expose it through MCP, and let the LLM perform the reasoning.
How did you find this article?
