ShintTools

Automate code review for Unity and Unreal teams

How to automate code review across C++, Blueprints and C# with local AST + NLP analysis — catch smells before compile, gate every PR and keep IP inside your studio.

·10 min read

The real cost of a bug isn't fixing it. It's finding it in production, three weeks after a tester mis-labeled it, with a release in between and LiveOps half-shipped. Automating code review for Unity and Unreal isn't tooling fashion — it's the only way to stop reviews from depending on which senior had time that afternoon.

Classic linters aren't enough

  • C++ in Unreal: clang-tidy catches raw pointers and raw new, but it doesn't understand a mis-flagged UPROPERTY() or a Blueprint that references a destroyed actor.
  • Blueprints: outside the editor they are black boxes. No linter opens the node graph and detects a branch that Casts without checking the result.
  • C# in Unity: Roslyn analyzers help, but they don't know your internal APIs or the project's memory pattern (pooling, allocations in Update, etc.).

You need analysis that understands both the AST and the engine's context.

What the Deep Code Validator automates

The Deep Code Validator combines a Tree-sitter parser (C++, C#, and serialized Blueprint graphs) with local NLP over studio conventions. It runs on your machine — code never leaves the environment.

  • Detects smells before compile: unsafe pointers, hot-path allocations, unchecked casts, side effects in OnEnable.
  • Enforces studio rules: function naming, method size caps, ScriptableObject vs constants.
  • Emits a structured report with severity, line, suggested fix — consumable from CI.
  • Rules versioned in the repo — the linter evolves with the project.

CI integration as a deterministic gate

A CI gate that runs on every PR and fails the build when a high-severity smell shows up. The point is that it's deterministic: same commit → same result, always. Not "passes today, fails tomorrow". Devs trust deterministic gates; with flaky ones, they learn to re-run until it passes.

# .github/workflows/code-validator.yml (excerpt)
- name: Run Deep Code Validator
  run: shinttools validate --engine ue5 --config .shinttools/rules.json --format sarif > report.sarif
- uses: github/codeql-action/upload-sarif@v3
  with: { sarif_file: report.sarif }

The SARIF output paints inline annotations on the GitHub PR. Seniors review intent and architecture; the bot eats the noise.

Vs. Copilot and other cloud assistants

Copilot writes code; it doesn't review yours. It also ships context to the cloud, which most AA studios can't allow under publisher NDA. The Deep Code Validator is the opposite: it doesn't generate code, it reviews what you already have, and all analysis lives on-prem. Detailed comparison at Copilot vs ShintTools.

What to measure after integration

  • Bugs caught in PR vs bugs caught in QA (the ratio should tilt toward PR).
  • Average senior review time — when the bot eats the noise, it drops 30–60%.
  • Convention regressions (naming, forbidden patterns) — should trend to zero.

Automating review doesn't replace the senior. It gives back the time they lost flagging the obvious, so they can review what only a human can.