What happens when AI coding tools make submitting a pull request nearly effortless? Open source maintainers find out fast. Archestra.ai ran into this problem with their GitHub repo and published their solution: using Git's --author flag to detect and filter AI-generated bot commits before they burn reviewer time.
Git's --author flag filters commit history by author metadata - the name and email attached to each commit. When automated tools submit code at scale, they often leave identifiable patterns in that metadata: bot account names, programmatically generated email addresses, or author fields that don't match any real contributor profile. By checking author patterns as part of their review process, the Archestra team built a practical gate for flagging suspicious submissions before they land in the review queue.
The Cost Asymmetry Driving This Problem
The core issue is that code generation got cheap while code review didn't. AI coding assistants like Cursor, aider, and Cody make it trivial to produce plausible-looking code against any public codebase. A bad actor doesn't need to understand what a repo does - they describe a change, submit the output, and move on. A maintainer who used to handle 10 PRs a week can suddenly face 100, with no fast way to separate genuine contributions from automated noise.
The --author approach won't stop a determined actor - git commit metadata can be set to anything manually. It works against low-effort automation that doesn't bother faking human-looking commit configs, which covers most of the real-world problem.
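The author-pattern check described above, together with its limit against hand-set metadata, as an added example (not Archestra's code): it builds a throwaway repo and filters it with git log --author. The author names, emails and the two patterns are constructed assumptions.

```shell
#!/bin/sh
# Constructed demo: every name, email and pattern here is made up.

# Build a throwaway repo holding four empty commits; prints its path.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    git -C "$repo" init -q || return 1
    add() {  # add NAME EMAIL SUBJECT
        # --author accepts any identity the caller types; nothing verifies it.
        GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid \
        git -C "$repo" -c commit.gpgsign=false commit -q --allow-empty \
            --author="$1 <$2>" -m "$3" || return 1
    }
    # The last commit stands for tool output with a human-looking author
    # typed in by hand.
    add 'Dana Reviewer' 'dana@example.org' 'fix: handle empty config' &&
    add 'AutoCoder' 'autocoder@tools.example' 'feat: add caching layer' &&
    add 'fixer[bot]' '1+fixer[bot]@noreply.example' 'chore: refactor' &&
    add 'Sam Human' 'sam@example.org' 'feat: rewrite parser' &&
    echo "$repo"
}

# List commits whose author line ("Name <email>") matches an automation
# pattern. -i ignores case; repeated --author options are ORed by git.
flag_bot_commits() {
    git -C "$1" log -i --format='%h%x09%an <%ae>' \
        --author='\[bot\]' --author='autocoder'
}

# Gate for CI: succeeds only if no commit carries a flagged author.
author_gate() {
    [ -z "$(flag_bot_commits "$1")" ]
}

# Stand-alone run: show what the gate flags.
demo=$(make_demo_repo) && flag_bot_commits "$demo"
rm -rf "$demo"
```

The 'Sam Human' commit is not listed: an author field set by hand passes this gate unnoticed.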
Other defenses teams are testing include requiring signed commits (where contributors need a verified cryptographic key tied to a real identity), rate-limiting PRs from new accounts, and contributor reputation systems. Using AI detectors to flag AI-written code is also possible, but accuracy is poor enough to generate false positives on legitimate contributions.
Archestra's writeup is practical rather than theoretical - they solved a real problem in their own repo and documented it. If you maintain a public project and are seeing the same patterns, their technique is worth adding to your review process.