53 percent. That's the share of real bugs Sashiko caught when tested against 1,000 recent Linux kernel patches - every single one of which had already passed human code review.
Sashiko is a Rust-based tool built by Roman Gushchin, a Linux kernel engineer at Google, designed to analyze code patches submitted to the Linux Kernel Mailing List. It doesn't write code. It reads patches, runs them through a large language model, and flags potential problems for maintainers. Think of it as a second pair of eyes that never gets tired of reading C.
How It Actually Works
The tool ingests patches directly from the kernel mailing lists - the same unfiltered, real-world submissions that human reviewers process daily. It's currently configured to use Google's Gemini Pro 3.1 as its primary model, though it supports Claude and other LLMs as backends.
The workflow is straightforward: patch comes in, Sashiko analyzes it, feedback goes to maintainers. No automatic merges, no generated code, no autonomous commits. A human still makes every decision.
The false positive rate sits around 20%, according to the project's authors, though they acknowledge that number is hard to pin down precisely. For context, a 20% false positive rate means roughly one in five flagged issues isn't actually a bug - annoying but manageable when the alternative is letting real bugs slip into the kernel.
The Privacy Trade-Off
Here's the tension: Sashiko sends kernel code to external LLM providers for analysis. For a project as security-critical as the Linux kernel, piping code through third-party AI services raises obvious questions. Every patch potentially contains information about system internals, driver implementations, and security-sensitive subsystems.
The project now lives under Linux Foundation ownership, and Google currently covers the operational costs. That institutional backing suggests the privacy concerns have been weighed against the benefits, but it's a real trade-off that the kernel community will need to keep evaluating.
What This Means for Code Review Tools
Most AI coding tools today focus on writing code - autocomplete, generation, refactoring. Sashiko takes the opposite approach: it only reads. That constraint is what makes it interesting.
The Linux kernel is one of the most heavily reviewed codebases on the planet. Thousands of experienced developers scrutinize patches before they merge. If an AI reviewer can catch bugs that this level of human review misses, the implications for less rigorously reviewed codebases are significant. Your average startup's PR review process is nowhere near as thorough as the kernel's.
The 53% detection rate deserves some caution, though. That number comes from patches where bugs were already identified after the fact (via "Fixes:" tags in the git history). It tells us Sashiko can spot known bug patterns, not that it catches 53% of all bugs. Still, finding known-pattern bugs before they ship is exactly the kind of tedious, pattern-matching work AI does well.
For teams already using AI-assisted development tools like Cursor, GitHub Copilot, or Claude Code for writing code, Sashiko represents the other half of the equation: using AI to catch mistakes rather than create them.