The bottom line for me is: it finds issues. More issues than typical human code reviews find. Like human code reviews, some of the issues it finds are trivial, unimportant, or debatable as to whether “fixing” them actually improves the product overall. Also, like human code reviews, sometimes it finds things that look like issues but really aren’t when you dig into the total picture. Then, some of the issues it finds are real, and some are subtle, like actual memory leaks, unsanitized inputs, etc., and if you’re going to ignore those, you’re just making worse software than is possible with the current tools.
Also, unlike most human code reviews, when it finds an issue it can and will do a thorough writeup explaining why it believes it is an issue, with code snippets in the writeup, links into the source, proposed fixes, etc. All that detail is way too much effort to be a productive use of a human reviewer’s time, but it genuinely helps in the evaluation of the issue and the proposed fix(es).
Just like human code reviews, if you just accept and implement everything it says without thinking, you’re an idiot.