Automate Code Reviews with Claude Code
The Problem
Code reviews are a bottleneck. PRs sit for hours waiting for a reviewer. When reviews do happen, they focus on style nitpicks instead of logic errors, security issues, or architecture concerns. Junior developers struggle to give meaningful reviews, and senior developers spend too much time on repetitive feedback.
Quick Start
Ask Claude Code to review a PR:
Review the changes in the current branch compared to main.
Focus on:
1. Logic errors and edge cases
2. Security vulnerabilities
3. Performance issues
4. Missing error handling
5. Test coverage gaps
Skip: style/formatting issues (Prettier handles those).
Or use the built-in review skill:
/review
What’s Happening
Claude Code reads the full diff of your changes, understands the context by reading surrounding code, and provides feedback at the same level as an experienced reviewer. It catches issues that humans often miss: subtle null reference bugs, missing error handling paths, SQL injection vulnerabilities, and performance regressions.
The key advantage over manual review is consistency. Claude Code checks every file against the same criteria every time, while human reviewers have varying attention levels and expertise areas.
Step-by-Step Guide
Step 1: Create a code review subagent
Build a specialized review agent:
<!-- .claude/agents/code-reviewer.md -->
---
description: Reviews code changes for bugs, security issues, and best practices
tools:
- Read
- Grep
- Glob
- Bash
model: sonnet
---
# Code Reviewer
You are a thorough code reviewer. Analyze the provided changes and report:
## Review Criteria
### Critical (must fix before merge)
- Security vulnerabilities (XSS, SQL injection, auth bypass)
- Data loss risks (missing transactions, race conditions)
- Logic errors that cause incorrect behavior
### Important (should fix)
- Missing error handling
- Unbounded queries or loops
- Missing input validation
- Test coverage gaps for new code paths
### Suggestions (nice to have)
- Performance improvements
- Better naming or structure
- Documentation gaps
## Output Format
For each finding, provide:
1. File and line number
2. Severity (critical/important/suggestion)
3. Description of the issue
4. Suggested fix with code
Do not comment on formatting or style. Focus on logic and correctness.
Step 2: Review the current branch
Ask Claude Code to compare against main:
Use the code-reviewer agent to review all changes in this branch
compared to origin/main. Show the findings grouped by severity.
Claude Code runs:
git diff origin/main...HEAD
And analyzes every changed file.
Step 3: Set up automated PR reviews
Create a GitHub Actions workflow that runs Claude Code on every PR:
# .github/workflows/code-review.yml
name: AI Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
permissions:
pull-requests: write
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get changed files
id: changed
run: |
echo "files=$(gh pr diff ${{ github.event.number }} --name-only | tr '\n' ' ')" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Claude Code review
run: |
claude --print "Review these changed files for bugs, security issues, and missing error handling: ${{ steps.changed.outputs.files }}" > review.md
env:
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
- name: Post review comment
run: |
gh pr comment ${{ github.event.number }} --body-file review.md
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Step 4: Create a review checklist
Ask Claude Code to generate a checklist specific to each PR:
Based on the changes in this PR, generate a review checklist.
Include items specific to the changed code, not generic items.
Format as markdown checkboxes.
Example output:
## Review Checklist for PR #47: Add payment processing
### Logic
- [ ] Verify idempotency key prevents duplicate charges
- [ ] Confirm webhook signature validation is constant-time
- [ ] Check that partial refund amounts cannot exceed original charge
### Security
- [ ] Stripe API key is loaded from env, not hardcoded
- [ ] Webhook endpoint validates Stripe signature before processing
- [ ] PCI-sensitive card data is never logged
### Error Handling
- [ ] Stripe API timeout is handled with retry
- [ ] Failed charges update order status to "payment_failed"
- [ ] Webhook processing failures are idempotent on retry
### Testing
- [ ] Unit tests for refund amount calculation
- [ ] Integration test for complete payment flow
- [ ] Test for duplicate webhook delivery
Step 5: Review security-sensitive changes
For PRs touching authentication, payments, or data access:
This PR modifies the authentication system. Do a security-focused review:
1. Check for authentication bypass vulnerabilities
2. Verify authorization checks on every protected endpoint
3. Look for timing attacks in comparison functions
4. Check JWT validation (expiry, signature, audience)
5. Verify secrets are not logged or exposed in errors
6. Check for insecure direct object references (IDOR)
Step 6: Review database migration PRs
This PR includes a Prisma migration. Review the migration for:
1. Will it lock tables for an extended period?
2. Are there data loss risks?
3. Is the migration reversible?
4. Does it handle existing data correctly?
5. Are new indexes needed for the changed schema?
6. Is the migration compatible with zero-downtime deployment?
Step 7: Track review patterns
Over time, ask Claude Code to analyze your review history:
Look at the last 20 PRs in this repo. What are the most common
issues found in reviews? Create a list of the top 10 recurring
problems so we can add them to our coding standards.
Review Templates by Change Type
Add these to your CLAUDE.md for consistent reviews:
## Code Review Instructions
### For API endpoint changes
Check: input validation, auth middleware, error responses, rate limiting, SQL injection
### For React component changes
Check: prop types, loading/error states, accessibility (aria labels, keyboard), memo/callback usage
### For database changes
Check: migration safety, index coverage, cascade behavior, data integrity constraints
### For dependency updates
Check: breaking changes in changelog, security advisories, bundle size impact
I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel.
These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code.
**[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=claude-code-code-review-automation-guide)**
$99 once. Free forever. 47/500 founding spots left.