Using Claude Code for code review: what it catches and what it misses
Claude is a decent first-pass reviewer. It catches real problems. It also has specific blind spots, things it will miss or get wrong consistently. Knowing both lets you use it well instead of either over-trusting it or dismissing it.
What Claude is good at catching
Error handling gaps. Claude notices when a function doesn't handle null returns, when an async function's rejection isn't caught, when a database call can fail silently. It reads through all paths in a way that's hard to do consistently when you're reviewing your own code.
Logic errors in small functions. If a function has an off-by-one error, a wrong comparison operator, or a condition that's inverted, Claude usually finds it.
Security patterns it knows. SQL injection, obvious XSS vectors, unvalidated user input going into shell commands — common patterns from its training data.
Missing test cases. Ask Claude to review tests and it will identify paths that aren't covered.
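As an added illustration of the first and third items above (example code, not from the page), here is a lookup function written with the defects a first-pass review should flag, beside a hardened version of the same thing. The in-memory SQLite table, its two rows, and the ping helper are constructed for the demonstration; the hostname check is one reasonable validation rule, not the only one.

```python
"""Constructed example (not code from the page): a lookup with the defects
a first-pass reviewer is expected to flag, beside its hardened form. The
in-memory SQLite table and its rows are made up for the demonstration."""
import re
import sqlite3
from typing import Optional


def seed_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# ---- Before: what a first-pass review should flag -----------------------

def role_for_user_vulnerable(conn: sqlite3.Connection, name: str) -> str:
    """Three findings in one function:
    - SQL injection: the query is built with % formatting from `name`.
    - Unhandled None: fetchone() returns None for an unknown user, and
      row[0] then raises TypeError, which the except clause does not catch.
    - Silent failure: any database error becomes '', so a broken query
      is indistinguishable from a user with no role."""
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE name = '%s'" % name).fetchone()
        return row[0]
    except sqlite3.Error:
        return ""


def ping_command_vulnerable(host: str) -> str:
    """Shell injection: a command string assembled from user input and
    meant for subprocess.run(cmd, shell=True). host='8.8.8.8; id' runs id."""
    return f"ping -c 1 {host}"


# ---- After: the same behaviour with each finding addressed --------------

class LookupFailed(RuntimeError):
    """Raised when the database call fails, instead of returning a sentinel."""


def role_for_user(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Parameterised query; None is an explicit 'no such user'; database
    errors are surfaced with context rather than swallowed."""
    try:
        row = conn.execute(
            "SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    except sqlite3.Error as exc:
        raise LookupFailed(f"role lookup for {name!r} failed") from exc
    return None if row is None else row[0]


# Assumed validation rule: hostname-style labels only, no shell metacharacters.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def ping_command(host: str) -> list[str]:
    """Validate the host and return an argv list for subprocess.run(argv);
    no shell is involved, so metacharacters cannot become a second command."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing to ping {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    conn = seed_db()
    injected = "' OR '1'='1"
    print("vulnerable, injected name ->", role_for_user_vulnerable(conn, injected))
    print("hardened,   injected name ->", role_for_user(conn, injected))
    print("vulnerable shell string   ->", ping_command_vulnerable("8.8.8.8; id"))
```

Run stand-alone, the vulnerable lookup returns the first row's role ("admin") for a name that matches no user, the hardened one returns None, and the shell string shows the second command that `shell=True` would execute. Each of the four defects is the kind of concrete, line-anchored finding the review prompt later on this page asks for.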
What Claude misses
Business logic correctness. Claude can't tell you if the algorithm is right for your problem. It can tell you if the implementation is consistent with itself, but not whether that's what you actually needed.
Performance at scale. Claude might flag obvious O(n²) loops, but it doesn't know your data characteristics, your traffic patterns, or which operations are actually bottlenecks.
Architecture fit. Whether this code belongs in this file, whether this abstraction is the right one for where the codebase is going — Claude doesn't have that context.
Security patterns it doesn't know. Anything not in its training data. Novel attack surfaces, internal security requirements, business-specific access control rules.
The prompt that works
Review this code for:
1. Error handling — are all failure paths handled?
2. Logic errors — any conditions, comparisons, or edge cases that look wrong?
3. Security — any obvious vulnerabilities?
4. Test coverage — what cases are not covered by the tests?
Do not give general style feedback. Flag only specific problems
with the file and line number.
Without the constraint at the end, Claude will fill the response with style comments and general observations. The constraint focuses it on actual problems.
How to weight the feedback
Error handling and logic errors: take these seriously and verify each one. Claude is right often enough that these are worth investigating.
Security: verify against your actual threat model. Don't just accept "this could be a security issue" — ask Claude to explain the specific attack vector.
Everything else: use judgment. Claude reviewing its own output is not reliable, and Claude reviewing code for fit with your system's patterns requires context it doesn't have.
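A small triage script, added here as an example (it is not from the page or from the Agent Prompt Playbook), that applies the weighting above mechanically and enforces the prompt's last constraint. It assumes the reviewer has been asked to emit one finding per line as `path:line [category] message`; that format is an assumption, since the prompt does not fix one. The review transcript it parses is made up.

```python
"""Constructed example: triage a first-pass review transcript. Assumed
output format, one finding per line: `path:line [category] message`.
Lines without a path:line anchor are the style chatter the prompt's last
sentence is meant to suppress, and are set aside rather than triaged."""
import re
from dataclasses import dataclass

FINDING_RE = re.compile(
    r"^(?P<path>[\w./-]+):(?P<line>\d+)\s+\[(?P<category>[a-z\s-]+)\]\s+(?P<msg>.+)$")

# Triage action per category, following the weighting in the text:
# error handling and logic get verified, security gets an attack-vector
# question first, everything else is a judgment call.
ACTIONS = {
    "error handling": "verify: reproduce the failure path",
    "logic": "verify: write a test for the edge case",
    "security": "ask for the specific attack vector, then check it against the threat model",
}
DEFAULT_ACTION = "use judgment: needs codebase context the reviewer does not have"


@dataclass
class Finding:
    path: str
    line: int
    category: str
    message: str
    action: str


def parse_review(text: str) -> tuple[list[Finding], list[str]]:
    """Split a review into anchored findings and unanchored remarks.
    The unanchored list is returned so it can be counted: a large one is
    a sign the prompt constraint was ignored and needs tightening."""
    findings, unanchored = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if not m:
            unanchored.append(line)
            continue
        cat = m["category"].strip().lower()
        findings.append(Finding(m["path"], int(m["line"]), cat, m["msg"],
                                ACTIONS.get(cat, DEFAULT_ACTION)))
    return findings, unanchored


def by_priority(findings: list[Finding]) -> list[Finding]:
    """Order: the verifiable classes first (error handling, logic), then
    security, then everything else, so the findings the reviewer is most
    often right about are worked before the ones needing the most context."""
    rank = {"error handling": 0, "logic": 0, "security": 1}
    return sorted(findings, key=lambda f: (rank.get(f.category, 2), f.path, f.line))


# Made-up transcript in the assumed format, with two unanchored remarks.
SAMPLE_REVIEW = """\
Overall the module is well organised and the naming is clear.
api/users.py:42 [error handling] fetchone() result used without a None check
api/users.py:57 [security] query built with % formatting from request.args['name']
api/users.py:63 [logic] `if retries > MAX_RETRIES` should be `>=`; loop runs one extra time
tests/test_users.py:1 [test coverage] no test for the unknown-user path
Consider extracting the validation into a helper for readability.
"""

if __name__ == "__main__":
    findings, noise = parse_review(SAMPLE_REVIEW)
    for f in by_priority(findings):
        print(f"{f.path}:{f.line} [{f.category}] {f.message}\n    -> {f.action}")
    print(f"{len(noise)} unanchored remark(s) set aside")
```

The point of returning the unanchored remarks instead of discarding them silently is that their count is the cheapest signal that the "file and line number" constraint in the prompt is not being honoured, which is when it is worth rewording the prompt rather than reading the chatter.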
The Agent Prompt Playbook has the review prompt template plus prompts for getting Claude to explain its reasoning on flagged issues. $29.