PR review is one of the highest-leverage things a team does and one of the easiest to let slip. Reviewers are busy, context is hard to acquire, and "LGTM" is always tempting.
Claude Code as a PR reviewer doesn't replace human review. But it's a fast first pass that catches consistent categories of problems before a teammate has to.
The review prompt
Review this PR diff. You're looking for:
1. Logic errors — does the code do what it claims?
2. Missing error handling — what happens when things fail?
3. Security issues — unvalidated input, exposed secrets, auth gaps
4. Performance problems — N+1s, missing indexes, unnecessary work in hot paths
5. Test coverage — is the important logic tested?
Be direct. Flag problems, not style preferences.
Don't comment on things that are correct.
Here's the diff: [paste diff]
The "don't comment on things that are correct" instruction cuts out the filler. Without it, Claude spends a third of the review saying things are good.
Adding codebase context
Claude reviews better when it knows your conventions. Before the diff, add:
Context for this codebase:
- Error handling pattern: throw custom AppError with code and message
- All API responses go through the formatResponse helper
- Auth is checked via requireAuth middleware, not in individual handlers
- Database queries use the query builder in lib/db.ts, not raw SQL
This lets Claude flag when a PR deviates from conventions. Without context, it can't know what "wrong" looks like for your codebase.
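One way to script the assembly described above, with context first, then the review prompt, then the diff. This is an added example, not code from the original post; the file names `conventions.txt` and `pr.diff`, the base branch `origin/main`, and piping the result into `claude -p` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the review prompt as
# codebase context, then review instructions, then the diff.
# Hypothetical names: conventions.txt, pr.diff, origin/main.

# Usage: build_review_prompt CONTEXT_FILE DIFF_FILE
# Prints the prompt on stdout; returns 1 when there is no diff to review.
build_review_prompt() {
    context_file=$1
    diff_file=$2

    # Refuse an empty diff rather than sending a prompt with nothing in it.
    if [ ! -s "$diff_file" ]; then
        echo "build_review_prompt: diff is empty or missing: $diff_file" >&2
        return 1
    fi

    # Conventions go before the diff. The file is optional, but without it
    # the reviewer cannot tell when a change deviates from house patterns.
    if [ -s "$context_file" ]; then
        echo "Context for this codebase:"
        cat "$context_file"
        echo
    fi

    cat <<'EOF'
Review this PR diff. You're looking for:
1. Logic errors: does the code do what it claims?
2. Missing error handling: what happens when things fail?
3. Security issues: unvalidated input, exposed secrets, auth gaps
4. Performance problems: N+1s, missing indexes, unnecessary work in hot paths
5. Test coverage: is the important logic tested?
Be direct. Flag problems, not style preferences.
Don't comment on things that are correct.
Here's the diff:
EOF
    cat "$diff_file"
}

# Typical use (assumes Claude Code's print mode reads the prompt on stdin):
#   git diff origin/main...HEAD > pr.diff
#   build_review_prompt conventions.txt pr.diff | claude -p
```

Keeping the conventions in a file checked into the repository means every review, whoever runs it, starts from the same context.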
What Claude catches well
- Missing null checks on values that could be undefined
- Async functions where errors aren't caught
- SQL queries missing WHERE clauses that could affect all rows
- Hardcoded values that should be constants or env vars
- Functions doing too many things
- Test cases missing the error path
What Claude misses
- Business logic correctness — whether the feature does what the ticket asks
- Whether this is the right approach for the problem
- Product and UX implications
- Context-specific security risks (Claude knows general patterns, not your specific threat model)
- Performance at your actual scale (Claude can't know your query volumes)
Human review is still necessary for the second list. Claude is a first pass, not a replacement.
Self-review before submitting
I run the same prompt on my own PRs before pushing for review:
Review this before I submit it for human review.
Pretend you're a senior developer on this team seeing this diff cold.
What questions would you ask? What would you flag?
This catches issues I'm too close to see — the ones that are obvious to someone reading with fresh eyes.
The reviewer fatigue problem
One underrated benefit: Claude reviews every PR with the same attention level. No fatigue, no "I've seen this pattern enough times, probably fine". The tenth PR of the week gets the same review as the first.