Automated Code Reviews

Your team’s code review backlog has 15 PRs waiting. Three have been open for four days. Your senior developers spend 30% of their time reviewing code, and half the comments are the same recurring issues: missing error handling, unvalidated inputs, tests that only cover the happy path. Claude Code can handle the mechanical part of review, freeing human reviewers for the judgment calls that actually need experience.

What You Will Walk Away With

A CLI-based review workflow that catches common issues before human review
Pre-commit and pre-push review hooks
Structured review prompts for security, performance, and correctness
A custom /review command your whole team can use

The Review Workflow

Quick Diff Review

The simplest review is analyzing the current diff:

git diff | claude -p "Review this diff. Focus on: error handling, type safety, and security. Skip style issues. For each finding, state the file, line, severity (CRITICAL/HIGH/MEDIUM/LOW), and a specific fix."

Staged Changes Review

Before committing, review only staged changes:

git diff --cached | claude -p "Review these staged changes for issues that should be fixed before committing. Only flag issues that are CRITICAL or HIGH severity."

Copy-paste review command for your team:

Create .claude/commands/review.md:

Review the current git diff (run git diff HEAD). For each file changed:

1. **Correctness**: Logic errors, off-by-one, null/undefined risks, race conditions
2. **Error Handling**: Missing try/catch, unhandled promise rejections, generic error messages
3. **Security**: Injection risks, auth bypasses, sensitive data exposure, input validation
4. **Performance**: N+1 queries, unnecessary iterations, missing memoization, large payloads
5. **Testing**: Are changes covered by tests? Are edge cases tested?

Output format:
- Start with verdict: APPROVE, REQUEST_CHANGES, or COMMENT
- Group findings by severity: CRITICAL > HIGH > MEDIUM > LOW
- For each finding: file:line, issue, and specific fix
- End with one thing the author did well

Every team member runs /project:review and gets consistent review quality.

PR-Level Review

For reviewing an entire PR with full context:

# Review PR changes against main branch
git diff main...HEAD | claude -p "Review this PR. The changes implement [feature description]. Check that the implementation is correct, complete, and does not introduce regressions."

Review Subagent

Create a dedicated review subagent for deeper analysis:

---
description: "Senior code reviewer. Use after code changes or when review is explicitly requested."
tools:
  - Read
  - Grep
  - Glob
  - Bash
model: sonnet
---

You are a senior code reviewer. When reviewing:

1. Start with git diff to understand the scope
2. Read each modified file in full (not just the diff) to understand context
3. Check the test files for adequate coverage
4. Run the linter and type checker to catch mechanical issues

Review criteria:
- Correctness over cleverness
- Error handling at every boundary
- Types that prevent bugs at compile time
- Tests that would catch regressions

Be specific. Reference exact file paths and line numbers.
Acknowledge good patterns alongside issues.

Copy-paste security review prompt:

Run a security-focused review of the current changes (git diff HEAD):

1. Input validation: Are all user inputs validated before use?
2. Authentication: Are auth checks present on all protected endpoints?
3. Authorization: Does the code verify permissions, not just authentication?
4. Data exposure: Could error messages leak sensitive information?
5. Dependencies: Do any new dependencies have known vulnerabilities?
6. Secrets: Are there any hardcoded tokens, keys, or credentials?
7. Injection: Are database queries parameterized? Is HTML output escaped?

For each finding, provide:
- Severity: CRITICAL / HIGH / MEDIUM / LOW
- CWE category if applicable
- Specific remediation with code example

Automated Quality Gates

Pre-Push Hook

#!/bin/bash
# Runs a quick review before pushing

DIFF=$(git diff origin/main...HEAD --no-color)

if [ -z "$DIFF" ]; then
  exit 0
fi

RESULT=$(echo "$DIFF" | claude -p "Quick review of changes about to be pushed. \
  Only flag CRITICAL issues that MUST be fixed before this code reaches the remote. \
  Output 'PASS' if safe to push. Output 'BLOCK: [reason]' if there are critical issues." \
  --max-turns 3 --output-format text 2>&1)

if echo "$RESULT" | grep -q "BLOCK:"; then
  echo "Push blocked by review:"
  echo "$RESULT"
  echo ""
  echo "Fix the issues or use 'git push --no-verify' to bypass."
  exit 1
fi

Dependency Review

# Review dependency changes in a PR
git diff main...HEAD -- package.json package-lock.json | \
  claude -p "Review these dependency changes: \
    1. Are any new dependencies unnecessary (could we use existing tools)? \
    2. Check bundle size impact of new dependencies \
    3. Are any dependencies deprecated or unmaintained? \
    4. Are version ranges appropriate (too broad = risk, too narrow = maintenance)?"

When This Breaks

Reviews are too noisy: If Claude flags too many low-severity issues, adjust the prompt to focus on CRITICAL and HIGH only. Add “Skip style issues, formatting, and naming conventions — our linter handles those” to reduce noise.

Reviews miss project-specific patterns: Claude does not know your project conventions unless you tell it. Add review criteria to your CLAUDE.md file so every review session has project context.

Review takes too long in pre-commit: Limit the review scope. Use --max-turns 3 and focus the prompt on critical issues only. A pre-commit review should take 10-15 seconds, not 2 minutes.

False positives on intentional patterns: If Claude keeps flagging patterns that are intentional in your codebase, add exceptions to your CLAUDE.md: “The any type in src/legacy/ is intentional and should not be flagged in reviews.”

What is Next

GitHub Actions — Run reviews automatically on every PR in CI
Deployment Patterns — Pre-deployment review checklists
Custom Commands — Build more sophisticated review commands