Automate PR review, diff analysis, and pre-commit checks with Claude Code. Includes workflow examples for solo developers and teams.
Claude Code can act as a first-pass code reviewer — catching logic errors, security issues, and style violations before code reaches human reviewers. Here are the workflows that work well.
```bash
# Review staged changes before committing:
git add -p  # interactive staging

# Then in Claude Code:
/review

# Or ask specifically:
"Review the staged changes. Focus on:
- Logic errors and off-by-one bugs
- Missing error handling
- Any hardcoded values that should be config
- Test coverage — which cases are missing?"

# Claude reads git diff --cached and produces a structured checklist.
```
```bash
# Prerequisites: gh CLI installed (brew install gh), authenticated

# Review a PR by number:
gh pr diff 142 | claude --print "Review this pull request. For each issue found:
- State the file and line number
- Explain the problem
- Suggest the fix
Group by: Critical, Medium, Nit"

# Review your own branch before opening a PR:
git diff main...HEAD | claude --print "Review these changes as if you were a senior engineer doing code review"
```
```yaml
# .github/workflows/ai-review.yml
name: AI Code Review
on:
  pull_request:
    types: [opened, synchronize]
# Least privilege for GITHUB_TOKEN: read the repo, write PR comments.
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install Claude CLI
        run: npm install -g @anthropic-ai/claude-code
      - name: Review PR
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          REVIEW=$(gh pr diff ${{ github.event.pull_request.number }} | claude --print "Review this PR diff. Be concise. Format as markdown." --allowedTools "")
          gh pr comment ${{ github.event.pull_request.number }} --body "## AI Review (Claude Sonnet 4.6)
          $REVIEW
          ---
          *Automated review — verify all suggestions before merging.*"
```
```text
# Security-focused review:
"Review src/auth/ for security issues only.
Check for: SQL injection, JWT validation gaps, session fixation,
missing rate limiting, hardcoded secrets."

# Performance review:
"Review the changes in src/db/queries.py for performance issues.
Flag N+1 queries, missing indexes, and unbounded result sets."

# API contract review (before breaking change):
"Check if the changes to src/api/users.py break any existing API contracts.
Look at how the endpoints are called in tests/ and client-side code."
```
```markdown
# CLAUDE.md — Review checklist section

## Review checklist
When reviewing code, always check:
- [ ] All database queries use parameterized statements (no string interpolation)
- [ ] New endpoints have rate limiting applied
- [ ] Migrations are reversible (have a down() method)
- [ ] Environment variables are read from config.py only
- [ ] Test files are in tests/{unit,integration}/ matching the module path
- [ ] No direct access to request.user outside of the router layer

# Claude Code reads this automatically before /review
```
```bash
# Review all changed Python files in a branch:
# ('\.py$' escapes the dot so only a real .py extension matches;
#  read -r keeps backslashes in file names intact)
git diff main..HEAD --name-only | grep '\.py$' | while IFS= read -r f; do
  echo "### $f"
  git diff main..HEAD -- "$f" | claude --print "Review this diff. Be concise. Flag only real issues, not style." --allowedTools ""
done > pr-review.md
cat pr-review.md
```
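
Both the CI workflow and the batch loop above send raw diffs to an external API. The filter below is an added example, not part of the original page or of Claude Code: it drops whole file sections for sensitive paths and redacts assignment-style secrets before the diff is piped onward. The function name `scrub_diff`, the path list and the regex are assumptions, and the heuristic does not replace a dedicated secret scanner.

```shell
#!/bin/sh
# Added example, not from the original page. scrub_diff, the path list and the
# secret regex are assumptions; paths containing spaces are not handled.
scrub_diff() {
  awk -v q="'" '
    BEGIN {
      qt = "[\"" q "]"   # either quote character
      # Assignment of a quoted literal to a secret-looking name (heuristic).
      secret = "(api[_-]?key|secret|token|passw(or)?d)[a-z0-9_]*" qt "?[ \t]*[:=][ \t]*" qt
      # Files that should never leave the machine (assumed list).
      paths = "(^|/)([.]env[^/]*|[^/]*[.](pem|key|p12)|id_rsa[^/]*)$"
    }
    /^diff --git / {
      file = $NF; sub(/^b\//, "", file)      # "diff --git a/x b/x" -> x
      skip = (file ~ paths)
      if (skip) { print; print "[omitted: sensitive path]"; next }
    }
    skip { next }                            # drop the rest of that file section
    # Rewrite only added/removed lines, never the ---/+++ file headers.
    /^[+-]/ && !/^(\+\+\+|---) / && tolower($0) ~ secret {
      print substr($0, 1, 1) "[REDACTED: possible secret]"; next
    }
    { print }
  '
}

# Constructed sample diff (all values are made up).
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,2 +1,4 @@
 DEBUG = False
+API_KEY = "constructed-example-value"
+TIMEOUT = 30
diff --git a/deploy/.env.prod b/deploy/.env.prod
--- a/deploy/.env.prod
+++ b/deploy/.env.prod
@@ -1 +1,2 @@
 REGION=eu
+DB_PASSWORD=constructed
EOF
)

# Usage in the pipelines above: git diff main...HEAD | scrub_diff | claude --print "..."
printf '%s\n' "$SAMPLE_DIFF" | scrub_diff
```

Unquoted values such as `password: value` in YAML are not caught by the line heuristic, which is why files like `.env` are dropped by path instead.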
For setting up automatic linting and formatting hooks in Claude Code, see Claude Code hooks tutorial. For generating commit messages and PR descriptions, see Claude Code git workflow.