Intermediate

Code Review Workflow

Claude can run a structured code review covering security, correctness, style, and maintainability — faster than waiting for a human reviewer and without the social friction of critical feedback. This workflow covers what to ask for and how to integrate Claude review into your PR process.

What to Ask Claude to Look For

A broad "review this code" prompt produces generic feedback. Specific review scopes produce actionable findings:

Security review

"Review this code for security vulnerabilities. Focus on: SQL injection, command injection, authentication and authorization gaps, sensitive data exposure, and input validation. Flag each issue with severity (high/medium/low) and suggest a fix."

Correctness review

"Review this code for correctness. Look for: logic errors, off-by-one errors, null/undefined handling gaps, edge cases not covered, and incorrect assumptions about input shape or range."

Style and maintainability review

"Review this code for readability and maintainability. Look for: unclear variable/function names, functions that do too much, duplicated logic, missing error handling, and patterns that will be hard to extend."

Performance review

"Review this code for performance issues. Flag: N+1 query patterns, unnecessary data fetching, expensive operations inside loops, missing indexes (for SQL), and memory leak risks."

Run reviews separately by scope — a combined "security + style + performance" prompt produces a long list that's harder to prioritise and act on.

Security Review in Depth

For security-sensitive code, provide Claude with the context it needs to give useful findings:

  • Specify the runtime environment: "This runs as a web server accessible from the public internet."
  • Identify trust boundaries: "The input comes from unauthenticated users. The output goes to a database shared with other tenants."
  • State what already exists: "Authentication is handled at the API gateway — assume requests reaching this code are authenticated."

Common findings Claude reliably catches: unparameterised SQL queries, unsanitised HTML rendering (XSS), hardcoded credentials, missing rate limiting on sensitive endpoints, overly broad CORS settings, and insecure deserialization patterns.
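To make the first finding on that list concrete, here is an added example (not code from the page or from Claude) of the pattern a security-scoped review prompt should flag, placed beside its fix. It uses Python's standard sqlite3 module with an in-memory table and constructed sample rows; the function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users (email, api_key) VALUES (?, ?)",
        [("alice@example.com", "key-alice"), ("bob@example.com", "key-bob")],
    )
    return conn


def find_user_vulnerable(conn, email):
    # Unparameterised query: the caller's string is spliced into the SQL text,
    # so the input can change the statement's structure. A review scoped to
    # SQL injection should report this as high severity.
    query = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, email):
    # Parameterised query: the driver binds the value separately from the
    # statement, so the input is only ever compared as data.
    rows = conn.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]


def demo():
    """Run both versions on a normal input and on a constructed hostile input."""
    conn = make_db()
    normal = "alice@example.com"
    # Constructed input of the kind a reviewer uses to confirm the finding:
    # it turns the WHERE clause into a tautology in the vulnerable version.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),
        "fixed_normal": find_user_fixed(conn, normal),
        "fixed_hostile": find_user_fixed(conn, hostile),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable version returns every row for the hostile input, while the parameterised version returns nothing, which is the behaviour difference the suggested fix in a review finding should point at.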

Important: Claude's security review is a first-pass filter, not a security audit. For production code handling sensitive data, a human security review or automated SAST tooling is also needed.

Integrating Claude Review into a PR Workflow

Practical approaches for using Claude review alongside human review:

  • Pre-PR self-review: Run a Claude review before opening the PR. Fix the easy wins (style, obvious logic errors, missing error handling) so human reviewers can focus on architecture and business logic.
  • Claude Code in the editor: With Claude Code, you can run inline reviews in your editor as you write — ask Claude to review the current file or a selection before committing.
  • Scoped diff review: Paste only the diff for the PR, not the entire file. Ask Claude to review the changes in context: "Here is the diff for this PR. What issues does this change introduce?"
  • Post-human-review validation: After human review comments are addressed, ask Claude: "The reviewer flagged [issue]. Here is my fix. Does this correctly address the concern?"
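As an added example of the scoped diff review above (not code from the page or from Claude Code), this script parses a unified diff into the added lines per file and wraps the diff in the environment and trust-boundary context recommended earlier on the page. The diff is constructed for the example, the hunk parsing is a deliberately simple heuristic (it keys on the `+++`, `@@`, `+` and `-` prefixes only), and the function names are hypothetical.

```python
import re

# Constructed unified diff standing in for a real PR diff.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -10,2 +10,3 @@
 def lookup(conn, email):
-    return conn.execute("SELECT * FROM users WHERE email = ?", (email,))
+    query = f"SELECT * FROM users WHERE email = '{email}'"
+    return conn.execute(query)
diff --git a/app/settings.py b/app/settings.py
--- a/app/settings.py
+++ b/app/settings.py
@@ -1,1 +1,2 @@
 DEBUG = False
+ALLOWED_ORIGINS = ['*']
"""

# Captures the starting line number of the new-file side of a hunk.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def parse_diff(diff_text):
    """Return {path: [(new_line_no, text), ...]} containing only added lines."""
    changes = {}
    path = None
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New-file header; strip git's "b/" prefix.
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            changes.setdefault(path, [])
            continue
        if line.startswith(("--- ", "diff --git", "index ")):
            continue
        m = HUNK_RE.match(line)
        if m:
            new_line = int(m.group(1))
            continue
        if path is None:
            continue
        if line.startswith("+"):
            changes[path].append((new_line, line[1:]))
            new_line += 1
        elif line.startswith("-"):
            # Removed line: present only on the old side, no new-line number.
            continue
        else:
            # Context line: exists on both sides, advances the new-side counter.
            new_line += 1
    return changes


def build_review_prompt(diff_text, environment, trust_boundary):
    """Wrap the scoped diff in the context the page recommends giving Claude."""
    changes = parse_diff(diff_text)
    files = ", ".join(sorted(changes))
    return (
        f"Runtime environment: {environment}\n"
        f"Trust boundary: {trust_boundary}\n"
        f"Files changed: {files}\n"
        "Here is the diff for this PR. What issues does this change introduce? "
        "Flag each issue with severity (high/medium/low) and suggest a fix.\n\n"
        f"{diff_text}"
    )


if __name__ == "__main__":
    print(build_review_prompt(
        SAMPLE_DIFF,
        "web server accessible from the public internet",
        "email comes from unauthenticated users",
    ))
```

Keeping only the changed files and lines in the prompt header lets the reviewer (human or Claude) answer "what does this change introduce?" rather than re-reviewing unchanged code; the per-file line numbers make it easy to map findings back to the PR.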

When to Trust Claude's Review vs Verify Manually

Claude's review reliability varies by review type:

  • High trust: Style and naming suggestions, missing error handling, obvious logic errors, hardcoded credentials, SQL injection in simple patterns. These are low-ambiguity findings — act on them directly.
  • Medium trust: Performance suggestions, architectural recommendations. Claude may not understand your full system context — evaluate against what you know about the broader system.
  • Lower trust: Complex security chains, race conditions, distributed system edge cases, business logic correctness. These require domain knowledge and system-level understanding that Claude may lack. Verify with a human expert.

A good signal: if Claude's finding surprises you and you can't immediately see why it would be an issue, investigate before acting on it — it may be a false positive based on incomplete context.

Checklist: Do You Understand This?

  • Run focused reviews by scope (security / correctness / style / performance) rather than one broad "review everything" prompt
  • For security review, provide trust boundaries and environment context — Claude gives better findings with this
  • Use Claude pre-PR to clean up easy wins so human reviewers can focus on higher-level concerns
  • Diff review (not full file review) is more efficient for PR changes
  • High trust: style + obvious errors. Lower trust: complex security chains and business logic correctness — verify manually

Page built: 01 Jun 2026