Perform a Thorough Code Review on a Pull Request
Get a senior-engineer-style code review with categorized, file-referenced feedback.
This prompt turns a model into a senior staff engineer who reviews a raw diff and returns categorized, file-referenced feedback. Reach for it when you want a structured second pair of eyes before merging — especially on PRs where correctness or security matter more than style. The five-category structure forces the model to look past surface formatting and surface the issues that actually break things in production.
You are a senior staff engineer reviewing a pull request. Below is the diff. Identify: (1) correctness bugs, (2) performance issues, (3) security concerns, (4) code style or readability improvements, (5) missing test coverage. For each, cite the file:line and propose a specific fix. Prioritize critical issues first. Skip nitpicks unless they affect maintainability. DIFF: [PASTE DIFF HERE]
What you can expect back
Critical
- src/routes/user.ts:6 — SQL injection. `id` is interpolated directly into the query string. Use a parameterized query: `db.query('SELECT * FROM users WHERE id = ?', [id])`.
- src/auth/middleware.ts:2 — Crash on missing header. `req.headers.authorization` is undefined when no token is sent, so `.split()` throws and returns a 500 instead of 401. Guard it: `const header = req.headers.authorization; if (!header) return res.status(401).end();`
High
- src/auth/middleware.ts:3 — `jwt.verify` throws on an invalid/expired token; wrap in try/catch and return 401 rather than letting it bubble to a 500.
Missing test coverage
- No tests for requireAuth covering: valid token, missing header, malformed token, expired token. Add these before merging.
Style/maintainability
- src/auth/middleware.ts — add explicit types for req/res/next; the implicit `any` weakens the rest of the chain.Illustrative example — your results will vary by tool and inputs.
Get sharper results
- 01Include a few lines of surrounding context in the diff (use `git diff -U10`) so the model can reason about callers and types, not just the changed lines.
- 02Tell it the language, framework, and runtime up front (e.g. 'Node 20, Express, TypeScript') so security and performance advice is idiomatic rather than generic.
- 03If the PR is large, paste it in logical chunks by file and ask for a final consolidated priority list at the end, so nothing gets truncated mid-review.
- 04Add a line like 'Assume this ships to production handling untrusted user input' to push the model harder on the security category.
- 05Ask it to label each finding with a severity it would actually block the merge on, so you can triage rather than treating all feedback as equal.
Adapt it for your case
Drop categories 1-4 and ask only for security concerns, with an explicit checklist: injection, authz, secrets, input validation, and dependency risk.
Add 'Explain the why behind each issue as if mentoring a junior engineer' so the output doubles as a teaching review.
Ask for output as GitHub-style suggestions (```suggestion blocks) so you can paste fixes directly into the PR thread.
Common questions
Can it review a diff that spans dozens of files?
Yes, but very large diffs risk hitting context limits or shallow attention per file. Split by directory or feature and request a final merged priority list across the chunks.
Will it catch bugs that depend on code not in the diff?
Only if you give it that context. The model can't see your full codebase, so paste relevant called functions or type definitions when a bug would depend on them.
Should I trust its security findings without checking?
Treat them as leads, not verdicts. It's good at flagging classic patterns like injection and missing auth, but confirm each finding against your actual code paths before acting.
You may also need
Refactor Code for Readability and Maintainability
Refactor any code for readability and maintainability without changing its behavior.
Audit Code for Performance Bottlenecks
Identify performance bottlenecks in code and get ranked, impact-focused optimization suggestions.
Run a Security Review on Code
Get an OWASP-aligned security review with severity ratings and remediation snippets.
Design a Clean REST API for a New Resource
Get a complete REST endpoint design with shapes, errors, and idempotency notes.