← IndexEntry № 002·coding

Perform a Thorough Code Review on a Pull Request

Get a senior-engineer-style code review with categorized, file-referenced feedback.

Optimized for
ClaudeChatGPT
§ When to use this

This prompt turns a model into a senior staff engineer who reviews a raw diff and returns categorized, file-referenced feedback. Reach for it when you want a structured second pair of eyes before merging — especially on PRs where correctness or security matter more than style. The five-category structure forces the model to look past surface formatting and surface the issues that actually break things in production.

§ The Prompt— fill in the fields, then copy or open in a tool
§ Customize0/1 fields filled
your prompt — fill the fields above
You are a senior staff engineer reviewing a pull request. Below is the diff. Identify: (1) correctness bugs, (2) performance issues, (3) security concerns, (4) code style or readability improvements, (5) missing test coverage. For each, cite the file:line and propose a specific fix. Prioritize critical issues first. Skip nitpicks unless they affect maintainability.

DIFF:
[PASTE DIFF HERE]
Open with your prompt →ChatGPTClaudeSends your filled-in prompt straight into a new chat.
§ Example Output

What you can expect back

Critical
- src/routes/user.ts:6 — SQL injection. `id` is interpolated directly into the query string. Use a parameterized query: `db.query('SELECT * FROM users WHERE id = ?', [id])`.
- src/auth/middleware.ts:2 — Crash on missing header. `req.headers.authorization` is undefined when no token is sent, so `.split()` throws and returns a 500 instead of 401. Guard it: `const header = req.headers.authorization; if (!header) return res.status(401).end();`

High
- src/auth/middleware.ts:3 — `jwt.verify` throws on an invalid/expired token; wrap in try/catch and return 401 rather than letting it bubble to a 500.

Missing test coverage
- No tests for requireAuth covering: valid token, missing header, malformed token, expired token. Add these before merging.

Style/maintainability
- src/auth/middleware.ts — add explicit types for req/res/next; the implicit `any` weakens the rest of the chain.

Illustrative example — your results will vary by tool and inputs.

§ Pro Tips

Get sharper results

  • 01Include a few lines of surrounding context in the diff (use `git diff -U10`) so the model can reason about callers and types, not just the changed lines.
  • 02Tell it the language, framework, and runtime up front (e.g. 'Node 20, Express, TypeScript') so security and performance advice is idiomatic rather than generic.
  • 03If the PR is large, paste it in logical chunks by file and ask for a final consolidated priority list at the end, so nothing gets truncated mid-review.
  • 04Add a line like 'Assume this ships to production handling untrusted user input' to push the model harder on the security category.
  • 05Ask it to label each finding with a severity it would actually block the merge on, so you can triage rather than treating all feedback as equal.
§ Variations

Adapt it for your case

Security-only deep pass

Drop categories 1-4 and ask only for security concerns, with an explicit checklist: injection, authz, secrets, input validation, and dependency risk.

Junior-dev coaching mode

Add 'Explain the why behind each issue as if mentoring a junior engineer' so the output doubles as a teaching review.

Inline comment format

Ask for output as GitHub-style suggestions (```suggestion blocks) so you can paste fixes directly into the PR thread.

Best For — Roles
Use For — Tasks
Tags#code-review#pr#engineering
§ FAQ

Common questions

Can it review a diff that spans dozens of files?

Yes, but very large diffs risk hitting context limits or shallow attention per file. Split by directory or feature and request a final merged priority list across the chunks.

Will it catch bugs that depend on code not in the diff?

Only if you give it that context. The model can't see your full codebase, so paste relevant called functions or type definitions when a bug would depend on them.

Should I trust its security findings without checking?

Treat them as leads, not verdicts. It's good at flagging classic patterns like injection and missing auth, but confirm each finding against your actual code paths before acting.

§ Related Entries

You may also need