Best Claude Prompt for Code Review
Why Claude?
Claude performs structured, opinionated code review across security, performance, and maintainability dimensions — with severity ratings. It won't just say 'looks good' and can identify subtle issues like SQL injection vectors, memory leaks, and N+1 query patterns.
Prompt Template
<role>
You are a principal engineer conducting a code review. Your standard: production-grade code that a security auditor and a performance engineer would both approve. You give direct, actionable feedback — not vague suggestions.
</role>
<code_to_review>
Language: {{language}}
Context: {{context}}
{{code}}
</code_to_review>
<instructions>
Review this code across four dimensions. For each issue found, assign a severity: CRITICAL / HIGH / MEDIUM / LOW.
1. **Security**: Injection risks, auth bypasses, data exposure, input validation gaps
2. **Performance**: N+1 queries, missing indexes, blocking I/O, unnecessary allocations
3. **Correctness**: Logic errors, edge cases not handled, off-by-one errors, race conditions
4. **Maintainability**: Naming clarity, magic numbers, missing error handling, test coverage gaps
Format each issue as:
[SEVERITY] Category — Issue description
Fix: specific code change or approach
After all issues, give a summary verdict: APPROVE / REQUEST CHANGES / BLOCK, with one sentence of rationale.
Be honest about uncertainty. If something looks suspicious but you can't confirm without more context, say so.
</instructions>
Example Output
[CRITICAL] Security — SQL injection via f-string interpolation in both queries. An attacker can bypass token validation entirely with token = `' OR '1'='1`.
Fix: Use parameterized queries: `db.execute("SELECT * FROM users WHERE reset_token = ?", (token,))`
[CRITICAL] Security — Password stored in plaintext.
Fix: Hash with bcrypt: `hashed = bcrypt.hashpw(new_password.encode(), bcrypt.gensalt())`
[HIGH] Security — No token expiry check. Reset tokens should expire after 15-60 minutes.
Fix: Add `AND token_expires_at > datetime('now')` to the SELECT query and store expiry on token creation.
[HIGH] Correctness — No input validation. request.json could be None or missing keys, causing a 500.
Fix: Validate with marshmallow or manually check for None before accessing keys.
[MEDIUM] Security — Token not invalidated after use. Same token can reset the password multiple times.
Fix: Set reset_token = NULL after successful reset.
VERDICT: BLOCK — Two critical SQL injection vulnerabilities and plaintext password storage make this unsafe to merge under any circumstances.
Tips for Better Results
Paste the full function including its imports and any helper calls it makes. Context about what the code is supposed to do (security-sensitive? high-traffic?) significantly sharpens the review.
Example (filled in)
<role>
You are a principal engineer conducting a code review. Your standard: production-grade code that a security auditor and a performance engineer would both approve. You give direct, actionable feedback — not vague suggestions.
</role>
<code_to_review>
Language: Python
Context: Password reset endpoint in a Flask REST API
from flask import Flask, request, jsonify

app = Flask(__name__)
# db: the application's database connection, opened elsewhere in the app

@app.route('/reset-password', methods=['POST'])
def reset_password():
    token = request.json['token']
    new_password = request.json['password']
    user = db.execute(f"SELECT * FROM users WHERE reset_token = '{token}'").fetchone()
    if user:
        db.execute(f"UPDATE users SET password = '{new_password}' WHERE id = {user['id']}")
        db.commit()
        return jsonify({'status': 'ok'})
    return jsonify({'error': 'invalid token'}), 400
</code_to_review>
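The example output above lists five fixes for this endpoint (bound parameters, hashed passwords, a token expiry check, input validation, and burning the token after use). The following is an added example of the endpoint with all five applied; it is not part of the original page or of any project's code. It is written framework-free so it runs without Flask: the handler takes the decoded JSON body and returns a (response, status) pair instead of a Flask response. The review suggests bcrypt; PBKDF2-HMAC-SHA256 from the standard library is swapped in here so the example has no third-party dependencies. The schema, the `users` columns, the token values and the user rows are constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical hardened rewrite of the page's reset_password endpoint.
# Framework-free: the handler receives the decoded JSON body and returns
# (response_dict, http_status). PBKDF2-HMAC-SHA256 stands in for the bcrypt
# the review recommends, so this runs with only the standard library.

PBKDF2_ITERATIONS = 200_000
MIN_PASSWORD_LENGTH = 12
TOKEN_LIFETIME = timedelta(minutes=30)  # inside the 15-60 minute window the review suggests
SQLITE_TS = "%Y-%m-%d %H:%M:%S"        # same text format as SQLite's datetime('now')


def now_text():
    return datetime.now(timezone.utc).strftime(SQLITE_TS)


def hash_password(password):
    """Salted PBKDF2 hash stored as algorithm$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def reset_password(db, body, now=None):
    """Validate input, look up the token with bound parameters and an expiry
    check, store a salted hash, and clear the token so it cannot be reused."""
    # [HIGH] Correctness: a missing or malformed body yields a 400, not a 500
    if not isinstance(body, dict):
        return {"error": "invalid request body"}, 400
    token = body.get("token")
    new_password = body.get("password")
    if not isinstance(token, str) or not isinstance(new_password, str):
        return {"error": "token and password are required"}, 400
    if len(new_password) < MIN_PASSWORD_LENGTH:
        return {"error": "password too short"}, 400

    now = now or now_text()
    # [CRITICAL] Security: bound parameters instead of f-string interpolation
    # [HIGH] Security: the expiry check is part of the token lookup
    user = db.execute(
        "SELECT id FROM users WHERE reset_token = ? AND token_expires_at > ?",
        (token, now),
    ).fetchone()
    if user is None:
        return {"error": "invalid token"}, 400

    # [CRITICAL] Security: store a salted hash, never the plaintext
    # [MEDIUM] Security: NULL out the token so the same link cannot reset twice
    db.execute(
        "UPDATE users SET password_hash = ?, reset_token = NULL, token_expires_at = NULL WHERE id = ?",
        (hash_password(new_password), user[0]),
    )
    db.commit()
    return {"status": "ok"}, 200


def make_db():
    """Constructed in-memory fixture: one live reset token and one expired token."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT,"
        " reset_token TEXT, token_expires_at TEXT)"
    )
    future = (datetime.now(timezone.utc) + TOKEN_LIFETIME).strftime(SQLITE_TS)
    past = (datetime.now(timezone.utc) - TOKEN_LIFETIME).strftime(SQLITE_TS)
    db.executemany(
        "INSERT INTO users (id, email, password_hash, reset_token, token_expires_at) VALUES (?, ?, ?, ?, ?)",
        [
            (1, "alice@example.test", hash_password("old-password-123"), "tok-live-constructed", future),
            (2, "bob@example.test", hash_password("old-password-456"), "tok-expired-constructed", past),
        ],
    )
    db.commit()
    return db


if __name__ == "__main__":
    db = make_db()
    # The review's injection payload is now just an unmatched string: 400
    print(reset_password(db, {"token": "' OR '1'='1", "password": "correct-horse-battery"}))
    # First use of the live token succeeds: 200
    print(reset_password(db, {"token": "tok-live-constructed", "password": "correct-horse-battery"}))
    # Second use of the same token fails because it was cleared: 400
    print(reset_password(db, {"token": "tok-live-constructed", "password": "correct-horse-battery"}))
```

The `now` parameter exists only so tests can pin the clock; in production the default of the current UTC time is what you want, and the expiry column must be written in the same text format when the token is issued, otherwise the string comparison in the SELECT is meaningless.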