How to Use AI for Code Review: A Developer's Workflow

The Code Review Problem Every Developer Knows

If you ship code for a living, you know the rhythm. You push a PR. It sits for a day. The reviewer is busy. They finally glance at it, leave three nitpicks, and approve. You merge. A week later, a bug surfaces that a careful reviewer would have caught in 30 seconds. The problem is not lazy reviewers. The problem is that human reviewers get tired, skim long diffs, and miss edge cases that do not jump off the page. A solid ai code review workflow fills exactly this gap. It is not a replacement for human review. It is a pre-human pass that catches the boring stuff: obvious bugs, missing null checks, security smells, inconsistent patterns. I have been running this workflow on every PR I ship for the last year, and it has cut the number of post-merge bugs I introduce by roughly 70%. Here is how to set it up.

What You Need

• Claude Code, Cursor, or GitHub Copilot Chat for the heavy-lift reviews
• A terminal with git diff access to pipe changes to the AI
• Your project's style guide (or the patterns you want enforced) written down once
• 15 minutes of setup and about 3 to 5 minutes per review thereafter

If you are choosing tools, our Claude Code vs GitHub Copilot breakdown compares the two head-to-head for code review specifically.

Step 1: Build Your Project Context Document

The single biggest mistake developers make with AI code review is skipping context. They paste a 500-line diff and ask "review this." The AI responds with generic feedback: "consider adding error handling," "variable names could be clearer." Useless. The fix is a short context document the AI reads before every review.

The Prompt (run once, save the output)

Why This Is the Unlock

Your CONTEXT.md becomes the first block of every review prompt. The AI stops giving generic advice and starts giving your team's specific advice. Structure your CONTEXT.md using the TAG framework if you want a clean Task, Action, Goal format that keeps the AI focused.

Step 2: Run a Style and Consistency Review

The first pass is the easiest. You want the AI to catch style drift: naming, formatting, the places where your diff breaks from the patterns you have established elsewhere. This catches roughly 80% of what a junior reviewer would flag, in about 15 seconds.

The Prompt

How to Feed the Diff

In your terminal, run git diff main...HEAD | pbcopy on macOS or git diff main...HEAD | xclip -selection clipboard on Linux. Paste directly. For very large diffs over 2000 lines, split by file or review the diff in chunks.

What You Should Expect

A clean list of 5 to 15 findings. Most will be nits. Fix the blockers, consider the suggestions, and ignore the preferences you disagree with. The goal is not perfection. The goal is no brain cycles spent on whitespace.

Step 3: Run a Bug and Logic Review

This is where AI earns its keep. Human reviewers miss logic bugs because they match patterns visually rather than mentally executing the code. AI is shockingly good at walking through branches and catching off-by-one errors, null dereferences, and state mutations you did not intend.

The Prompt

The Three-Input Trick

Asking the AI to trace three specific input types is the single prompt technique that changed my review quality. Without it, AI tends to say "this looks okay" for anything that compiles. With it, you get actual bug reports with reproducing inputs.

For PRs that modify security-sensitive code, layer the RACE framework on top: define Role (senior security engineer), Action (audit), Context (threat model), Expectation (CWE-tagged findings).

Step 4: Run a Security Pass

Security issues are the ones that hurt most. Missing input validation, leaked secrets, SQL injection, unsafe deserialization. A security-focused pass takes 2 minutes and has caught a handful of issues in my own PRs that would have been ugly in production.

The Prompt

A Word of Caution

AI catches the common stuff. It is not a substitute for a real security review on sensitive systems. Treat this pass as a triage layer: it catches 80% of the low-hanging fruit, freeing your security team to focus on the architectural issues AI will miss. For reference on common issues, the OWASP Top 10 is still the authoritative list.

Step 5: Run a Performance Review

Not every PR needs a performance review. But when you are touching hot paths, loops over large collections, or database queries, a quick AI review catches the obvious performance smells before they hit production.

The Prompt

When to Skip This Pass

If your diff is pure refactor inside a single function or it only touches configuration, skip performance review. Use it on any change that modifies data access, background jobs, request handlers, or anything inside a loop. For quick one-pass checks, the APE framework is clean: Action (review), Purpose (flag perf smells), Expectation (numbered list with line numbers).

Step 6: Generate the PR Description From the Reviews

You already have four passes of review notes. Why write the PR description by hand? Let the AI summarize the change based on the diff and the review findings.

The Prompt

Why This Matters

Most PR descriptions are garbage because the author is tired by the time they write them. AI handles the boring summarization so you can write the one or two sentences that really need human judgment: why you chose this approach, what you rejected, what you are unsure about. For more on improving code review output generally, see our guide to AI prompts for code review.

Real Example: Before and After

Here is a recent PR I shipped, reviewed with and without the workflow above.

Before (No AI Review)

I worked on a caching layer for an API endpoint. Shipped a 320-line PR. My reviewer skimmed it in 10 minutes, left two nits, approved. Three days later we noticed a memory leak under load: my LRU cache was keyed on the request body, which occasionally contained large attachments. The cache grew unbounded. Rollback, hotfix, apology in #incidents. Total cost: about 4 engineer-hours plus the pager noise.

After (Same PR, With AI Workflow)

Same code, ran through the workflow. Style pass: 4 nits, all fixed in 2 minutes. Bug pass: flagged "cache key can grow arbitrarily if request bodies are large, no size limit on the LRU." Security pass: flagged that the cache key could reveal request bodies if cache inspection tooling was enabled. Performance pass: confirmed the cache keys should be hashed. Human reviewer: "Ship it."

Total AI review time: 8 minutes. Total human review time: under 10 minutes because the PR came with clean commits and a pre-written description. Memory leak caught before merge. This one review more than paid for the time I have spent learning the workflow.

Tips and Common Mistakes

Things I have learned the hard way running this on every PR:

Run the passes in order. Style first, then bugs, then security, then performance. Each pass builds on the cleaner code from the previous pass. Mixing them in one prompt produces mushy output.

Update your CONTEXT.md quarterly. Your patterns drift. New conventions emerge. If your context doc is 6 months old, the AI is enforcing the old rules.

Do not blindly accept AI suggestions. AI is confidently wrong maybe 10 to 15% of the time. When it suggests a "fix," trace through the code yourself before committing. The confidence field I include in prompts helps, but it is not infallible.

Don't do this: feed proprietary code into untrusted tools. If your employer has a data policy, follow it. Use Claude Code or Copilot in the tier your company has approved. Do not paste production code into free-tier chat interfaces.

Chain with your CI pipeline when you can. Tools like Claude Code support programmatic reviews. Wire up your review prompts to run on every PR as a bot comment. For a comparison of tools that support this, the AI coding assistants comparison has the current landscape.

What to Do Next

You now have a complete AI code review workflow: context, style, bugs, security, performance, and PR descriptions. Running this on every PR takes about 10 minutes of your time and catches issues you would otherwise miss.

For tool selection, the best AI code editors of 2026 guide ranks the editors that support this workflow natively. If you want more prompt templates for coding tasks, browse our prompt packs library.

And if you want to sharpen the prompting skills that make reviews like this possible, the free prompt engineering mastery course walks through the patterns that matter most for technical work.

The bottom line: your future self will thank you for every bug this workflow catches before it ships. Ten minutes of review time is a lot cheaper than a production rollback.