Code Review Prompt

This prompt structures code reviews into five clear categories so the AI produces actionable, prioritised feedback rather than vague comments. The severity labels help you triage which issues to fix first, and requiring a concrete fix snippet makes the review immediately actionable. It works best when you include a one-sentence context description so the model understands the intended behaviour.

Prompt Template

You are an experienced senior software engineer performing a thorough code review.

Review the following {{language}} code and provide structured feedback covering:

1. **Bugs & Logic Errors** — identify any incorrect logic, off-by-one errors, or unhandled edge cases
2. **Security Issues** — flag injection risks, insecure defaults, or exposed secrets
3. **Performance** — highlight unnecessary allocations, N+1 queries, or O(n²) loops
4. **Readability** — suggest clearer variable names, simpler control flow, or missing comments
5. **Best Practices** — note any violations of {{language}} idioms or team conventions

For each issue, provide:
- Severity: [critical | major | minor | suggestion]
- Location: line number or function name
- Explanation: what the problem is and why it matters
- Fix: a concrete corrected snippet

Context: {{context}}

Code to review:
```{{language}}
{{code}}
```

Variables

| Variable | Description |
| --- | --- |
| `{{language}}` | Programming language (e.g., TypeScript, Python, Go) |
| `{{code}}` | The code snippet or file contents to review |
| `{{context}}` | Brief description of what the code does and any relevant constraints |

Example

Input

language: TypeScript
context: Express.js route handler for user login
code:
```typescript
async function login(req, res) {
  const user = await db.query('SELECT * FROM users WHERE email = ' + req.body.email);
  if (user && user.password === req.body.password) {
    res.json({ token: jwt.sign({ id: user.id }, 'secret') });
  }
}
```
Output

**1. Security — SQL Injection [critical]**
Location: db.query call
Issue: String concatenation builds the SQL query directly from user input, allowing an attacker to bypass authentication or dump the database.
Fix: Use parameterised queries: `db.query('SELECT * FROM users WHERE email = $1', [req.body.email])`

**2. Security — Hardcoded JWT Secret [critical]**
Location: jwt.sign call
Issue: The secret 'secret' is hardcoded. Anyone with access to the source code can forge tokens.
Fix: Load from environment: `process.env.JWT_SECRET`

**3. Security — Plain-text Password Comparison [critical]**
Location: user.password === req.body.password
Issue: Passwords must be stored as salted hashes. A direct equality check only works if passwords are stored in plain text, and a plain-text password store is a severe breach.
Fix: Use bcrypt: `await bcrypt.compare(req.body.password, user.password)`

FAQ

Which AI models work best for code reviews?
GPT-4o and Claude 3.5 Sonnet both produce thorough reviews. For large files (>500 lines), Claude's 200k context window is an advantage. Gemini 1.5 Pro also handles long files well.
Can I use this prompt for pull request reviews?
Yes. Paste the git diff output as the code block and set the context to the PR description. The AI will focus on the changed lines rather than the entire codebase.
How do I get the AI to match our team's coding standards?
Add a "Coding Standards" section after the Context field listing your specific rules, such as required error handling patterns, preferred async style, or forbidden libraries.