PR Review Prompts: 14 Templates for AI-Assisted Code Review

14 copy-ready AI PR review prompts that find real issues — diff-scoped, blast-radius aware, severity-ranked. Plus the 2026 tool landscape (Copilot, Claude Code, CodeRabbit, Bugbot).

“Review this PR” hands you the same generic checklist no matter what changed. A useful PR review prompt is diff-scoped (only the changed lines), aware of blast radius (does it touch auth, schema, or a public API?), and it returns actions with file:line evidence — not paragraphs. The 14 templates below are tuned for exactly that, and they paste straight into Claude Code, Cursor, ChatGPT, or a GitHub Action.

TL;DR

  • Run diff-scoped review first (template 1). Whole-file review is a different, noisier job.
  • Always demand a severity scale (Critical / High / Med / Low) and file:line evidence — no evidence means it’s likely hallucinated.
  • For risky PRs (auth, payments, migrations), stack the security, blast-radius, and migration prompts.
  • Frontier models in mid-2026 review a diff well, but a human still signs off. Opus 4.7 hits 87.6% on SWE-bench Verified and GPT-5.5 leads Terminal-Bench 2.0 at 82.7% — strong, not infallible.
  • If you’d rather not paste prompts by hand, automated reviewers (Copilot, Claude Code Action, CodeRabbit, Cursor Bugbot) wrap similar logic; see the tool table below.

Who this is for

Tech leads using AI as a first-pass reviewer, indie developers doing solo PRs, and staff engineers building review automation around Claude Code or Codex. If you want AI feedback that’s actually merge-blocking rather than nitpick spam, these are the prompts.

Don’t run them on a PR you haven’t skimmed yourself. With no human framing, the model tends to nitpick formatting and miss the structural change.

The 2026 AI code-review tool landscape

You can paste the prompts below into any chat, or let an automated reviewer apply similar logic on every PR. Pricing and limits as of June 2026:

ToolModel(s)Billing (June 2026)Notes
Claude Code GitHub ActionOpus 4.7 / Sonnet 4.6Anthropic API tokens (Pro $20 / Max $100–$200 bundles Claude Code)pull_request trigger posts inline comments; runs on open + synchronize. Anthropic models only.
GitHub Copilot code reviewGPT-5.5, othersUsage-based as of June 1, 2026: PRUs retired for GitHub AI Credits (1 credit = $0.01); a review costs ~13× a request and consumes Actions minutesInline comments in the GitHub UI; Pro $10, Pro+ $39.
CodeRabbitMulti-modelPro $24/dev/mo annual ($30 monthly), Pro Plus $48Charges only developers who open PRs; free tier for open source.
Cursor BugbotSonnet 4.6 / GPT-5.5Usage-based since ~June 8, 2026 (dropped the old $40/seat): ~$1.00–$1.50 per run, default-effort ~$1.20, no published capDefault effort resolves ~80% of bugs; high-effort finds ~35% more. /review (Cursor 3.7) runs it as a local pre-commit gate.

A common 2026 setup: an automated bot for the boring sweep (forgotten env, missing tests) plus a hand-pasted prompt from this page for the high-stakes diff. Pair these with a guide on driving the agent — see Claude Code execution prompts.

Prompt anatomy

Every PR review prompt should carry six elements:

  • Role: who the AI plays (release captain, QA lead, SRE, staff engineer).
  • Context: repo, framework, runtime, branch, diff, failing logs.
  • Goal: one concrete deliverable — checklist, plan, test file, review notes, root cause, ticket list.
  • Constraints: what the model MUST NOT do (don’t auto-fix, don’t silently rewrite, don’t guess versions).
  • Output format: numbered findings, markdown table, JSON schema, unified diff, or runnable code.
  • Signal: 1-2 examples of “good” output, or what bad output looks like.

14 copy-ready prompt templates

1. Diff-scoped first-pass review

You are a senior engineer reviewing this PR. Read ONLY the diff (not the whole files). Surface the top 5 issues by impact, not the first 5 you see. For each: (a) file:line, (b) severity (Critical / High / Med / Low), (c) one-line description, (d) suggested fix in <= 30 words. Skip cosmetics — no whitespace / import-order comments.

2. Blast-radius assessment

Assess BLAST RADIUS of this PR. Answer: (1) Does this touch auth / payments / schema / public API? (2) Is the change reversible in < 5 minutes? (3) Which other teams' code depends on the modified surfaces? List the dependency, file:line of import. (4) Should this be feature-flagged?

3. Test coverage gap on the diff

For the new / changed code in this diff, list the test gaps: (1) New branches without a test, (2) Modified branches whose existing test still passes against both old and new behaviour (i.e., the test doesn't prove anything), (3) Error paths added without tests. Don't propose tests for unchanged code.

4. PR description draft

Generate a PR description from this diff. Sections: (1) WHY (the problem in 2-3 sentences), (2) WHAT (bullet list of changes, <= 6 bullets), (3) RISK (one paragraph: what could break), (4) ROLLBACK (one sentence). Skip "How" — the diff shows that. Keep title <= 70 chars.

5. Security pass on the diff

Audit ONLY this diff for security issues: (1) New user input that reaches DB / shell / template / fetch without validation, (2) Secrets introduced, (3) Auth checks removed or weakened, (4) Logging that now leaks PII / tokens. Severity each. Ignore the rest of the codebase in this pass.

6. Performance regression check

Look at this diff for performance regressions: (1) New synchronous I/O in hot paths, (2) N+1 patterns introduced (loop + DB call inside), (3) New lodash / heavy import imported eagerly, (4) React: new context provider that wraps too much / unstable deps in useMemo. File:line + reason.

7. Forgotten-update detector

For this diff, list FORGOTTEN updates: (1) Changed an env var? Update .env.example and docs, (2) Changed an API route? Update OpenAPI / client SDK, (3) New migration? Update rollback / seed, (4) New feature? Update changelog / readme, (5) Changed a type? Update consumers. Return a checklist with each item marked resolved / missing.

8. “Is this PR too big?” splitter

Assess whether this PR should be split. Criteria: >= 500 LOC OR >= 3 unrelated concerns. If yes, propose a split plan: PR-A (foundation, no behaviour change), PR-B (the actual feature), PR-C (cleanup). For each, list which files belong. Don't propose a split if not needed.

9. Backwards-compat check

Check this diff for backwards-compatibility breaks: (1) Renamed / removed public exports, (2) Changed function signatures still imported elsewhere, (3) Changed JSON / DB column names, (4) Bumped major version of a published package. For each: list callers / consumers that need to update.

10. Reviewer-prompt for a humans-only pass

You're writing a Slack-length message to a human reviewer. Summarize this PR in 4-5 sentences so they know what to focus on. Highlight: the one decision that needs a second opinion, the one risky line, and what is "fine to skim". Tone: peer to peer, no emojis.

11. Migration / DB-change red flags

Audit DB / migration changes in this diff: (1) DROP / RENAME without backfill, (2) NOT NULL added to a large table without default, (3) Index missing on a new FK, (4) Migration not idempotent on retry. File:line + severity + safe-deploy strategy.

12. Accessibility on the diff

For UI changes in this diff, check accessibility: (1) New interactive element without a keyboard handler, (2) Missing aria-label / accessible name, (3) Colour contrast change worsened on the modified components, (4) Loss of focus order. Skip unchanged UI.

13. AI-disclosed PR template

Useful when AI wrote most of the code — it keeps reviewers informed.

Generate a PR description that discloses AI assistance honestly: (1) Which parts were AI-written / AI-reviewed / human-written, (2) Where the human verified outputs, (3) Any tests the human wrote vs AI generated. Keep it short and factual. No marketing language.

14. Re-review after fixes

Swap [oldSha] for the commit SHA of the previous review.

Re-review this PR. Focus ONLY on diffs that changed since the last review at SHA [oldSha]. Confirm each previously-raised issue is resolved (or explicitly punted with a ticket link). Don't re-raise unchanged code — that was already discussed.

Common mistakes

  • Letting AI review the entire repo instead of the diff — you drown in noise.
  • Accepting nitpicks (whitespace, import order) — it desensitises your human reviewers.
  • No severity scale — every comment looks equally urgent.
  • Not asking for blast radius — you miss the auth and schema landmines.
  • Auto-applying suggestions — they often carry subtle bugs.
  • Reviewing AI-generated tests as if a human wrote them — they frequently pass against both old and new code (template 3 catches this).
  • Skipping the forgotten-updates pass — changelogs and .env.example always rot.

How to push results further

  • Run the forgotten-update detector (template 7) on every PR. It catches the boring stuff humans miss.
  • Demand file:line evidence on every finding. No evidence means it’s a hallucination.
  • For risky PRs (auth, payments, migrations), run the security, blast-radius, and migration prompts together.
  • Disclose AI authorship in the PR body (template 13) so reviewers calibrate. GitHub Copilot code review began counting against Actions minutes on June 1, 2026, so being explicit about what already had a bot pass avoids double-billing a redundant run.
  • Save your favourite review prompt as .claude-code/review.md (or a Cursor rule) so it travels with the repo. Anthropic’s own Claude Code review docs cover wiring the same logic into a pull_request GitHub Action.

FAQ

  • Can AI replace a human reviewer? No. AI catches the boring stuff (forgotten env vars, missed tests, naming) so humans can focus on design and intent. Even the top models in June 2026 (Opus 4.7 at 87.6% on SWE-bench Verified) miss semantic bugs.
  • Does AI miss real bugs? Yes, especially semantic ones where the code runs but does the wrong thing. Use it as a first pass, never as the gate.
  • How do I avoid nitpick spam? Tell the prompt to “skip cosmetics” and cap it at <= 5 issues sorted by impact (template 1 already does this).
  • Should I let the bot post inline comments? Only with a confidence filter — Cursor Bugbot and the Claude Code Action both attach severity, so gate on severity >= High. Otherwise the comment stream becomes noise.
  • How big a PR can AI review reliably? Roughly 600 LOC. After Cursor moved Bugbot to usage-based billing (effective at your next renewal after June 8, 2026), per-run cost rises with diff size: a default-effort review averages ~$1.20, high-effort multi-file runs cost more, and there is no published cap. Split large PRs by file or concern (template 8) to keep both cost and noise down.
  • Which tool should I start with? If you already pay for Claude (Pro bundles Claude Code), wire up the GitHub Action. For pure PR review with a free open-source tier, CodeRabbit is the cheapest on-ramp.

Tags: #Prompt #Coding #Code review #PR review