“Review this PR” hands you the same generic checklist no matter what changed. A useful PR review prompt is diff-scoped (only the changed lines), aware of blast radius (does it touch auth, schema, or a public API?), and it returns actions with file:line evidence — not paragraphs. The 14 templates below are tuned for exactly that, and they paste straight into Claude Code, Cursor, ChatGPT, or a GitHub Action.
TL;DR
- Run diff-scoped review first (template 1). Whole-file review is a different, noisier job.
- Always demand a severity scale (Critical / High / Med / Low) and
file:lineevidence — no evidence means it’s likely hallucinated. - For risky PRs (auth, payments, migrations), stack the security, blast-radius, and migration prompts.
- Frontier models in mid-2026 review a diff well, but a human still signs off. Opus 4.7 hits 87.6% on SWE-bench Verified and GPT-5.5 leads Terminal-Bench 2.0 at 82.7% — strong, not infallible.
- If you’d rather not paste prompts by hand, automated reviewers (Copilot, Claude Code Action, CodeRabbit, Cursor Bugbot) wrap similar logic; see the tool table below.
Who this is for
Tech leads using AI as a first-pass reviewer, indie developers doing solo PRs, and staff engineers building review automation around Claude Code or Codex. If you want AI feedback that’s actually merge-blocking rather than nitpick spam, these are the prompts.
Don’t run them on a PR you haven’t skimmed yourself. With no human framing, the model tends to nitpick formatting and miss the structural change.
The 2026 AI code-review tool landscape
You can paste the prompts below into any chat, or let an automated reviewer apply similar logic on every PR. Pricing and limits as of June 2026:
| Tool | Model(s) | Billing (June 2026) | Notes |
|---|---|---|---|
| Claude Code GitHub Action | Opus 4.7 / Sonnet 4.6 | Anthropic API tokens (Pro $20 / Max $100–$200 bundles Claude Code) | pull_request trigger posts inline comments; runs on open + synchronize. Anthropic models only. |
| GitHub Copilot code review | GPT-5.5, others | Usage-based as of June 1, 2026: PRUs retired for GitHub AI Credits (1 credit = $0.01); a review costs ~13× a request and consumes Actions minutes | Inline comments in the GitHub UI; Pro $10, Pro+ $39. |
| CodeRabbit | Multi-model | Pro $24/dev/mo annual ($30 monthly), Pro Plus $48 | Charges only developers who open PRs; free tier for open source. |
| Cursor Bugbot | Sonnet 4.6 / GPT-5.5 | Usage-based since ~June 8, 2026 (dropped the old $40/seat): ~$1.00–$1.50 per run, default-effort ~$1.20, no published cap | Default effort resolves ~80% of bugs; high-effort finds ~35% more. /review (Cursor 3.7) runs it as a local pre-commit gate. |
A common 2026 setup: an automated bot for the boring sweep (forgotten env, missing tests) plus a hand-pasted prompt from this page for the high-stakes diff. Pair these with a guide on driving the agent — see Claude Code execution prompts.
Prompt anatomy
Every PR review prompt should carry six elements:
- Role: who the AI plays (release captain, QA lead, SRE, staff engineer).
- Context: repo, framework, runtime, branch, diff, failing logs.
- Goal: one concrete deliverable — checklist, plan, test file, review notes, root cause, ticket list.
- Constraints: what the model MUST NOT do (don’t auto-fix, don’t silently rewrite, don’t guess versions).
- Output format: numbered findings, markdown table, JSON schema, unified diff, or runnable code.
- Signal: 1-2 examples of “good” output, or what bad output looks like.
14 copy-ready prompt templates
1. Diff-scoped first-pass review
You are a senior engineer reviewing this PR. Read ONLY the diff (not the whole files). Surface the top 5 issues by impact, not the first 5 you see. For each: (a) file:line, (b) severity (Critical / High / Med / Low), (c) one-line description, (d) suggested fix in <= 30 words. Skip cosmetics — no whitespace / import-order comments.
2. Blast-radius assessment
Assess BLAST RADIUS of this PR. Answer: (1) Does this touch auth / payments / schema / public API? (2) Is the change reversible in < 5 minutes? (3) Which other teams' code depends on the modified surfaces? List the dependency, file:line of import. (4) Should this be feature-flagged?
3. Test coverage gap on the diff
For the new / changed code in this diff, list the test gaps: (1) New branches without a test, (2) Modified branches whose existing test still passes against both old and new behaviour (i.e., the test doesn't prove anything), (3) Error paths added without tests. Don't propose tests for unchanged code.
4. PR description draft
Generate a PR description from this diff. Sections: (1) WHY (the problem in 2-3 sentences), (2) WHAT (bullet list of changes, <= 6 bullets), (3) RISK (one paragraph: what could break), (4) ROLLBACK (one sentence). Skip "How" — the diff shows that. Keep title <= 70 chars.
5. Security pass on the diff
Audit ONLY this diff for security issues: (1) New user input that reaches DB / shell / template / fetch without validation, (2) Secrets introduced, (3) Auth checks removed or weakened, (4) Logging that now leaks PII / tokens. Severity each. Ignore the rest of the codebase in this pass.
6. Performance regression check
Look at this diff for performance regressions: (1) New synchronous I/O in hot paths, (2) N+1 patterns introduced (loop + DB call inside), (3) New lodash / heavy import imported eagerly, (4) React: new context provider that wraps too much / unstable deps in useMemo. File:line + reason.
7. Forgotten-update detector
For this diff, list FORGOTTEN updates: (1) Changed an env var? Update .env.example and docs, (2) Changed an API route? Update OpenAPI / client SDK, (3) New migration? Update rollback / seed, (4) New feature? Update changelog / readme, (5) Changed a type? Update consumers. Return a checklist with each item marked resolved / missing.
8. “Is this PR too big?” splitter
Assess whether this PR should be split. Criteria: >= 500 LOC OR >= 3 unrelated concerns. If yes, propose a split plan: PR-A (foundation, no behaviour change), PR-B (the actual feature), PR-C (cleanup). For each, list which files belong. Don't propose a split if not needed.
9. Backwards-compat check
Check this diff for backwards-compatibility breaks: (1) Renamed / removed public exports, (2) Changed function signatures still imported elsewhere, (3) Changed JSON / DB column names, (4) Bumped major version of a published package. For each: list callers / consumers that need to update.
10. Reviewer-prompt for a humans-only pass
You're writing a Slack-length message to a human reviewer. Summarize this PR in 4-5 sentences so they know what to focus on. Highlight: the one decision that needs a second opinion, the one risky line, and what is "fine to skim". Tone: peer to peer, no emojis.
11. Migration / DB-change red flags
Audit DB / migration changes in this diff: (1) DROP / RENAME without backfill, (2) NOT NULL added to a large table without default, (3) Index missing on a new FK, (4) Migration not idempotent on retry. File:line + severity + safe-deploy strategy.
12. Accessibility on the diff
For UI changes in this diff, check accessibility: (1) New interactive element without a keyboard handler, (2) Missing aria-label / accessible name, (3) Colour contrast change worsened on the modified components, (4) Loss of focus order. Skip unchanged UI.
13. AI-disclosed PR template
Useful when AI wrote most of the code — it keeps reviewers informed.
Generate a PR description that discloses AI assistance honestly: (1) Which parts were AI-written / AI-reviewed / human-written, (2) Where the human verified outputs, (3) Any tests the human wrote vs AI generated. Keep it short and factual. No marketing language.
14. Re-review after fixes
Swap [oldSha] for the commit SHA of the previous review.
Re-review this PR. Focus ONLY on diffs that changed since the last review at SHA [oldSha]. Confirm each previously-raised issue is resolved (or explicitly punted with a ticket link). Don't re-raise unchanged code — that was already discussed.
Common mistakes
- Letting AI review the entire repo instead of the diff — you drown in noise.
- Accepting nitpicks (whitespace, import order) — it desensitises your human reviewers.
- No severity scale — every comment looks equally urgent.
- Not asking for blast radius — you miss the auth and schema landmines.
- Auto-applying suggestions — they often carry subtle bugs.
- Reviewing AI-generated tests as if a human wrote them — they frequently pass against both old and new code (template 3 catches this).
- Skipping the forgotten-updates pass — changelogs and
.env.examplealways rot.
How to push results further
- Run the forgotten-update detector (template 7) on every PR. It catches the boring stuff humans miss.
- Demand
file:lineevidence on every finding. No evidence means it’s a hallucination. - For risky PRs (auth, payments, migrations), run the security, blast-radius, and migration prompts together.
- Disclose AI authorship in the PR body (template 13) so reviewers calibrate. GitHub Copilot code review began counting against Actions minutes on June 1, 2026, so being explicit about what already had a bot pass avoids double-billing a redundant run.
- Save your favourite review prompt as
.claude-code/review.md(or a Cursor rule) so it travels with the repo. Anthropic’s own Claude Code review docs cover wiring the same logic into apull_requestGitHub Action.
FAQ
- Can AI replace a human reviewer? No. AI catches the boring stuff (forgotten env vars, missed tests, naming) so humans can focus on design and intent. Even the top models in June 2026 (Opus 4.7 at 87.6% on SWE-bench Verified) miss semantic bugs.
- Does AI miss real bugs? Yes, especially semantic ones where the code runs but does the wrong thing. Use it as a first pass, never as the gate.
- How do I avoid nitpick spam? Tell the prompt to “skip cosmetics” and cap it at <= 5 issues sorted by impact (template 1 already does this).
- Should I let the bot post inline comments? Only with a confidence filter — Cursor Bugbot and the Claude Code Action both attach severity, so gate on severity >= High. Otherwise the comment stream becomes noise.
- How big a PR can AI review reliably? Roughly 600 LOC. After Cursor moved Bugbot to usage-based billing (effective at your next renewal after June 8, 2026), per-run cost rises with diff size: a default-effort review averages ~$1.20, high-effort multi-file runs cost more, and there is no published cap. Split large PRs by file or concern (template 8) to keep both cost and noise down.
- Which tool should I start with? If you already pay for Claude (Pro bundles Claude Code), wire up the GitHub Action. For pure PR review with a free open-source tier, CodeRabbit is the cheapest on-ramp.
Related
- Code review prompts
- Bug audit prompts
- Security audit prompts
- Full repository audit prompts
- Architecture Review Prompts for Layer and Dependency Audits
- Codebase Convention Detection Prompts: 12 Templates to Read a New Repo
- Database Migration Review Prompts for Safe Schema Changes
- Feature Rollout Risk Review Prompts: 12 Templates for Safe Launches
- Next.js App Router Review Prompts for Server Components
- Supabase RLS Policy Review Prompts for Auth and Roles
- Coding & Developer Prompts hub
Tags: #Prompt #Coding #Code review #PR review