Thorough Code Review
Category: development
Subcategory: code-quality
Difficulty: intermediate
Target models: claude, gpt-4o
Variables: {{language}}, {{focus_area}}
Tags: code-review, quality, security, best-practices
Updated February 8, 2026
The Prompt
Review the following {{language}} code with focus on {{focus_area}}.
[paste code here]
Please analyze for:
1. Correctness — logic errors, edge cases, off-by-one mistakes
2. Security — injection vulnerabilities, unsafe handling of untrusted data, OWASP Top 10 categories
3. Performance — unnecessary allocations, O(n²) where O(n) is possible, missing memoization
4. Readability — naming, structure, comments where non-obvious
5. Maintainability — coupling, single responsibility, testability
For each issue found:
- State the severity (critical / warning / suggestion)
- Quote the relevant code
- Explain why it's a problem
- Provide a concrete fix
End with a summary of the code's overall quality and top 3 priorities to address.
When to Use
This prompt works best when you have a complete function, module, or PR diff that you want reviewed thoroughly. It’s designed to catch the same categories of issues a senior engineer would flag in a pull request.
Good for:
- Self-reviewing your own code before opening a PR
- Getting a second opinion on tricky logic
- Checking unfamiliar code (e.g., from a dependency or legacy codebase)
- Security-focused review of user-facing code
Variables
| Variable | Description | Examples |
|---|---|---|
| language | The programming language of the code | TypeScript, Python, Rust, Go |
| focus_area | What matters most for this review | security, performance, readability, correctness |
Tips & Variations
- Narrow the focus — if you only care about security, remove the other analysis points. Focused prompts get deeper results.
- Add context — prepend “This code handles user authentication for a web app” to get more relevant security analysis.
- Diff mode — paste a git diff instead of full code and add “Review this diff for a pull request” for PR-style feedback.
- Follow up — after the initial review, ask “Now refactor the code addressing all critical and warning issues” for an immediate fix.
Example Output
When given a TypeScript function that passes unvalidated user input into a SQL query, the review produces a finding like this:

Critical — SQL Injection via string concatenation

```typescript
const query = `SELECT * FROM users WHERE id = ${userId}`;
```

The `userId` parameter is interpolated directly into the SQL text without validation or escaping, so whatever the caller supplies is parsed as SQL. An attacker could pass `1 OR 1=1` to return every row, or `1; DROP TABLE users` where the driver accepts stacked statements.

Fix: Use parameterized queries so the value is bound separately from the SQL text (PostgreSQL-style `$1` placeholder shown; other drivers use `?`):

```typescript
const query = `SELECT * FROM users WHERE id = $1`;
const result = await db.query(query, [userId]);
```
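The two snippets above as one runnable TypeScript comparison. This is an added example, not part of the original page's prompt or sample output: `db` is a constructed stand-in that records the query text and bound parameters instead of executing them, and the integer-id check assumes that is what the schema uses. It also goes a step beyond the sample output by trying a tautology payload that does not depend on stacked statements.

```typescript
// Added example (not from the original page): the vulnerable query from the
// review sample beside its parameterized fix, with a constructed stand-in for a
// pg-style `db.query(text, params)` so the difference is visible offline.

interface SentQuery {
  text: string;      // SQL text the server would parse
  params: unknown[]; // bound values, sent out of band and never parsed as SQL
}

// Constructed fake driver: records the call instead of talking to a database.
const db = {
  query(text: string, params: unknown[] = []): SentQuery {
    return { text, params };
  },
};

// "Before": the interpolated query flagged as Critical in the sample review.
function findUserVulnerable(userId: string): SentQuery {
  const query = `SELECT * FROM users WHERE id = ${userId}`;
  return db.query(query);
}

// "After": the SQL text is constant; the user-controlled value is a bound parameter.
// The regex is defence in depth (assumption: ids are positive integers in this schema).
function findUserSafe(userId: string): SentQuery {
  if (!/^[1-9]\d{0,17}$/.test(userId)) {
    throw new RangeError(`invalid user id: ${JSON.stringify(userId)}`);
  }
  const query = `SELECT * FROM users WHERE id = $1`;
  return db.query(query, [userId]);
}

// Two classic payloads; the tautology works even where stacked statements are disabled.
const PAYLOAD_STACKED = "1; DROP TABLE users";
const PAYLOAD_TAUTOLOGY = "1 OR 1=1";

// True when attacker-supplied text has become part of the SQL the server parses.
function payloadReachesSql(sent: SentQuery, payload: string): boolean {
  return sent.text.includes(payload);
}

// Returns null when the safe path accepts the id, otherwise the rejection message.
function safeRejects(userId: string): string | null {
  try {
    findUserSafe(userId);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}

for (const payload of [PAYLOAD_STACKED, PAYLOAD_TAUTOLOGY]) {
  console.log("vulnerable sends :", findUserVulnerable(payload).text);
  console.log("safe result      :", safeRejects(payload));
}
const ok = findUserSafe("42");
console.log("safe sends       :", ok.text, "params:", ok.params);
```

Run it with ts-node or compile with tsc, then compare the `vulnerable sends` lines with the `safe sends` line: in the safe path the attacker-controlled text never appears in the SQL the server would parse, which is why the parameterized fix holds regardless of which payload is tried, and the regex only narrows what the driver ever sees.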