Code Review
Claude Code can automatically review every GitHub pull request your team opens — posting inline comments on the exact lines where problems live, tagged by severity, without blocking your existing merge workflows.
How it works
When a pull request opens (or a push lands, depending on your settings), specialised agents analyse the diff in the context of your full codebase — not just the changed lines. Each agent looks for a different class of problem: logic errors, security gaps, broken edge cases, subtle regressions. A verification step cross-checks each candidate finding against the actual code to filter out false positives before anything is posted.
Results land as inline PR comments on the exact diff lines where the issue was found, plus a summary in the review body. If no issues are found, Claude leaves a brief confirmation comment instead of staying silent.
Severity levels
Every finding is tagged with one of three severity levels so you can triage quickly.
| Level | Meaning |
|---|---|
| Important | A real bug that should be fixed before merging. Claude verified it against the actual code — not an inference from naming or style. |
| Nit | A minor issue worth cleaning up, but not blocking. Dead code, an unused parameter, an edge case with low impact. |
| Pre-existing | A bug that exists in the codebase but was not introduced by this PR. Surfaced so the team is aware, without blocking the current change. |
Each inline comment also includes a collapsible Extended reasoning section. Expand it to see exactly how Claude verified the issue — which file and line it traced, what code path it followed.
What it looks like on a real PR
Below is an example review on a pull request that adds payment retry logic. Claude found one Important bug (potential double-charge on network timeout) and one Nit (unused parameter).
Retry loop may charge a customer multiple times. If the first payment attempt succeeds but the network times out before the response arrives, retryPayment will re-submit the same charge. Consider checking for an existing successful transaction with this orderId before each attempt.
Extended reasoning →
Verified at src/payments/gateway.ts:34: the gateway does not use an idempotency key by default. Re-submission on timeout will create a new charge record, confirmed by reviewing the Stripe API call on line 67.
attempts is passed to retryPayment but never used inside the function (see retry.ts:12). Either wire it up or remove the parameter to avoid confusion.

Use thumbs up on comments that are useful and thumbs down on ones that are wrong or noisy. Anthropic uses these reactions to tune the reviewer after the PR merges.
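The Important finding in the example review above, as an added TypeScript example (not code from the reviewed PR or from Anthropic): a constructed in-memory `FakeGateway` records a charge and then loses its first response, and the retry loop is shown without and with a per-order idempotency key. Every name except `retryPayment` and `orderId` is an assumption made for illustration.

```typescript
// Added example: hypothetical in-memory gateway, not the Stripe API or the PR's code.
type Charge = { orderId: string; amountCents: number };

class FakeGateway {
  charges: Charge[] = [];
  private seen = new Map<string, Charge>(); // idempotency key -> recorded charge
  private dropNextResponse = true; // constructed fault: the first response is lost

  // Records the charge first, then may "time out" before the caller sees the result.
  charge(orderId: string, amountCents: number, idempotencyKey?: string): Charge {
    let charge = idempotencyKey ? this.seen.get(idempotencyKey) : undefined;
    if (!charge) {
      charge = { orderId, amountCents };
      this.charges.push(charge);
      if (idempotencyKey) this.seen.set(idempotencyKey, charge);
    }
    if (this.dropNextResponse) {
      this.dropNextResponse = false;
      throw new Error("ETIMEDOUT"); // charge went through, response never arrived
    }
    return charge;
  }
}

// Behaviour the finding describes: each retry submits a brand-new charge.
function retryPaymentNaive(gw: FakeGateway, orderId: string, amountCents: number, attempts: number): Charge {
  let lastError: unknown;
  for (let i = 0; i < attempts; i++) {
    try { return gw.charge(orderId, amountCents); } catch (e) { lastError = e; }
  }
  throw lastError;
}

// Hardened: one key derived from the order, reused on every attempt.
function retryPaymentIdempotent(gw: FakeGateway, orderId: string, amountCents: number, attempts: number): Charge {
  const key = `charge:${orderId}`;
  let lastError: unknown;
  for (let i = 0; i < attempts; i++) {
    try { return gw.charge(orderId, amountCents, key); } catch (e) { lastError = e; }
  }
  throw lastError;
}

// Returns how many charge records one order produced under the given strategy.
function chargesRecorded(strategy: typeof retryPaymentNaive): number {
  const gw = new FakeGateway();
  strategy(gw, "order-1001", 4999, 3); // constructed order id and amount
  return gw.charges.length;
}
```

With the key, the second attempt is answered from the gateway's stored record instead of creating a second charge.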
Set up Code Review
An admin enables Code Review once for the whole organisation, then picks which repositories to include and how each one triggers.
Open Claude Code admin settings
Go to claude.ai/admin-settings/claude-code and scroll to the Code Review section. You need admin access to your Claude organisation and permission to install GitHub Apps.
Install the Claude GitHub App
Click Setup to start the GitHub App installation flow. Grant the app these repository permissions:
Select repositories and set trigger mode
Choose which repositories to enable. For each one, pick a Review Behavior from the dropdown:
| Mode | Description | Cost |
|---|---|---|
| Once after PR creation | One review per PR when it opens or is marked ready for review. | Lowest |
| After every push | Re-reviews on every push, catching new issues and auto-resolving fixed threads. | Highest |
| Manual | Reviews only when someone comments @claude review on the PR. | Pay as you go |
Code Review Research Preview
| Repository | Review Behavior | Status |
|---|---|---|
| acme/api-service | After every push | Enabled |
| acme/frontend | Once after PR creation | Enabled |
| acme/infra | Manual | Disabled |
Trigger a review by comment
Two comment commands let anyone request a review on demand, regardless of the repository's configured trigger. Post them as top-level PR comments — not as replies to inline diff threads.
| Command | Behaviour |
|---|---|
| @claude review | Starts a review immediately and subscribes this PR to future push-triggered reviews. Use when you want ongoing review coverage. |
| @claude review once | Starts a single review without changing the PR's trigger behaviour. Use for a second opinion or to re-review after a major rebase. |
Customise with REVIEW.md
Add a REVIEW.md file to your repository root to tune how Code Review behaves on that repo. Its contents are injected as the highest-priority instruction for every agent in the review pipeline — overriding the default guidance.
| Use case | What to add |
|---|---|
| Redefine severity | Change what "Important" means for your repo. A docs repo might only flag broken links; a payment service might escalate any PII leak. |
| Cap nit volume | Limit how many Nit comments appear per review so the author is not overwhelmed by style suggestions. |
| Skip paths | Tell Claude to ignore generated files, lockfiles, migration scripts, or any path your CI already covers. |
| Always-check rules | Add repo-specific checks that apply to every PR, like "new API routes must have an integration test". |
Here is an original example for a backend API service:
```markdown
# REVIEW.md — Backend API Service

## What counts as Important here
Only flag findings that would break production behaviour, expose PII, or block
a rollback: incorrect logic, unscoped DB queries, passwords or user IDs in logs,
and migrations that are not backward-compatible.
Style and naming suggestions are Nit at most.

## Cap the nits
Report at most four Nit comments per review. If you found more, summarise the
extras as "plus N similar items" in the review body. If every finding is a Nit,
open the summary with "No blocking issues found."

## Skip these paths
- src/generated/ (auto-generated from schema)
- **/*.lock (dependency lockfiles)
- migrations/ (reviewed separately by the DBA team)
- Anything that only changes comments or whitespace

## Always check
- New /api routes have an integration test in tests/integration/
- Log statements do not include req.body, user.email, or user.id
- Database queries filter by tenant_id when tenant data is involved
```

Keep REVIEW.md short and focused. A long file dilutes the rules that matter most. Use CLAUDE.md for general project context and reserve REVIEW.md for instructions that specifically change review behaviour.

Pricing
Code Review is billed by token usage, separately from your plan's included usage. Cost scales with PR size and codebase complexity. Check the admin usage page for current pricing in your organisation.
| Trigger | Billing pattern |
|---|---|
| Once after PR | Runs once when the PR is opened |
| After every push | Cost increases with each new push |
| Manual only | You control exactly when it runs via @claude |
Troubleshooting
- Confirm the repository is listed in admin settings and Code Review is enabled.
- Confirm the Claude GitHub App has access to that repository.
- If Review Behavior is Manual, comment @claude review on the PR to start.
- To verify setup quickly, open a test PR and watch the Checks tab.
- Comment @claude review once to start a fresh one-off review without subscribing to future pushes.
- Do not use the GitHub Re-run button — it does not retrigger Code Review.
- If the PR is already subscribed, pushing a new commit also starts a new review.
- Click Details next to the Claude Code Review check — the severity table lists every finding even if inline comments were rejected by GitHub.
- Open the Files changed tab to see findings as diff annotations.
- If you pushed while a review was running, comments on moved lines appear under Additional findings in the review body.
- Your organisation has hit its monthly Code Review spend cap.
- Reviews resume automatically at the start of the next billing period.
- An admin can raise the cap immediately at claude.ai/admin-settings/usage.
Quick reference
| Task | How |
|---|---|
| Enable for your organisation | claude.ai/admin-settings/claude-code → Code Review → Setup |
| Trigger a review manually | @claude review (top-level PR comment) |
| Get a one-off review | @claude review once |
| Retrigger a failed review | @claude review once or push a new commit |
| Customise what gets flagged | Add REVIEW.md to your repository root |
| Set a monthly spend cap | claude.ai/admin-settings/usage |
| View per-repo costs | claude.ai/analytics/code-review |
| See findings when comments are missing | Checks tab → Details link or Files changed annotations |
Before you continue
- Code Review posts inline PR comments tagged Important, Nit, or Pre-existing.
- Admins enable it once, then choose repos and trigger modes per repository.
- Use @claude review or @claude review once for on-demand reviews.
- Tune behaviour per repo with REVIEW.md; use CLAUDE.md for general project context.
- Next lesson: techniques for getting consistently better results from Claude Code.