GuideTemplateintermediate15 min read

Code Review Prompt Guide

Get AI to catch what linters miss

Build your review promptBrowse review types

Linters catch syntax errors. Type systems catch type mismatches. But who catches the logic error that will wake you up at 3am? Who spots the subtle race condition or the SQL injection hiding in plain sight?

AI can be that second pair of eyes - if you know how to ask. This guide shows you how to write prompts that catch what automated tools miss.

Before
Review this code for issues.
After
Review this TypeScript authentication middleware for security vulnerabilities.

CONTEXT:
- This handles JWT validation for a financial API
- Runs on Node.js 20, Express 4
- We have had issues with token expiration edge cases

CODE:
[paste code here]

SPECIFICALLY CHECK FOR:
1. JWT validation bypass vulnerabilities
2. Timing attacks on token comparison
3. Proper error handling that doesn't leak information
4. Edge cases with malformed tokens

FORMAT:
For each issue found, provide:
- Severity (Critical/High/Medium/Low)
- Line number and code snippet
- Explanation of the vulnerability
- Suggested fix with code example

Types of Code Review

Different reviews catch different problems. Use the right prompt for what you need to find.

1

Set the Context

Tell AI what the code does, what language/framework it uses, and what aspect you want reviewed (security, performance, etc.).
2

Provide the Code

Share the relevant code with enough context. Include related functions if dependencies matter for understanding.
3

Ask Specific Questions

Generic "review this" gets generic answers. Ask about specific concerns: race conditions, memory leaks, SQL injection.
4

Request Actionable Feedback

Ask for concrete suggestions, not just problem identification. "Show me how to fix it" beats "tell me what is wrong."

Security Review

Security bugs are the most expensive to fix after deployment. Catch them early.

Security Review Prompt
Perform a security-focused code review on this [LANGUAGE] code.

CONTEXT:
- Application type: [web app, API, CLI tool, etc.]
- Handles sensitive data: [yes/no, what kind]
- Authentication method: [JWT, session, API key, etc.]
- Database: [PostgreSQL, MongoDB, etc.]

CODE TO REVIEW:
[paste code]

CHECK FOR THESE VULNERABILITIES:
1. Injection attacks (SQL, NoSQL, command, LDAP)
2. Authentication/authorization bypasses
3. Sensitive data exposure (logs, errors, responses)
4. Insecure cryptographic practices
5. Race conditions and TOCTOU bugs
6. Input validation gaps
7. Hardcoded secrets or credentials

OUTPUT FORMAT:
For each finding:
- SEVERITY: [Critical/High/Medium/Low]
- LOCATION: [file:line or function name]
- ISSUE: [clear description]
- EXPLOIT SCENARIO: [how an attacker could use this]
- FIX: [code example of the fix]

Warning

AI catches known vulnerability patterns but cannot guarantee security. Use this as one layer of defense, not the only one.

Performance Review

Find the bottlenecks before your users do.

Performance Review Prompt
Analyze this [LANGUAGE] code for performance issues.

CONTEXT:
- Expected load: [requests/sec, data volume, concurrent users]
- Current performance: [if known, e.g., "p99 latency is 2s, should be 200ms"]
- Runtime environment: [Node.js, Python, Go, browser, etc.]
- Database: [if applicable]

CODE TO REVIEW:
[paste code]

ANALYZE FOR:
1. Algorithm complexity (O(n) improvements)
2. Unnecessary loops or repeated operations
3. N+1 query patterns
4. Memory allocation inefficiencies
5. Blocking operations in async contexts
6. Missing caching opportunities
7. Inefficient data structures

FOR EACH ISSUE:
- IMPACT: [High/Medium/Low impact on performance]
- LOCATION: [where in the code]
- CURRENT COMPLEXITY: [O(n^2), etc.]
- PROBLEM: [why this hurts performance]
- OPTIMIZED VERSION: [show the faster code]
- EXPECTED IMPROVEMENT: [rough estimate]

Architecture Review

Code that works today but becomes unmaintainable tomorrow. Catch structural issues early.

Architecture Review Prompt
Review this code for architectural and design issues.

CONTEXT:
- Project type: [monolith, microservice, library, etc.]
- Team size: [solo, small team, large org]
- Expected lifetime: [prototype, long-term product]
- Architecture pattern: [MVC, Clean Architecture, etc.]

CODE TO REVIEW:
[paste code]

EVALUATE AGAINST:
1. Single Responsibility Principle violations
2. Tight coupling between components
3. Missing abstractions or over-abstraction
4. Inconsistent patterns across codebase
5. Hard-to-test code (dependencies, side effects)
6. Missing error boundaries
7. Scalability concerns

FOR EACH FINDING:
- PRINCIPLE VIOLATED: [which design principle]
- LOCATION: [where in the code]
- CURRENT STATE: [what the code does now]
- PROBLEM: [why this will cause pain]
- REFACTORED VERSION: [show better structure]
- TRADEOFFS: [when NOT to make this change]

Logic & Edge Cases

The bugs that pass all tests but fail in production. Edge cases, off-by-one errors, and business logic gaps.

Logic Review Prompt
Review this code for logic errors and edge cases.

CONTEXT:
- Business domain: [e-commerce, finance, healthcare, etc.]
- Critical requirement: [what MUST work correctly]
- Known constraints: [max values, valid ranges, etc.]

CODE TO REVIEW:
[paste code]

LOOK FOR:
1. Off-by-one errors in loops/ranges
2. Null/undefined handling gaps
3. Integer overflow possibilities
4. Floating point precision issues
5. Time zone / date handling bugs
6. Race conditions in async code
7. Boundary conditions (empty, max, negative)
8. Business logic inconsistencies

FOR EACH FINDING:
- EDGE CASE: [describe the scenario]
- INPUT THAT BREAKS IT: [concrete example]
- EXPECTED BEHAVIOR: [what should happen]
- ACTUAL BEHAVIOR: [what currently happens]
- FIX: [code that handles the edge case]

Pro Tip

After getting AI feedback, turn each edge case into a test. Your test suite should grow with every review.

Providing Context

AI cannot read your mind. The more context you provide, the better the review.

What the code does

“This function processes payment webhooks from Stripe and updates user subscription status.”

The tech stack

“TypeScript 5.3, Node.js 20, PostgreSQL 15, running on AWS Lambda.”

What worries you

“I am worried about race conditions when the same webhook is delivered twice.”

The constraints

“Must complete in under 10 seconds due to webhook timeout. Cannot add new dependencies.”

Team-Wide Standards

Create a shared prompt template your whole team can use for consistent reviews.

# [Team Name] Code Review Template

## Our Standards
- We follow [style guide link]
- Security requirements: [SOC2, HIPAA, etc.]
- Performance SLA: [p99 < 200ms]

## Review Checklist
Before requesting AI review, confirm:
[ ] Tests pass locally
[ ] No secrets in code
[ ] Logging added for debugging

## Prompt Template
[Paste the relevant prompt from above]

## After AI Review
[ ] Address all Critical/High findings
[ ] Create tickets for Medium findings
[ ] Document Low findings as tech debt

Next Steps

You have the templates. AskSmarter.ai can help you build context-rich review prompts by asking the right questions about your code and concerns.

Build your review prompt

Answer questions about your code, tech stack, and concerns. Get a customized review prompt that catches what matters.

Start building free