These prompts handle the documentation, feedback, and communication parts of code review so you can focus on the actual analysis. Each prompt produces ready-to-send comments, reports, or messages you can use immediately.
These prompts pair well with Jasper AI for Developers-specific tone control, or Copy.ai for fast iteration.
Pull Request Feedback Comments
You are a senior developer reviewing a pull request that needs constructive feedback.
PR title: {pull_request_title} Developer: {developer_name}, {experience_level} developer Main issues found: {three_to_five_issues_in_bullets} Code files affected: {file_names} Severity: {blocking / needs_changes / minor_suggestions} Team tone: {direct / collaborative / mentoring}
Write a 200 to 300 word pull request comment that opens with one positive observation about the code. Address each issue with specific line references where possible. End with clear next steps. Use a {team_tone} approach that encourages learning.
When to use it: When you’ve spotted issues in a PR but need to package your feedback professionally instead of just dropping “LGTM” or raw criticism.
Pro tip: Always lead with something positive, even if it’s just “good variable naming” or “clean function structure” - it makes developers more receptive to the critique that follows.
You are reviewing a pull request from a junior developer that shows promise but has fundamental architectural issues.
Developer: {developer_name} PR scope: {what_the_pr_does} Main architectural concern: {primary_design_issue} Secondary issues: {two_to_three_smaller_issues} Suggested approach: {better_architectural_pattern} Timeline pressure: {tight / normal / flexible}
Write a 250 to 350 word review comment that explains why the current approach won’t scale without being condescending. Suggest the {suggested_approach} with one concrete example. Balance education with {timeline_pressure} delivery needs.
When to use it: When a junior dev has written working code that solves the immediate problem but creates technical debt or maintenance issues.
Pro tip: Include a quick sketch of the better pattern in code comments, not just prose - junior devs learn faster from examples than explanations.
You are conducting a final review before merging a critical feature to production.
Feature: {feature_description} Developer: {developer_name} Files changed: {number_of_files} Test coverage: {coverage_percentage} Performance impact: {performance_notes} Security considerations: {security_items_checked} Deployment risk: {low / medium / high}
Write a 150 to 200 word final review comment that confirms readiness for production. Acknowledge the thoroughness of testing and highlight one aspect that gives you confidence. Include a brief deployment recommendation based on {deployment_risk} level.
When to use it: When you’re the final approver on a feature that’s about to ship and need to document your sign-off clearly.
Pro tip: Explicitly mention what you checked beyond the code itself - tests, performance, security - so other team members know the review depth.
You are reviewing a pull request that fixes a critical bug but introduces potential side effects.
Bug fixed: {original_bug_description} Fix approach: {how_developer_solved_it} Potential side effects: {two_to_three_concerns} Files modified: {affected_files} Testing done: {what_developer_tested} Production urgency: {emergency / high / normal}
Write a 200 to 250 word review that acknowledges the fix quality while raising concerns about side effects. Suggest specific additional tests for the {potential_side_effects}. Recommend merge timing based on {production_urgency}.
When to use it: When someone has fixed a critical issue but you’re worried about unintended consequences in related functionality.
Pro tip: Be specific about which edge cases worry you - “what happens if this runs during high traffic?” beats “I’m concerned about performance.”
You are reviewing a refactoring pull request that improves code quality but doesn’t add new features.
Code area refactored: {module_or_component} Main improvements: {what_got_better} Lines changed: {rough_line_count} Breaking changes: {yes_or_no} Test updates needed: {test_changes_required} Developer: {developer_name}
Write a 150 to 200 word review comment that emphasizes the value of this refactoring work. Highlight how the improvements in {main_improvements} will help future development. Confirm that {test_changes_required} adequately cover the refactored code.
When to use it: When reviewing pure refactoring PRs where it’s important to recognize the developer’s effort even though there are no visible feature changes.
Pro tip: Connect the refactoring to specific future work - “this will make the Q4 performance improvements much easier” - to justify the time investment.
Security and Compliance Reviews
You are conducting a security review of code that handles user authentication and sensitive data.
Feature: {feature_name} Data types handled: {sensitive_data_types} Security issues found: {security_vulnerabilities} Compliance requirements: {regulatory_standards} Risk level: {low / medium / high / critical} Developer experience: {junior / mid / senior}
Write a 300 to 400 word security review that explains each vulnerability in {security_issues_found} with specific remediation steps. Reference relevant {compliance_requirements} standards. Set clear expectations about what must be fixed before merge based on {risk_level}.
When to use it: When you’ve found security issues in code that handles authentication, payments, or personal data and need to document them formally.
Pro tip: Always include links to your company’s security guidelines or OWASP resources - developers fix issues faster when they can read the full context.
You are reviewing code that integrates with a third-party API and has potential data exposure risks.
API integration: {third_party_service} Data being sent: {data_types_transmitted} Security concerns: {privacy_or_exposure_risks} Error handling: {how_errors_are_handled} Logging practices: {what_gets_logged} Compliance impact: {gdpr_hipaa_or_other}
Write a 250 to 350 word review focusing on data privacy and third-party integration security. Address the {privacy_or_exposure_risks} with specific code changes needed. Evaluate whether {logging_practices} meets {compliance_impact} requirements.
When to use it: When reviewing integrations with external services where data privacy and compliance are critical considerations.
Pro tip: Check what’s being logged in error messages - API keys, user data, and tokens often leak into logs during error conditions.
You are reviewing infrastructure-as-code that sets up production environments and security policies.
Infrastructure: {cloud_provider_and_services} Security policies: {iam_networking_encryption} Environment: {staging_production_or_both} Compliance requirements: {security_standards} Access controls: {who_gets_what_access} Monitoring setup: {logging_and_alerting}
Write a 300 to 400 word infrastructure security review. Evaluate {security_policies} against {compliance_requirements}. Verify that {access_controls} follow principle of least privilege. Confirm {monitoring_setup} will catch security incidents.
When to use it: When reviewing Terraform, CloudFormation, or other infrastructure code that defines security boundaries and access controls.
Pro tip: Pay special attention to default security group rules and IAM wildcard permissions - they’re the most common sources of production security issues.
You are reviewing a database migration that affects production data and requires security validation.
Migration type: {schema_change_data_migration_or_both} Tables affected: {database_tables} Data sensitivity: {pii_financial_public_or_internal} Rollback plan: {how_to_reverse_changes} Downtime required: {none_maintenance_window_or_extended} Security validations: {encryption_access_auditing}
Write a 200 to 300 word security-focused migration review. Verify that {data_sensitivity} is properly protected during migration. Confirm {rollback_plan} doesn’t create security gaps. Address any concerns about {security_validations}.
When to use it: When reviewing database changes that could expose sensitive data during migration or create security vulnerabilities.
Pro tip: Always verify that backups taken before migration are encrypted and access-controlled - rollback procedures often forget about backup security.
You are reviewing API endpoint code that needs security hardening before production deployment.
API endpoints: {endpoint_paths} Authentication method: {jwt_oauth_apikey_or_session} Input validation: {what_gets_validated} Rate limiting: {current_rate_limits} Error responses: {what_errors_expose} Authorization logic: {rbac_or_permission_model}
Write a 250 to 350 word API security review. Evaluate {input_validation} for injection attacks and data validation. Check if {rate_limiting} prevents abuse. Ensure {error_responses} don’t leak sensitive information about system internals.
When to use it: When reviewing new API endpoints or changes to existing APIs that handle external requests.
Pro tip: Test error conditions manually - APIs often expose database errors, file paths, or internal service names in error messages that shouldn’t reach external users.
Performance and Architecture Analysis
You are analyzing code performance issues in a feature that’s causing production slowdowns.
Performance problem: {slow_api_memory_leak_or_cpu_spike} Code area: {specific_function_or_module} Current metrics: {response_time_memory_usage_or_cpu} User impact: {how_users_experience_slowdown} Profiling data: {what_profiler_revealed} Quick wins identified: {immediate_improvements}
Write a 300 to 400 word performance analysis that explains why {performance_problem} occurs in {code_area}. Prioritize {quick_wins_identified} by implementation effort versus impact. Include specific code changes needed to improve {current_metrics}.
When to use it: When production monitoring has flagged performance issues and you need to document your analysis and recommendations.
Pro tip: Always include before/after metrics in your recommendations - “reduce API response time from 800ms to under 200ms” is more actionable than “improve performance.”
You are conducting an architectural review of a new microservice that needs to integrate with existing systems.
Service purpose: {what_the_service_does} Integration points: {apis_databases_queues_it_connects_to} Scalability requirements: {expected_load_and_growth} Data consistency needs: {eventual_or_strong_consistency} Failure scenarios: {what_happens_when_dependencies_fail} Technology choices: {languages_frameworks_databases}
Write a 350 to 450 word architectural review. Evaluate whether {technology_choices} support {scalability_requirements}. Analyze {integration_points} for potential bottlenecks. Address how {failure_scenarios} are handled and whether {data_consistency_needs} are met.
When to use it: When reviewing the design and implementation of new services that will become part of your production architecture.
Pro tip: Focus on the failure modes - most architectural problems show up when dependencies are slow, unavailable, or returning errors.
You are reviewing database query optimization in code that handles high-volume data operations.
Database operations: {queries_inserts_updates_or_deletes} Data volume: {records_per_day_or_table_size} Current performance: {query_execution_times} Index usage: {existing_indexes_being_used} Query patterns: {select_join_aggregate_patterns} Business criticality: {user_facing_or_background_job}
Write a 250 to 350 word database performance review. Analyze {query_patterns} for optimization opportunities. Recommend specific index changes to improve {current_performance}. Consider the impact of {data_volume} growth on current {database_operations}.
When to use it: When reviewing code that interacts heavily with databases and you’re concerned about query performance or scalability.
Pro tip: Check the query execution plans, not just the code - the same SQL can perform very differently depending on data distribution and available indexes.
You are analyzing caching strategy in a high-traffic feature that’s experiencing cache misses and performance degradation.
Caching system: {redis_memcached_or_application_cache} Cache miss rate: {percentage_of_requests_missing_cache} Data being cached: {user_data_api_responses_or_computed_results} Cache invalidation: {how_stale_data_gets_removed} Performance impact: {response_time_with_without_cache} Traffic patterns: {peak_usage_times_and_volumes}
Write a 300 to 400 word caching analysis. Explain why {cache_miss_rate} is high and how it affects {performance_impact}. Evaluate {cache_invalidation} strategy for correctness and efficiency. Recommend changes to handle {traffic_patterns} better.
When to use it: When investigating performance issues related to caching systems or reviewing changes to caching logic.
Pro tip: Look for cache keys that are too specific or invalidation that’s too aggressive - both cause unnecessarily high miss rates.
You are reviewing memory management in code that processes large datasets or handles long-running operations.
Memory usage pattern: {steady_growth_spikes_or_gradual_leak} Data processing: {file_uploads_batch_jobs_or_stream_processing} Current memory consumption: {peak_memory_usage} Garbage collection impact: {gc_pause_times} Memory optimization attempts: {what_developer_already_tried} Production constraints: {available_memory_limits}
Write a 250 to 350 word memory usage analysis. Identify root causes of {memory_usage_pattern} in {data_processing}. Evaluate whether {memory_optimization_attempts} address the core issues. Recommend specific changes to stay within {production_constraints}.
When to use it: When analyzing memory-related performance issues or reviewing code that processes large amounts of data.
Pro tip: Check for collections that grow without bounds and streaming operations that buffer more data than necessary - they’re the most common causes of memory issues.
Team Communication and Documentation
You are writing a code review summary for a team standup meeting about a complex feature that multiple developers are working on.
Feature name: {feature_being_developed} Developers involved: {team_member_names} Review completion: {percentage_of_prs_reviewed} Major issues found: {blocking_issues_discovered} Timeline impact: {ahead_behind_or_on_schedule} Next review priorities: {what_needs_attention_next}
Write a 150 to 200 word standup update that summarizes code review progress on {feature_being_developed}. Highlight {major_issues_found} that affect the team. Communicate {timeline_impact} clearly and identify {next_review_priorities} for the coming sprint.
When to use it: When you need to update your team on code review progress during standups or sprint planning meetings.
Pro tip: Focus on blockers and dependencies that affect other team members - save detailed technical issues for separate conversations.
You are documenting a significant technical decision made during code review that will affect future development.
Decision: {technical_choice_or_pattern_decided} Alternative approaches: {other_options_considered} Reasoning: {why_this_choice_was_made} Impact on codebase: {how_this_affects_other_code} Team members involved: {who_participated_in_decision} Implementation timeline: {when_this_gets_rolled_out}
Write a 300 to 400 word technical decision record. Explain {decision} and document why {alternative_approaches} were rejected. Describe {impact_on_codebase} so future developers understand the reasoning. Set expectations for {implementation_timeline}.
When to use it: When code review discussions lead to important architectural or technical standard decisions that should be documented for the team.
Pro tip: Include the trade-offs that influenced the decision - future developers will thank you when they understand why you chose simplicity over performance, or vice versa.
You are escalating a code review disagreement to your engineering manager for resolution.
Disagreement topic: {what_the_conflict_is_about} Your position: {your_technical_recommendation} Other developer: {colleague_name} Their position: {alternative_technical_approach} Project deadline: {timeline_pressure} Business impact: {user_facing_or_internal_system} Previous attempts to resolve: {what_discussion_happened}
Write a 200 to 300 word escalation email that presents both {your_position} and {their_position} fairly. Focus on technical merits rather than personalities. Explain why resolution is needed given {project_deadline} and {business_impact}.
When to use it: When you and another developer can’t agree on a technical approach and need management input to move forward.
Pro tip: Present the other person’s position as strongly as your own - managers make better decisions when they understand both sides clearly.
You are writing handoff documentation for a code review process that you’re transferring to another team member.
Review responsibilities: {what_types_of_reviews_youve_been_doing} Key areas to focus on: {security_performance_or_architecture} Common issues: {frequent_problems_you_catch} Team dynamics: {how_different_developers_prefer_feedback} Review tools: {github_gitlab_or_other_platforms} Escalation process: {when_and_how_to_escalate}
Write a 350 to 450 word handoff document that explains {review_responsibilities} and {key_areas_to_focus_on}. Share insights about {common_issues} and {team_dynamics} that will help them be effective. Document {review_tools} workflows and {escalation_process}.
When to use it: When transitioning code review responsibilities to another team member or training someone to take over part of your review workload.
Pro tip: Include examples of good and bad feedback you’ve given - concrete examples teach review skills faster than abstract principles.
You are writing a retrospective summary about code review effectiveness and improvements needed for the team.
Time period: {sprint_quarter_or_month_reviewed} Review metrics: {average_review_time_pr_size_defect_rate} Team feedback: {what_developers_said_about_process} Process changes made: {improvements_implemented} Remaining challenges: {ongoing_issues_to_solve} Success stories: {examples_where_reviews_caught_major_issues}
Write a 300 to 400 word retrospective that analyzes {review_metrics} and connects them to {team_feedback}. Celebrate {success_stories} where reviews prevented production issues. Identify specific next steps to address {remaining_challenges}.
When to use it: When preparing retrospective materials or quarterly reviews of your team’s code review process and effectiveness.
Pro tip: Include both quantitative metrics (review time, PR size) and qualitative feedback (developer satisfaction, learning outcomes) for a complete picture.
Frequently Asked Questions
How do I adapt these ChatGPT prompts for different code review tools like GitLab or Azure DevOps in 2026?
The prompts work with any review platform since they focus on the content and communication, not the tool interface. Just adjust the output format - for example, mention “merge request” instead of “pull request” for GitLab, or reference work item numbers for Azure DevOps integration.
What’s the best way to use AI prompts for security-focused code reviews without missing critical vulnerabilities?
Use the security prompts as documentation and communication tools, not as replacements for actual security analysis. Run your own security scans first, then use the prompts to explain findings clearly and ensure consistent security review documentation across your team.
How can I customize these code review prompts for junior developers versus senior developers?
Adjust the tone and detail level in the variables. For junior developers, use more mentoring language and include more explanation of the “why” behind suggestions. For senior developers, focus on architectural concerns and trade-offs rather than basic coding practices.