Claude Code’s code review dispatches parallel agents, each looking for a different class of issue. A REVIEW.md file in your project root tunes what they flag, what they ignore, and what project conventions they should know about.
Setup
Create REVIEW.md in your project root:

```markdown
# Review Guidelines

## Always Flag
- Security vulnerabilities (injection, auth bypass, data exposure)
- API contract changes without a migration plan
- Missing tests for new public functions
- Hard-coded secrets or credentials

## Ignore
- Code style / formatting (handled by CI linters)
- TODO comments (tracked separately)
- Minor naming preferences

## Context
- We use Zod for runtime validation; flag raw type assertions (`as Foo`) on untrusted input that bypass it
- All database queries must go through the ORM, never raw SQL
- Feature flags are required for user-facing changes
```
How Review Works
Code review runs multiple agents in parallel, each checking for a different issue type. They:
- Identify candidate issues
- Verify each candidate and drop false positives
- Rank the remaining issues by severity
- Post a single summary comment plus inline annotations on the PR
Tuning False Positives
If reviews are too noisy, raise the confidence threshold in your review command or add the noisy categories to the Ignore section of REVIEW.md. If reviews miss real issues, add Always Flag entries that show a bad pattern next to the corrected one, so the agents have a concrete example of what to look for.
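As an added illustration (not from the original page or from Anthropic’s own documentation), here is what bad/good pairs for the two Context rules above might look like when promoted to Always Flag entries. The code fragments are hypothetical: `CreateUserRequest` is assumed to be a Zod schema, and `db.raw` and the `db.select().from(...).where(...)` builder stand in for whatever raw-query escape hatch and query builder your ORM exposes.

```markdown
## Always Flag

- Raw type assertions on untrusted input. An `as` cast tells the compiler
  the shape is right but checks nothing at runtime; parse with the Zod
  schema instead so malformed or hostile input is rejected.

  Bad:

      const body = JSON.parse(req.body) as CreateUserRequest;

  Good:

      const body = CreateUserRequest.parse(JSON.parse(req.body));

- SQL strings built from request data. Interpolating values into a query
  is an injection vector; use the ORM query builder so values are bound
  as parameters.

  Bad:

      const rows = await db.raw(`SELECT * FROM users WHERE email = '${email}'`);

  Good:

      const rows = await db.select().from(users).where(eq(users.email, email));
```

Keep each pair short and specific to one rule. A single Always Flag bullet that lists several unrelated anti-patterns gives the agents less to anchor on than one rule per bullet with its own bad/good example.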
Tip
Reviews found issues in 54% of PRs in Anthropic’s internal testing, up from 16% with human-only review. For PRs over 1000 lines, the hit rate is 84%.