I've reviewed thousands of pull requests over 10 years. The patterns are remarkably consistent — the same types of issues come up again and again, regardless of the language, framework, or developer's experience level.
What I Actually Look For
Forget the textbook code review checklists with 50 items. In practice, I focus on five things that catch 90% of real problems:
1. Error Handling
The #1 source of production incidents. Questions I ask: What happens when this API call fails? What if the database is down? What if the input is null? If the answer is "it crashes," that's a problem.
2. Edge Cases
Empty arrays, zero values, very large inputs, Unicode characters, concurrent requests. The happy path always works. The edge cases are where bugs live.
3. Security
User input going directly into SQL queries, HTML, or shell commands. Authentication checks missing on endpoints. Secrets hardcoded in source code. According to Google's code review guidelines, security issues should block any PR.
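The three "user input going directly into..." patterns and the hardcoded-secret pattern, as an added example that is not part of the original post: each flagged form sits beside the fix a reviewer would ask for. The table, values and the `DEMO_API_KEY` variable name are constructed for the demo; nothing here comes from a real application.

```python
import html
import os
import shlex
import sqlite3


def make_db():
    """Constructed in-memory table with two sample users (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


# --- SQL: input concatenated into the statement (the pattern to block) ---
def find_user_vulnerable(conn, name):
    # String formatting lets the value change the structure of the query.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def find_user_safe(conn, name):
    # Parameterized query: the driver sends the value separately from the SQL text,
    # so it is compared as a literal and can never become part of the statement.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- HTML: input rendered into a page ---
def render_greeting_vulnerable(name):
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    # Escape at the output boundary so the value is displayed, not parsed as markup.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- Shell: input reaching a command ---
def build_argv(path):
    # Preferred fix: pass an argument list to subprocess.run without shell=True.
    # The path is a single argv entry regardless of the characters it contains.
    return ["ls", "--", path]


def quote_for_shell(path):
    # When a shell string is unavoidable, quote the value instead of concatenating it.
    return "ls -- " + shlex.quote(path)


# --- Secrets: read from the environment, never from source ---
def load_api_key(env=os.environ):
    # Fail loudly when the key is missing rather than falling back to a literal.
    key = env.get("DEMO_API_KEY")
    if not key:
        raise RuntimeError("DEMO_API_KEY is not set")
    return key


def demo():
    """Run the SQL and HTML cases against constructed probe inputs."""
    conn = make_db()
    probe = "' OR '1'='1"          # constructed input with SQL metacharacters
    markup = "<script>alert(1)</script>"   # constructed input with HTML metacharacters
    return {
        "sql_vulnerable": find_user_vulnerable(conn, probe),  # returns every row
        "sql_safe": find_user_safe(conn, probe),              # nobody has that literal name
        "html_vulnerable": render_greeting_vulnerable(markup),
        "html_safe": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

In review, the cheapest check is mechanical: any f-string or `+` that builds SQL, HTML, or a shell string from a request value is a blocker until it is replaced by the parameterized, escaped, or argv form shown above.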
4. Readability
Can someone who didn't write this code understand it in 30 seconds? Variable names that explain what they contain. Functions that do one thing. Comments that explain why, not what.
5. Performance (When It Matters)
N+1 database queries, unnecessary re-renders, O(n²) algorithms on large datasets. I don't optimize prematurely, but I flag obvious performance issues.
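The N+1 pattern is easiest to flag when you can count the statements a function issues. The following is an added example, not code from the original post: it uses a constructed SQLite schema (`authors`, `posts`) and the standard-library `sqlite3` trace callback to count queries, showing the per-row lookup beside the single JOIN that replaces it.

```python
import sqlite3

AUTHOR_COUNT = 50  # constructed dataset size


def make_db():
    """Constructed in-memory schema: one post per author (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, title TEXT);
        """
    )
    conn.executemany(
        "INSERT INTO authors (id, name) VALUES (?, ?)",
        [(i, f"author{i}") for i in range(1, AUTHOR_COUNT + 1)],
    )
    conn.executemany(
        "INSERT INTO posts (author_id, title) VALUES (?, ?)",
        [(i, f"post by author{i}") for i in range(1, AUTHOR_COUNT + 1)],
    )
    conn.commit()
    return conn


class QueryCounter:
    """Counts every SQL statement the connection executes via the trace hook."""

    def __init__(self):
        self.count = 0

    def __call__(self, statement):
        self.count += 1


def titles_with_author_n_plus_1(conn):
    # One query for the posts, then one more query per row: N+1 round trips.
    result = []
    posts = conn.execute("SELECT id, author_id, title FROM posts ORDER BY id").fetchall()
    for _post_id, author_id, title in posts:
        (name,) = conn.execute(
            "SELECT name FROM authors WHERE id = ?", (author_id,)
        ).fetchone()
        result.append((title, name))
    return result


def titles_with_author_join(conn):
    # The same result in a single statement; the database does the lookup.
    rows = conn.execute(
        "SELECT p.title, a.name FROM posts p "
        "JOIN authors a ON a.id = p.author_id ORDER BY p.id"
    ).fetchall()
    return [(title, name) for title, name in rows]


def count_queries(fn, conn):
    """Return (number of statements executed, fn's result) for one call of fn."""
    counter = QueryCounter()
    conn.set_trace_callback(counter)
    try:
        result = fn(conn)
    finally:
        conn.set_trace_callback(None)
    return counter.count, result


if __name__ == "__main__":
    db = make_db()
    slow_count, slow = count_queries(titles_with_author_n_plus_1, db)
    fast_count, fast = count_queries(titles_with_author_join, db)
    print(f"N+1 version: {slow_count} queries; JOIN version: {fast_count} query")
    print("same rows:", slow == fast)
```

The counter is the review tool here: if a function's statement count grows with the size of its input, it is the N+1 shape regardless of which ORM or driver produced it.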
The Review Process
The AI Code Reviewer automates the mechanical parts of code review — checking for common patterns, security issues, and style violations. But it doesn't replace human review for architecture decisions and business logic.
My process: AI review first (catches the obvious stuff) → human review (catches the subtle stuff) → discussion (resolves disagreements).
How to Give Good Feedback
- Be specific. "This could be better" is useless. "This SQL query is vulnerable to injection — use parameterized queries instead" is actionable.
- Explain why. Don't just say "change this." Explain the reasoning so the developer learns.
- Distinguish blockers from suggestions. "Must fix: security issue" vs. "Nit: I'd rename this variable for clarity."
- Praise good code. "Nice error handling here" reinforces good practices.
As software engineering research shows, code review catches 60-90% of defects before they reach production. It's the highest-ROI quality practice in software development.