
AI Code Review Checklist

A systematic 7-step framework for reviewing AI-generated code before it merges.

Steps

1. Understand the intent

Ask the author to explain what problem this solves. Red flag: they can't without looking at the code.

2. Check for hallucinated APIs

Verify every external function call exists in the actual library documentation.

3. Verify error handling

AI code often has happy-path coverage only. Check every external call for proper error handling.

4. Security scan

Run SonarQube, Semgrep, or CodeQL. Watch for SQL injection, unvalidated input, exposed secrets.

5. Test coverage check

AI tests often confirm the implementation rather than validate business logic.

6. Maintainability review

Could any senior dev understand and change this in 30 minutes without the original author?

7. Final sign-off

You own what ships. Document known limitations in the PR description.
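Steps 2 and 3 (hallucinated APIs, missing error handling) can be partly automated for Python code before the human pass. The helper below is an added example written for this page; it is not code from the checklist's author or from any tool the checklist names. It parses the code under review with the standard-library `ast` module, resolves every dotted call against the module that was actually imported, and reports calls into a set of "external" modules that are not inside a `try` block. `EXTERNAL_MODULES` is a policy assumed for the example, `ReviewVisitor`, `review_source` and `SAMPLE` are names invented here, and `SAMPLE` is a constructed snippet standing in for AI-generated code, not real project code.

```python
"""Added example (not from the original page): AST helper for checklist steps 2 and 3."""
import ast
import importlib

# Hypothetical review policy: calls into these modules are external I/O and belong in a try block.
EXTERNAL_MODULES = frozenset({"json", "socket", "urllib"})


class ReviewVisitor(ast.NodeVisitor):
    def __init__(self, external):
        self.external = external
        self.bound = {}       # local name -> (live object, top-level module it came from)
        self.try_depth = 0
        self.findings = []    # (line, kind, detail); kind is hallucinated_api or unguarded_call

    def visit_Import(self, node):
        for alias in node.names:
            try:
                module = importlib.import_module(alias.name)
            except ImportError:
                self.findings.append((node.lineno, "hallucinated_api", f"no module {alias.name!r}"))
                continue
            top = alias.name.split(".")[0]
            if alias.asname:                      # import a.b as c binds c to a.b
                self.bound[alias.asname] = (module, top)
            else:                                 # import a.b binds the top-level name a
                self.bound[top] = (importlib.import_module(top), top)

    def visit_ImportFrom(self, node):
        if node.level or node.module is None:     # relative import: not resolved here
            return
        try:
            module = importlib.import_module(node.module)
        except ImportError:
            self.findings.append((node.lineno, "hallucinated_api", f"no module {node.module!r}"))
            return
        for alias in node.names:
            if not hasattr(module, alias.name):
                self.findings.append((node.lineno, "hallucinated_api", f"{node.module}.{alias.name} does not exist"))
                continue
            self.bound[alias.asname or alias.name] = (getattr(module, alias.name), node.module.split(".")[0])

    def visit_Try(self, node):
        self.try_depth += 1                       # only the try body counts as guarded
        for stmt in node.body:
            self.visit(stmt)
        self.try_depth -= 1
        for stmt in node.handlers + node.orelse + node.finalbody:
            self.visit(stmt)

    def visit_Call(self, node):
        chain = self._dotted_name(node.func)
        if chain and chain[0] in self.bound:
            obj, origin = self.bound[chain[0]]
            for attr in chain[1:]:                # resolve a.b.c against the live object
                if not hasattr(obj, attr):
                    self.findings.append((node.lineno, "hallucinated_api", ".".join(chain) + " does not exist"))
                    break
                obj = getattr(obj, attr)
            else:
                if origin in self.external and self.try_depth == 0:
                    self.findings.append((node.lineno, "unguarded_call", ".".join(chain) + " outside any try block"))
        self.generic_visit(node)                  # keep walking into arguments and nested calls

    @staticmethod
    def _dotted_name(func):
        """a.b.c(...) -> ['a', 'b', 'c']; [] when the root is not a plain name."""
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        return [func.id] + parts[::-1] if isinstance(func, ast.Name) else []


def review_source(source, external=EXTERNAL_MODULES):
    """Return (line, kind, detail) findings for one Python source file, in source order."""
    visitor = ReviewVisitor(external)
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample of "AI-generated" code under review; not real project code.
SAMPLE = """\
import json
import hashlib as h
from os import path

def load(name):
    data = json.load(open(name))          # external call with no error handling
    return data, h.sha256(name.encode()).hexdigest(), path.exists(name)

def load_safely(name):
    try:
        return json.parse(open(name))     # json has no parse(): hallucinated API
    except ValueError:
        return None
"""
```

`review_source(SAMPLE)` returns two findings: an `unguarded_call` for `json.load` on line 6 and a `hallucinated_api` for `json.parse` on line 11; `h.sha256` and `path.exists` resolve and are left alone. Two caveats for real use: the helper imports whatever modules the reviewed code names, so run it in an isolated environment with the project's pinned dependencies rather than on an arbitrary PR; and a name that resolves is not a name that is used correctly, so step 2's check against the library documentation still applies to argument signatures and semantics. It also only sees what Python's import machinery has loaded, so `from pkg import submodule` is reported unless the submodule was already imported.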

Checklist

  • Intent documented
  • APIs verified
  • Error handling complete
  • Static analysis clean
  • Tests validate business logic
  • Code readable by team
  • Limitations documented in PR

Prompts

Explain this code (orient quickly before reviewing):

"Explain what this code does, what assumptions it makes, and what could go wrong in production."

Security review (security-focused pass):

"Act as a senior security engineer. Review for SQL injection, unvalidated input, error handling gaps, race conditions. List each with file and line number."

Write the tests (generate missing coverage):

"Write integration tests: happy path, all documented error cases, 2 non-obvious edge cases."