DEV Community

myougaTheAxo
myougaTheAxo

Posted on

Automate Code Reviews on Every PR with Claude Code + GitHub Actions

#claudecode #githubactions #cicd #security

Every pull request is a potential quality gate. The problem: code reviews take time, reviewers get fatigued, and security checks are often skipped under deadline pressure.

With Claude Code integrated into GitHub Actions, every PR gets:

  • A 5-axis code review (design, readability, performance, security, testability)
  • A secret scan (leaked API keys, tokens)
  • A dependency CVE check

All automatically, before a human reviewer even opens the PR.

The Workflow 

# .github/workflows/claude-review.yml
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code

      - name: Run AI Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Get the diff
          git diff origin/${{ github.base_ref }}...HEAD > /tmp/diff.txt

          # Run /code-review on changed files
          claude --print "Review the following git diff for code quality issues.
          Check design, readability, performance, security (OWASP), and testability.
          Format findings as GitHub PR review comments with file:line references.

          $(cat /tmp/diff.txt)" > /tmp/review.md

          # Post review as PR comment
          gh pr comment ${{ github.event.pull_request.number }} \
            --body "$(cat /tmp/review.md)"
Enter fullscreen mode Exit fullscreen mode

Add Secret Scanning 

      - name: Secret Scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude --print "Scan these files for leaked credentials:
          - AWS keys (AKIA...)
          - GitHub tokens (ghp_...)
          - Anthropic keys (sk-ant-api...)
          - Stripe keys (sk_live_, sk_test_)

          Only report real findings, not test fixtures or placeholders.
          If clean, say 'No secrets detected.'

          Files changed:
          $(git diff --name-only origin/${{ github.base_ref }}...HEAD | head -20)" > /tmp/secrets.txt

          if grep -q "CRITICAL\|FOUND\|DETECTED" /tmp/secrets.txt; then
            gh pr comment ${{ github.event.pull_request.number }}               --body "⚠️ **Secret Scanner Alert**

$(cat /tmp/secrets.txt)"
          fi
Enter fullscreen mode Exit fullscreen mode

Dependency CVE Check on package.json Changes 

      - name: Dependency CVE Check
        if: contains(github.event.pull_request.changed_files, 'package.json')
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          claude --print "Check these dependencies for known CVEs.
          Cross-reference against the NVD (National Vulnerability Database).
          List CRITICAL and HIGH severity findings only.

          $(cat package.json)" > /tmp/cve_report.txt

          gh pr comment ${{ github.event.pull_request.number }}             --body "**Dependency Security Report**

$(cat /tmp/cve_report.txt)"
Enter fullscreen mode Exit fullscreen mode

Sample PR Comment Output 

## Claude Code Review — PR #47

### Summary
**Score: B** (3 issues found)

---

### [HIGH] Security: Hardcoded credential
**File**: `src/config.py:15`
**Issue**: `API_KEY = "sk-ant-api03-xxxx"` — hardcoded secret visible in git history
**Fix**: Use `os.environ["ANTHROPIC_API_KEY"]` instead

---

### [MEDIUM] Performance: N+1 Query
**File**: `src/api/orders.py:42`
**Issue**: DB query inside a loop — scales as O(n)
**Fix**: Use a JOIN or batch fetch with `WHERE id IN (...)`

---

### [LOW] Readability: Magic number
**File**: `src/utils/time.py:8`
**Issue**: `86400` appears without explanation
**Fix**: Extract as `SECONDS_PER_DAY = 86400`
Enter fullscreen mode Exit fullscreen mode

Cost Estimation

At claude-sonnet-4-5 pricing (~$3/M input tokens, $15/M output tokens):

PR Size Approx Cost
Small (< 200 lines changed) $0.01-0.03
Medium (200-1000 lines) $0.05-0.15
Large (1000+ lines) $0.20-0.50

For teams running 50 PRs/month, the total cost is typically under $5 — far less than the engineering time saved on manual reviews.

Pre-Built Skills for Deeper Analysis

The workflow above uses simple prompts. For more structured, consistent output, the Security Pack and Code Review Pack provide purpose-built skills:

  • /security-audit — OWASP Top 10 with severity classification
  • /secret-scanner — Regex + entropy-based detection with false-positive filtering
  • /deps-check — CVE cross-reference with fix recommendations
  • /code-review — 5-axis review with standardized output format
  • /refactor-suggest — Technical debt quantification
  • /test-gen — Automatic test generation for changed files

Available on PromptWorks — Security Pack ¥1,480 / Code Review Pack ¥980.

Myouga (@myougatheaxo) — Security-focused Claude Code engineer.

Top comments (0)