Tech Frontier

Automate Code Reviews on Every PR with Claude Code + GitHub Actions

Mar 11, 2026

Every pull request is a potential quality gate. The problem: code reviews take time, reviewers get fatigued, and security checks are often skipped under deadline pressure.

With Claude Code integrated into GitHub Actions, every PR gets:

  • A 5-axis code review (design, readability, performance, security, testability)
  • A secret scan (leaked API keys, tokens)
  • A dependency CVE check

All automatically, before a human reviewer even opens the PR.

The Workflow

# .github/workflows/claude-review.yml
name: Claude Code Review
on:
  pull_request:
    types: [opened, synchronize]
# Least privilege: the job only needs to read the repo and post PR comments.
# Note that repository secrets are not exposed to pull_request runs from forks.
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so origin/<base_ref> exists for the diff
      - name: Install Claude Code
        run: npm install -g @anthropic-ai/claude-code
      - name: Run AI Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # read by gh for pr comment
        run: |
          # Get the diff against the PR base branch
          git diff origin/${{ github.base_ref }}...HEAD > /tmp/diff.txt
          # Run the review prompt over the diff (the diff is untrusted PR content)
          claude --print "Review the following git diff for code quality issues.
          Check design, readability, performance, security (OWASP), and testability.
          Format findings as GitHub PR review comments with file:line references.
          $(cat /tmp/diff.txt)" > /tmp/review.md
          # Post review as PR comment
          gh pr comment ${{ github.event.pull_request.number }} \
            --body "$(cat /tmp/review.md)"

Add Secret Scanning

      - name: Secret Scan
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # needed by gh pr comment
        run: |
          claude --print "Scan these files for leaked credentials:
          - AWS keys (AKIA...)
          - GitHub tokens (ghp_...)
          - Anthropic keys (sk-ant-api...)
          - Stripe keys (sk_live_, sk_test_)
          Only report real findings, not test fixtures or placeholders.
          If clean, say 'No secrets detected.'
          Files changed:
          $(git diff --name-only origin/${{ github.base_ref }}...HEAD | head -20)" > /tmp/secrets.txt
          # Post only when the report signals a finding; grep is case-sensitive,
          # so the clean verdict 'No secrets detected.' does not trigger it
          if grep -q "CRITICAL\|FOUND\|DETECTED" /tmp/secrets.txt; then
            gh pr comment ${{ github.event.pull_request.number }} --body "⚠️ **Secret Scanner Alert**
          $(cat /tmp/secrets.txt)"
          fi
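The Secret Scan step above alerts on a grep over the model's free-text verdict. As an added example that is not part of the article, here is a deterministic pre-filter in POSIX shell that scans only the lines a PR adds for the four key formats the prompt lists and prints file:line references; `scan_diff` and `diff_is_clean` are names chosen here, and the diff it runs on is constructed.

```shell
#!/usr/bin/env sh
# Added example, not the article's code: deterministic pre-filter for the
# Secret Scan step. Scans only lines a PR adds for the four listed key formats.

# Reads a unified diff on stdin; prints "path:line: <kind>" for each added
# line carrying a listed key format. Lines marked EXAMPLE and files under
# test(s)/ or fixtures/ are skipped, per the prompt's "not test fixtures or
# placeholders" rule. Hypothetical function name chosen for this example.
scan_diff() {
  awk '
    /^\+\+\+ / { path = substr($0, 7); next }              # "+++ b/path" -> path
    /^@@ /     { split($3, h, /[+,]/); line = h[2]; next } # new-side start line
    /^-/       { next }                                    # removed line: no new line number
    /^\+/ {
      added = substr($0, 2)
      skip = (path ~ /^(tests?|fixtures)\//) || (path ~ /\/(tests?|fixtures)\//)
      skip = skip || (added ~ /EXAMPLE/)
      if (!skip) {
        kind = ""
        if      (added ~ /AKIA[0-9A-Z]+/)               kind = "AWS access key"
        else if (added ~ /ghp_[A-Za-z0-9]+/)            kind = "GitHub token"
        else if (added ~ /sk-ant-api[A-Za-z0-9_-]+/)    kind = "Anthropic key"
        else if (added ~ /sk_(live|test)_[A-Za-z0-9]+/) kind = "Stripe key"
        if (kind != "") print path ":" line ": " kind
      }
      line++; next
    }
    { line++ }                                             # context line
  '
}

# Gate for the workflow: exit 0 when the diff on stdin has no findings.
diff_is_clean() {
  [ "$(scan_diff | wc -l)" -eq 0 ]
}

# Constructed sample diff: an Anthropic-style key, a Stripe test key, and
# AWS's documented placeholder key, which the EXAMPLE rule suppresses.
SAMPLE_DIFF='diff --git a/src/config.py b/src/config.py
--- a/src/config.py
+++ b/src/config.py
@@ -12,3 +12,5 @@ import os
 DEBUG = False
-API_KEY = os.environ["ANTHROPIC_API_KEY"]
+API_KEY = "sk-ant-api03-abc123"
+STRIPE_KEY = "sk_test_51Hxyz"
+EXAMPLE_KEY = "AKIAIOSFODNN7EXAMPLE"
 TIMEOUT = 30'

printf '%s\n' "$SAMPLE_DIFF" | scan_diff   # prints the two real findings
```

In the workflow this runs as `scan_diff < /tmp/diff.txt` next to the model's report, and `diff_is_clean < /tmp/diff.txt` gives the step an exit code the grep gate cannot.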

Dependency CVE Check on package.json Changes

      - name: Dependency CVE Check
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # needed by gh pr comment
        run: |
          # github.event.pull_request.changed_files is a file count, not a list of
          # names, so test the diff itself for a package.json change and skip otherwise.
          if git diff --quiet origin/${{ github.base_ref }}...HEAD -- package.json; then
            echo "package.json unchanged; skipping CVE check"
            exit 0
          fi
          claude --print "Check these dependencies for known CVEs.
          Cross-reference against the NVD (National Vulnerability Database).
          List CRITICAL and HIGH severity findings only.
          $(cat package.json)" > /tmp/cve_report.txt
          gh pr comment ${{ github.event.pull_request.number }} --body "**Dependency Security Report**
          $(cat /tmp/cve_report.txt)"

Sample PR Comment Output

## Claude Code Review — PR #47
### Summary
**Score: B** (3 issues found)
---
### [HIGH] Security: Hardcoded credential
**File**: `src/config.py:15`
**Issue**: `API_KEY = "sk-ant-api03-xxxx"` — hardcoded secret visible in git history
**Fix**: Use `os.environ["ANTHROPIC_API_KEY"]` instead
---
### [MEDIUM] Performance: N+1 Query
**File**: `src/api/orders.py:42`
**Issue**: DB query inside a loop — scales as O(n)
**Fix**: Use a JOIN or batch fetch with `WHERE id IN (...)`
---
### [LOW] Readability: Magic number
**File**: `src/utils/time.py:8`
**Issue**: `86400` appears without explanation
**Fix**: Extract as `SECONDS_PER_DAY = 86400`

Cost Estimation

At claude-sonnet-4-5 pricing (~$3/M input tokens, $15/M output tokens):

PR Size                        Approx Cost
Small (< 200 lines changed)    $0.01-0.03
Medium (200-1000 lines)        $0.05-0.15
Large (1000+ lines)            $0.20-0.50

For teams running 50 PRs/month, the total cost is typically under $5 — far less than the engineering time saved on manual reviews.

Pre-Built Skills for Deeper Analysis

The workflow above uses simple prompts. For more structured, consistent output, the Security Pack and Code Review Pack provide purpose-built skills:

  • /security-audit — OWASP Top 10 with severity classification
  • /secret-scanner — Regex + entropy-based detection with false-positive filtering
  • /deps-check — CVE cross-reference with fix recommendations
  • /code-review — 5-axis review with standardized output format
  • /refactor-suggest — Technical debt quantification
  • /test-gen — Automatic test generation for changed files

Available on PromptWorks — Security Pack ¥1,480 / Code Review Pack ¥980.

Myouga (@myougatheaxo) — Security-focused Claude Code engineer.
