Workflow: Code Review
Overview
This workflow covers using Cursor AI for code review, including reviewing your own code before committing, reviewing team PRs, and setting up automated review with Bugbot.
When to Use: Before committing, reviewing PRs, quality assurance
Prerequisites
- Git repository with changes
- Familiarity with Agent Chat
- GitHub/GitLab integration (for PR review)
Workflow Diagram
| Stage | Description | Tool |
|---|---|---|
| Self-Review | Before committing your changes | Agent + Ask Mode |
| PR Review | Reviewing team member's PR | Agent + CLI |
| Automated Review | Continuous review on PRs | Bugbot |
Self-Review Before Committing
Step 1: Review Your Changes
Open Agent and ask for a review:
Review my current changes for:
- Potential bugs or errors
- Security vulnerabilities
- Performance issues
- Code style and best practices
Focus on the changes I've made (staged and unstaged).Agent will run git diff and provide feedback.
Step 2: Targeted Security Review
For security-sensitive code:
Review @src/auth/ for security vulnerabilities:
- SQL injection
- XSS vulnerabilities
- Authentication bypasses
- Insecure data handling
- Hardcoded secretsStep 3: Ask Questions
Use Ask mode for specific concerns:
Is the password hashing in @AuthService.ts secure?
What's the best practice for storing JWT secrets?
Could this query be vulnerable to injection?PR Review with Agent
Review Local Branch
Review all changes on this branch compared to main.
Summarize what was changed and identify any issues.
Consider:
- Breaking changes
- Missing tests
- Documentation updates needed
- Potential regressionsReview Specific Commits
Review the last 3 commits on this branch.
What was the intent of each change?
Are there any concerns?Review with GitHub CLI
bash
# Get PR diff and review
gh pr diff 123 | cursor-agent -p "Review this PR for issues"Review Checklist
Ask Agent to check specific criteria:
Review this code against our checklist:
□ No console.log statements
□ Error handling for all async operations
□ Input validation on API endpoints
□ TypeScript types for all parameters
□ Unit tests for new functions
□ Documentation for public APIs
□ No hardcoded configuration
□ Database migrations are reversibleSetting Up Bugbot
Create Bugbot Rules
Create .cursor/bugbot.md in your repository:
markdown
# Bugbot Review Rules
## Security
- Flag any hardcoded API keys or secrets
- Check for SQL injection in database queries
- Verify input validation on all endpoints
- Ensure authentication is required where expected
## Database
- All migrations must have down/rollback methods
- New foreign keys must have indexes
- Flag any DROP TABLE or destructive operations
## Code Quality
- No TODO comments without linked issues
- Console.log statements should not be in production code
- All async functions must have error handling
## Testing
- New features require unit tests
- Bug fixes require regression tests
- Test file names must match source files
## Documentation
- Public API changes require documentation updates
- Breaking changes must be noted in PR descriptionEnable Bugbot
- Install Bugbot from GitHub Marketplace
- Configure in repository settings
- Bugbot comments on new PRs automatically
Using Ask Mode for Review
For learning without making changes:
Understand Code Intent
[Switch to Ask Mode]
What is the purpose of the changes in this PR?
Are there any design patterns being used?
What are the potential edge cases not covered?Explore Trade-offs
What are the trade-offs of this approach?
Are there alternative implementations?
What would break if this code fails?Review Response Templates
Providing Feedback
Generate review feedback for these changes.
Format as:
MUST FIX (blocking issues):
- Issue 1
- Issue 2
SHOULD FIX (non-blocking but recommended):
- Issue 1
- Issue 2
NICE TO HAVE (suggestions):
- Suggestion 1
QUESTIONS:
- Clarification needed on XRequest Changes
Summarize issues found and generate a "Request Changes" comment
for GitHub PR review format.Best Practices
Self-Review
- Review your own code before submitting PR
- Run tests locally first
- Use AI to catch what you might miss
PR Review
- Understand the context before reviewing
- Focus on logic and design, not just style
- Ask questions to understand intent
- Provide actionable feedback
Automated Review
- Set up Bugbot for consistent checks
- Configure rules based on team standards
- Keep rules up to date