Skip to content

Workflow: Code Review

Overview

This workflow covers using Cursor AI for code review, including reviewing your own code before committing, reviewing team PRs, and setting up automated review with Bugbot.

When to Use: Before committing, reviewing PRs, quality assurance


Prerequisites

  • Git repository with changes
  • Familiarity with Agent Chat
  • GitHub/GitLab integration (for PR review)

Workflow Diagram

StageDescriptionTool
Self-ReviewBefore committing your changesAgent + Ask Mode
PR ReviewReviewing team member's PRAgent + CLI
Automated ReviewContinuous review on PRsBugbot

Self-Review Before Committing

Step 1: Review Your Changes

Open Agent and ask for a review:

Review my current changes for:
- Potential bugs or errors
- Security vulnerabilities
- Performance issues
- Code style and best practices

Focus on the changes I've made (staged and unstaged).

Agent will run git diff and provide feedback.

Step 2: Targeted Security Review

For security-sensitive code:

Review @src/auth/ for security vulnerabilities:
- SQL injection
- XSS vulnerabilities
- Authentication bypasses
- Insecure data handling
- Hardcoded secrets

Step 3: Ask Questions

Use Ask mode for specific concerns:

Is the password hashing in @AuthService.ts secure?
What's the best practice for storing JWT secrets?
Could this query be vulnerable to injection?

PR Review with Agent

Review Local Branch

Review all changes on this branch compared to main.
Summarize what was changed and identify any issues.

Consider:
- Breaking changes
- Missing tests
- Documentation updates needed
- Potential regressions

Review Specific Commits

Review the last 3 commits on this branch.
What was the intent of each change?
Are there any concerns?

Review with GitHub CLI

bash
# Get PR diff and review
gh pr diff 123 | cursor-agent -p "Review this PR for issues"

Review Checklist

Ask Agent to check specific criteria:

Review this code against our checklist:

□ No console.log statements
□ Error handling for all async operations
□ Input validation on API endpoints
□ TypeScript types for all parameters
□ Unit tests for new functions
□ Documentation for public APIs
□ No hardcoded configuration
□ Database migrations are reversible

Setting Up Bugbot

Create Bugbot Rules

Create .cursor/bugbot.md in your repository:

markdown
# Bugbot Review Rules

## Security
- Flag any hardcoded API keys or secrets
- Check for SQL injection in database queries
- Verify input validation on all endpoints
- Ensure authentication is required where expected

## Database
- All migrations must have down/rollback methods
- New foreign keys must have indexes
- Flag any DROP TABLE or destructive operations

## Code Quality
- No TODO comments without linked issues
- Console.log statements should not be in production code
- All async functions must have error handling

## Testing
- New features require unit tests
- Bug fixes require regression tests
- Test file names must match source files

## Documentation
- Public API changes require documentation updates
- Breaking changes must be noted in PR description

Enable Bugbot

  1. Install Bugbot from GitHub Marketplace
  2. Configure in repository settings
  3. Bugbot comments on new PRs automatically

Using Ask Mode for Review

For learning without making changes:

Understand Code Intent

[Switch to Ask Mode]

What is the purpose of the changes in this PR?
Are there any design patterns being used?
What are the potential edge cases not covered?

Explore Trade-offs

What are the trade-offs of this approach?
Are there alternative implementations?
What would break if this code fails?

Review Response Templates

Providing Feedback

Generate review feedback for these changes.
Format as:

MUST FIX (blocking issues):
- Issue 1
- Issue 2

SHOULD FIX (non-blocking but recommended):
- Issue 1
- Issue 2

NICE TO HAVE (suggestions):
- Suggestion 1

QUESTIONS:
- Clarification needed on X

Request Changes

Summarize issues found and generate a "Request Changes" comment
for GitHub PR review format.

Best Practices

Self-Review

  • Review your own code before submitting PR
  • Run tests locally first
  • Use AI to catch what you might miss

PR Review

  • Understand the context before reviewing
  • Focus on logic and design, not just style
  • Ask questions to understand intent
  • Provide actionable feedback

Automated Review

  • Set up Bugbot for consistent checks
  • Configure rules based on team standards
  • Keep rules up to date

Built with VitePress | Powered by Claude AI