# Code review with severity levels — Claude XML example

> Review a diff and produce structured findings (bug, perf, style) with severities.
>
> Source: https://claudexml.com/examples/code-review/ · Last updated 2026-05-25

Reasoning · advanced


Pre-merge automated review: a deterministic list of findings the human reviewer can scan and accept/dismiss.


## The prompt

Copy this verbatim. Replace the `{{ … }}` placeholders with your values.


```xml
<instructions>
Review the diff in <diff>. Produce a JSON array of findings inside <result> tags.

Each finding:
{
  "line": 42,                       // best-effort line in the new file
  "category": "bug | perf | security | style | docs",
  "severity": "info | low | medium | high | critical",
  "summary": "string, max 100 chars",
  "explanation": "string, 1–3 sentences",
  "suggested_fix": "string or null"
}

Rules:
- Only flag issues actually present in the diff. Do not speculate about the rest of the file.
- Severity "critical" is reserved for security issues or data corruption.
- Skip findings with severity "info" unless asked.
- If the diff is clean, return [].
</instructions>

<diff>{{ unified_diff }}</diff>

Return inside <result> tags.
```


## Sample input


A diff that adds a function using string concatenation for SQL and ignores the return value of a write call.


## Expected output


```xml
<result>
[
  {"line": 12, "category": "security", "severity": "critical",
   "summary": "SQL built via string concatenation — injection risk",
   "explanation": "User input is concatenated directly into the SQL query. Switch to parameterized queries.",
   "suggested_fix": "db.execute('SELECT * FROM users WHERE id = %s', (user_id,))"},
  {"line": 24, "category": "bug", "severity": "medium",
   "summary": "Write call result discarded",
   "explanation": "The return value of f.write() is not checked; on partial writes this silently truncates output.",
   "suggested_fix": null}
]
</result>
```
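As an added example, not code from claudexml.com, here is a Python consumer for the `<result>` payload shown above: it extracts the block from the surrounding model text, parses the JSON array and validates each finding against the schema stated in the prompt (positive integer line, category and severity from the listed enumerations, summary of at most 100 characters, `suggested_fix` string or null), separating accepted findings from rejected ones instead of trusting the model to follow the schema. The sample response embedded in the block is constructed from the expected output above plus one deliberately malformed entry.

```python
import json
import re
from typing import Any

# Enumerations taken from the prompt's finding schema.
CATEGORIES = {"bug", "perf", "security", "style", "docs"}
SEVERITIES = {"info", "low", "medium", "high", "critical"}

# Constructed sample response: the page's expected output plus a third,
# malformed entry so the validator has something to reject.
SAMPLE_RESPONSE = """Here is my review of the diff.
<result>
[
  {"line": 12, "category": "security", "severity": "critical",
   "summary": "SQL built via string concatenation - injection risk",
   "explanation": "User input is concatenated directly into the SQL query. Switch to parameterized queries.",
   "suggested_fix": "db.execute('SELECT * FROM users WHERE id = %s', (user_id,))"},
  {"line": 24, "category": "bug", "severity": "medium",
   "summary": "Write call result discarded",
   "explanation": "The return value of f.write() is not checked; on partial writes this silently truncates output.",
   "suggested_fix": null},
  {"line": "??", "category": "vibes", "severity": "low",
   "summary": "Not a real finding", "explanation": "Malformed entry.", "suggested_fix": null}
]
</result>
"""


def extract_result(text: str) -> str:
    """Return the body of the first <result>...</result> block; raise if absent."""
    m = re.search(r"<result>\s*(.*?)\s*</result>", text, re.DOTALL)
    if m is None:
        raise ValueError("model output contains no <result> block")
    return m.group(1)


def validate_finding(f: Any) -> list[str]:
    """Check one finding against the schema; return the list of violations (empty = valid)."""
    if not isinstance(f, dict):
        return ["finding is not a JSON object"]
    errors: list[str] = []
    line = f.get("line")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(line, bool) or not isinstance(line, int) or line < 1:
        errors.append("line must be a positive integer")
    if f.get("category") not in CATEGORIES:
        errors.append(f"unknown category {f.get('category')!r}")
    if f.get("severity") not in SEVERITIES:
        errors.append(f"unknown severity {f.get('severity')!r}")
    summary = f.get("summary")
    if not isinstance(summary, str) or not summary.strip() or len(summary) > 100:
        errors.append("summary must be a non-empty string of at most 100 characters")
    if not isinstance(f.get("explanation"), str):
        errors.append("explanation must be a string")
    fix = f.get("suggested_fix")
    if fix is not None and not isinstance(fix, str):
        errors.append("suggested_fix must be a string or null")
    return errors


def parse_findings(text: str) -> tuple[list[dict], list[tuple[int, list[str]]]]:
    """Parse model output into (accepted findings, [(index, violations)] for rejected ones).

    A clean diff is reported as an empty array, which parses to ([], [])."""
    data = json.loads(extract_result(text))
    if not isinstance(data, list):
        raise ValueError("<result> must contain a JSON array")
    accepted: list[dict] = []
    rejected: list[tuple[int, list[str]]] = []
    for i, f in enumerate(data):
        problems = validate_finding(f)
        if problems:
            rejected.append((i, problems))
        else:
            accepted.append(f)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_findings(SAMPLE_RESPONSE)
    for f in ok:
        print(f"[{f['severity']}] {f['category']} line {f['line']}: {f['summary']}")
    for i, problems in bad:
        print(f"rejected finding #{i}: {'; '.join(problems)}")
```

Rejected entries are kept with their violations rather than silently dropped, so a run where the model drifts off-schema is visible in the review log instead of looking like a clean diff.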


## Notes & tuning tips


- Force JSON output; nothing else parses reliably from a code-review prompt.
- Cap the diff size — large diffs (>1000 lines) yield shallow reviews; chunk by file.
- Pair with a confidence threshold and post only severity ≥ medium to PR comments.
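The last two tips, chunking by file and gating on severity, as an added Python example that is not code from the page: `split_diff_by_file` assumes git-style `diff --git` headers and keys each chunk by the path in its `+++ b/` line (falling back to `--- a/` for deleted files), `review_units` flags chunks over a line cap so they are not sent as-is, and `postable` applies the severity floor. The diff and the findings in the block are constructed sample data; the page's schema has no confidence field, so the filter gates on severity alone.

```python
import re

# Severity order from the prompt's schema, used for the post-to-PR threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed two-file git diff: one modified file and one deleted file.
SAMPLE_DIFF = """diff --git a/app/io.py b/app/io.py
index 1111111..2222222 100644
--- a/app/io.py
+++ b/app/io.py
@@ -20,3 +20,4 @@ def save(path, data):
     with open(path, "w") as f:
-        f.write(data)
+        f.write(data)
+        f.flush()
diff --git a/app/old.py b/app/old.py
deleted file mode 100644
--- a/app/old.py
+++ /dev/null
@@ -1,2 +0,0 @@
-def unused():
-    pass
"""


def split_diff_by_file(unified_diff: str) -> dict[str, str]:
    """Split a git-style unified diff into per-file chunks keyed by path.

    Assumes each file starts with a 'diff --git' header (as produced by git diff).
    The path comes from the '+++ b/<path>' line; for deleted files, where that
    line reads '+++ /dev/null', it falls back to '--- a/<path>'."""
    chunks: dict[str, str] = {}
    for block in re.split(r"(?m)^(?=diff --git )", unified_diff):
        if not block.startswith("diff --git "):
            continue  # text before the first header, or an empty split result
        m = (re.search(r"(?m)^\+\+\+ b/(.+?)\s*$", block)
             or re.search(r"(?m)^--- a/(.+?)\s*$", block))
        if m is None:
            raise ValueError("file block without ---/+++ headers: " + block.splitlines()[0])
        chunks[m.group(1)] = block
    return chunks


def review_units(unified_diff: str, max_lines: int = 1000) -> list[tuple[str, str, bool]]:
    """One review unit per file: (path, chunk, too_large).

    too_large marks chunks over max_lines so the caller can skip or split them
    further instead of sending an oversized diff that yields a shallow review."""
    return [
        (path, chunk, len(chunk.splitlines()) > max_lines)
        for path, chunk in split_diff_by_file(unified_diff).items()
    ]


def postable(findings: list[dict], threshold: str = "medium") -> list[dict]:
    """Keep only findings at or above the severity threshold (the page suggests medium)."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


if __name__ == "__main__":
    for path, chunk, too_large in review_units(SAMPLE_DIFF):
        note = " (too large, skipped)" if too_large else ""
        print(f"{path}: {len(chunk.splitlines())} lines{note}")
    # Constructed findings, as the model might return them for app/io.py.
    findings = [
        {"line": 22, "severity": "medium", "summary": "Write call result discarded"},
        {"line": 23, "severity": "info", "summary": "Explicit flush() before close is unnecessary"},
    ]
    for f in postable(findings):
        print(f"would post: line {f['line']} [{f['severity']}] {f['summary']}")
```

Per-file chunks also keep the `line` field meaningful: a finding's line number refers to the new version of one file, which is only unambiguous when each model call sees a single file's hunks.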


## What this example uses

Tags: `<instructions>` `<format>`

Patterns: structured output


