minimachine.
Step 24 · Working well Intermediate · 13 min

🔎 Review, audit, secure

The agent writes fast, your job becomes checking its work. Best practices for reviewing a diff, auditing quality, and putting security through the wringer, with Claude Code or any agent.


An agent produces code at a dizzying speed. That’s its strength, and it’s precisely what shifts your role. You’re no longer the one typing every line; you’re the one who checks. And code generated fast, abundantly, and confidently deserves exactly the same care in review as code written by hand. Maybe more, because the agent never doubts itself.

Good news: the agent is also an excellent verification tool. You turn it against its own work. Here are the three passes to make a reflex.

1. Systematic diff review

The golden rule, repeated everywhere on this site: you read the diff before accepting it. git diff shows you exactly what changed, including files the agent touched that you never asked about. You approve only what you understand; for the rest, you ask “why this choice?”

But you can also hand the first pass to a dedicated agent, a reviewer that hunts down what a tired eye lets slip through. Run it in a fresh session where possible, so it does not inherit the assumptions that produced the code in the first place:

Claude Code offers a built-in diff review, and you can turn it into a command of your own (a /review skill, see Skills):

/review

Or ask for it in plain language: “review the current diff against the base branch, list bugs and regressions by file:line, don’t fix anything without my approval.”
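Before the agent (or you) reads the diff, a mechanical first pass can point the review at the lines that most often hide trouble. The script below is an added example, not code from the minimachine page or from Claude Code: it parses a unified diff, tracks line numbers in the new file, and reports added lines matching a handful of illustrative patterns (plaintext secrets, shell=True, SQL assembled from strings, disabled TLS verification, and so on) as file:line. The sample diff at the bottom is constructed for the demonstration; the pattern list and file names are assumptions to adapt to your own stack.

```python
"""Pre-review triage of a unified diff.

Added example (not from the minimachine page or Claude Code): reads the output
of `git diff <base>...HEAD` (or any unified diff) and reports, as file:line,
added lines that match patterns a tired reviewer tends to skim past. It is a
first pass to point the human review at the right places, not a verdict.
"""
import re
import sys

# Illustrative patterns for a Python/web code base; adapt to your own stack.
RISKY_PATTERNS = [
    ("hardcoded secret",
     re.compile(r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"][^'\"]{8,}")),
    ("shell=True", re.compile(r"shell\s*=\s*True")),
    ("eval/exec", re.compile(r"\b(eval|exec)\s*\(")),
    ("SQL built from a string",
     re.compile(r"(?i)\bexecute(?:many)?\s*\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*(?:%|\+))")),
    ("TLS verification disabled", re.compile(r"verify\s*=\s*False")),
    ("world-writable permissions", re.compile(r"chmod\s*\(.*0o?7[67]7")),
    ("binds to all interfaces", re.compile(r"['\"]0\.0\.0\.0['\"]")),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def triage_diff(diff_text):
    """Return [(file, new_line_number, label, added_line), ...] for risky additions."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # git prints "+++ b/<path>" for the new file, "+++ /dev/null" for a deletion
            path = raw[4:].strip()
            current_file = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith(("--- ", "diff ", "index ", "\\ ")):
            continue  # old-file header, file header, blob ids, "\ No newline at end of file"
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number of the hunk in the new file
            continue
        if raw.startswith("-"):
            continue  # removed line: absent from the new file, consumes no new line number
        if raw.startswith("+"):
            added = raw[1:]
            for label, pattern in RISKY_PATTERNS:
                if pattern.search(added):
                    findings.append((current_file, new_line, label, added.strip()))
        # both added and unchanged (context) lines occupy a line in the new file
        new_line += 1
    return findings


def format_findings(findings):
    """Render findings as 'file:line  label  code', a shape a reviewer can jump to."""
    return [f"{f}:{n}  {label}  {code}" for f, n, label, code in findings]


# Constructed sample diff for the demonstration; not taken from any real repository.
SAMPLE_DIFF = """\
diff --git a/app/db.py b/app/db.py
index 1111111..2222222 100644
--- a/app/db.py
+++ b/app/db.py
@@ -10,4 +10,6 @@ def get_user(conn, name):
     cur = conn.cursor()
-    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
+    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
+    API_KEY = "sk-live-1234567890abcdef"
+    result = subprocess.run(cmd, shell=True)
     return cur.fetchone()
"""

if __name__ == "__main__":
    # Usage: git diff main...HEAD | python triage.py   (no piped input: runs on the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for line in format_findings(triage_diff(text)):
        print(line)
```

The three-dot form `git diff main...HEAD` diffs from the merge base, so only the branch's own changes are scanned. The output is deliberately noisy in the direction of false positives: every hit is a place to read carefully, and the human still decides.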

2. The quality audit

Beyond bugs, there’s the health of the code: is it readable, maintainable, tested? Ask for a quality audit regularly; the agent is good at spotting what is slowly rotting:

  • Duplication and dead code: copy-paste to factor out, functions that no longer serve a purpose.
  • Complexity: sprawling functions, unreadable nesting, anything that would benefit from being broken up.
  • Naming and consistency: misleading names, conventions going in every direction.
  • Test coverage: what isn’t tested and should be.

3. The security audit

This is the pass that gets skipped too often, and the one that hurts most when you neglect it, especially on a machine reachable from the outside. Before putting anything online, explicitly ask for a security review:

Run a targeted audit

“Do a security review of this code. Look for: injections (SQL, commands), secrets in plain text, vulnerable dependencies, unvalidated inputs, overly broad permissions, and anything exposed without authentication. Rank by severity.”

Check the sensitive spots by hand

The agent’s audit does the rough work, but cross-check what matters yourself: no secret in the code (see Securing access), user input validated and handed to databases and shells as parameters or argument lists rather than pasted into query or command strings, and nothing publicly exposed that shouldn’t be. When the agent proposes a fix for a finding, ask it for a test that reproduces the issue before the fix and passes after, so you are not taking the fix on faith.
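To make the hand check concrete, here is an added example (not code from the minimachine page) showing two of those sensitive spots in their vulnerable and hardened forms. It runs against an in-memory SQLite table with constructed sample users and constructed attack inputs; the ping command is only assembled, never executed. The function and table names are assumptions for the demonstration.

```python
"""Vulnerable and hardened forms of two 'sensitive spots' from the audit.

Added example (not from the minimachine page): shows why 'escaping user input'
is the wrong mental model for SQL and shell commands. Parameters and argument
lists keep data out of the code path entirely. Runs on an in-memory SQLite
database; the ping command is built but never executed.
"""
import ipaddress
import sqlite3


def make_db():
    """Constructed sample table: three users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name):
    """Query text assembled with an f-string: the value is parsed as SQL."""
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds the value; it can never alter the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def build_ping_unsafe(host):
    """One string destined for shell=True: a ';' in the input starts a second command."""
    return f"ping -c 1 {host}"


def build_ping_safe(host):
    """Validate the input against what it is supposed to be, then keep the
    command as an argument list for subprocess.run(argv) with shell=False:
    the host is a single argv entry no matter what characters it contains."""
    ipaddress.ip_address(host)  # raises ValueError for anything that is not an IP literal
    return ["ping", "-c", "1", host]


# Constructed attack inputs
SQL_PAYLOAD = "nobody' OR '1'='1"
SHELL_PAYLOAD = "127.0.0.1; cat /etc/passwd"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_user_unsafe(db, SQL_PAYLOAD))   # every row comes back
    print("safe:  ", find_user_safe(db, SQL_PAYLOAD))     # no such user: []
    print("unsafe:", build_ping_unsafe(SHELL_PAYLOAD))    # two commands in one string
    try:
        build_ping_safe(SHELL_PAYLOAD)
    except ValueError as exc:
        print("safe:   rejected:", exc)
```

The point to carry over to the audit: look for the shape of the call (string formatting feeding execute or a shell), not for a missing escape function. The safe versions do not sanitize the payload, they make it structurally impossible for it to become code.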

Watch the dependencies

A large share of vulnerabilities arrive through third-party libraries. Ask the agent to check versions and flag known vulnerabilities, but remember that its knowledge of CVEs stops at its training cutoff: back it with a real scanner for your stack (pip-audit, npm audit, cargo audit, govulncheck), pin versions in a lockfile, and keep your dependencies up to date.

Make it a routine, not a chore

The secret is that these three passes cost you almost nothing once you automate them. Turn them into skills you trigger with a single command (/review, /audit, /security), or into systematic steps before every deployment. Many agents already ship ready-made review commands; use them. Automation makes the passes cheap, not optional: each finding still needs a human decision.