Code Review and Security Audit Workflows

Multi-pass code review using Plan Mode, subagent-based parallel review, /ultrareview for pre-merge quality gates, and Claude Code Security for semantic vulnerability scanning.

Quick Reference

→Plan Mode for review: pure read-only analysis — no files change, focused output
→Multi-pass review: coordinate from main session, spawn specialized subagents per concern
→/ultrareview (April 2026): cloud-based parallel multi-agent review from multiple angles
→Claude Code Security (February 2026): semantic cross-file vulnerability analysis, <5% false positive rate
→OWASP-focused review: SQL injection, XSS, auth bypass, IDOR, secrets, dependency vulns
→Automated review catches pattern violations; human review catches business logic errors
→Output format: Critical (block merge), Warning (should fix), Suggestion (optional)
→/ultrareview is broader quality; Claude Code Security is specifically for vulnerability gates

Review Modes

Claude Code supports several review modes, each suited to different review objectives. Understanding which tool to use — and when — prevents both under-reviewing (missing real issues) and over-reviewing (wasting time on automated checks that should be automated).

Mode	When to use	Scope	Duration
Plan Mode review	Quick analysis before implementation or review	Current session context	1–3 min
Subagent multi-pass	Complex changes with multiple concern dimensions	Specified files/PR	5–10 min
/ultrareview	Pre-merge gates on large features or refactors	Full PR or specified scope	10–20 min
Claude Code Security	Security gates, compliance audits, CVE triage	Full codebase or PR	5–15 min

Plan Mode is the fastest option for ad-hoc review during implementation. You're asking Claude to analyze without modifying — useful for 'does this approach have any obvious security issues?' before committing to it. The other modes are for structured pre-merge review workflows.

Plan Mode review prompt — focused scope, no file modifications

Subagent-Based Multi-Pass Review

A single review pass from a single perspective misses things. A security reviewer thinks differently than a performance reviewer. Subagent-based multi-pass review runs specialized reviewers in parallel and synthesizes findings.

/ultrareview

/ultrareview (released April 2026) is a cloud-based parallel multi-agent review that runs multiple specialized agents against your PR simultaneously. Unlike local subagent review — which runs in your current session's context window — /ultrareview agents run in the cloud with fresh full-repo context, then synthesize findings into a single structured report.

Sign in to read this article

This is a premium article. Sign in with your Google account to continue.