Which Claude code review tool should I actually use?

Three Claude reviewers ship today: a fast local /review, a cloud-sandbox multi-agent /ultrareview, and a GitHub App that runs on every PR. Pick the wrong one and you either spend $20 on a one-line typo fix or get a thirty-second eyeball-pass on a database migration.

1. /review — local, single-pass, fast

The cheapest reviewer. Runs in your current Claude Code session, against either a PR or the current diff:

/review

/review 482

No-argument form reviews your current branch’s diff against the default branch (working tree included). With a number, it pulls the PR via gh and reviews that. Output is a single pass through the diff in your session — usually seconds, sometimes a minute or two on a big diff. It costs whatever your normal session usage costs.

Use it as you iterate. The cost is low, the latency is low, the output is right there in the conversation so you can ask follow-ups (why is that line a problem?, fix the first three).

Two related siblings worth knowing about, both in the same commands reference:

• /security-review — narrows the lens to security risks (injection, auth, data exposure) on the branch diff. Same engine, tighter prompt.
• /simplify [focus] — a bundled skill that spawns three review agents in parallel on recently changed files and applies fixes, not just reports them. Useful when you want the reviewer to do the rewrite.

2. /ultrareview — cloud sandbox, multi-agent, verified

A different beast. /ultrareview runs a fleet of reviewer agents in Claude Code’s web infrastructure (a remote sandbox), each looking for a different class of issue, with a verification step that reproduces findings against the actual code before reporting them. Requires Claude Code v2.1.86+.

Two invocations:

/ultrareview

/ultrareview 1234

No-argument form bundles your local working tree (uncommitted changes included) and uploads it to the sandbox. PR mode (/ultrareview <PR#>) clones from github.com directly and requires the repo to have a GitHub remote.

Before launching, Claude shows a confirmation dialog with scope, remaining free runs, and estimated cost. After you confirm, the review continues as a background task — you can keep using your session, kick off other commands, or close the terminal. Track it via:

/tasks

A review takes 5 to 10 minutes. Findings come back as a notification with file location + explanation per bug.

For CI and scripting, the same machinery has a non-interactive form:

claude ultrareview                # current branch vs default
claude ultrareview 1234           # PR mode
claude ultrareview origin/main    # diff against an explicit base

Add --json for the raw bugs.json or --timeout 45 to extend the default 30-minute wait. Stdout stays parseable; progress + the live session URL go to stderr.

Pricing matters: /ultrareview bills against extra usage, not your plan’s included usage. Pro and Max accounts received a one-time allotment of 3 free runs that ran through May 5, 2026 — that window has closed; every run now bills as extra usage. Team and Enterprise never had free runs. Each review is roughly $5–$20 depending on the size of the change. Extra usage must be enabled on the account before a paid run will launch; the launcher links you to billing settings if it isn’t.

Use /ultrareview when you’re about to merge a substantial change and want pre-merge confidence — a deeper pass than a single-shot review, with verified findings instead of a wall of speculative comments.

3. Code Review GitHub App — managed, runs on every PR

A different surface entirely. Code Review is a Claude-managed GitHub App that an admin installs on your GitHub org. Once enabled per repo, it runs the same multi-agent + verification pattern as /ultrareview, but tied to GitHub’s PR lifecycle: it triggers on PR open, on every push, or only on demand (admin’s choice per repo). Findings post as inline comments on the diff lines where the issues live, with a severity tag:

• 🔴 Important — bug to fix before merge
• 🟡 Nit — minor, worth fixing but not blocking
• 🟣 Pre-existing — bug found in surrounding code, not introduced by this PR

It’s research preview, Team and Enterprise plans only, and unavailable to orgs with Zero Data Retention. Setup is at claude.ai/admin-settings/claude-code → Code Review → install the GitHub App → pick repos → set per-repo trigger. Costs $15–$25 per review on average, billed as extra usage, scaling with PR size.

Two manual triggers work in any mode (Important: post as a top-level PR comment, not an inline reply):

@claude review        <!-- subscribes the PR to push-triggered reviews going forward -->
@claude review once   <!-- one-shot; no subscription -->

The check run never blocks merges (it always reports neutral). If you want to gate merging on findings, parse the severity table from the check-run output:

REPO="$(gh repo view --json nameWithOwner -q .nameWithOwner)"
CHECK_RUN_ID="$(gh api "repos/${REPO}/commits/HEAD/check-runs" \
  --jq '.check_runs[] | select(.name=="Claude Code Review") | .id' | head -1)"

gh api "repos/${REPO}/check-runs/${CHECK_RUN_ID}" \
  --jq '.output.text | split("bughunter-severity: ")[1] | split(" -->")[0] | fromjson'

Returns something like {"normal": 2, "nit": 1, "pre_existing": 0} — the normal key is the count of 🔴 Important findings. Fail your CI step when normal > 0.

Customize what gets flagged by adding REVIEW.md at the repo root. Its contents are pasted verbatim into every reviewer agent’s system prompt as the highest-priority instruction block — so a rule there is more reliable than the same rule buried in a long CLAUDE.md. Use it to define what “Important” means for your repo, cap nit volume, list paths to skip, and add repo-specific checks.

4. The picking guide

The decision is mostly about cadence and depth: are you iterating (/review), about to merge a substantial change (/ultrareview), or trying to make every PR get reviewed without anyone remembering to run the command (Code Review App)?

Footguns

/ultrareview charges the moment the remote session starts. A run counts the second the cloud sandbox boots, not when it produces findings. If you confirm the dialog and then realize you wanted a different scope and stop the task, the run is gone — billed to extra usage either way. Confirm the scope in the dialog before clicking through — it shows file and line counts on branch reviews, and the PR number on PR mode.

Code Review on “every push” multiplies cost fast. Default per-repo trigger options are Once after PR creation, After every push, and Manual. “Every push” is great for catching new issues as the PR evolves and auto-resolving threads when you fix flagged ones — and it’s also the option that quietly turns three force-pushes into three $20 reviews. For high-traffic repos, set the trigger to Once after PR creation or Manual, and use @claude review once when you want an immediate re-review without subscribing the PR to push-triggered runs.

@claude review (without once) silently subscribes the PR. A drive-by @claude review comment doesn’t just trigger one review — it opts that PR into push-triggered reviews from then on. If your team uses Manual mode specifically to control cost, an enthusiastic reviewer can flip the bill on a single PR by typing the wrong command. The one-shot form is @claude review once. Pin that distinction in your team’s review playbook.

/ultrareview is unavailable on Bedrock, Vertex, and Foundry. It runs on Claude.ai web infrastructure and requires a Claude.ai login. The Code Review App is different — it works regardless of which cloud provider your other Claude Code traffic uses, but it always bills via Anthropic, not the cloud provider. If you’re on a cloud-provider backend specifically to keep traffic off Anthropic-managed infrastructure, the Code Review App breaks that boundary. Plan accordingly: local /review is the only one of the three that strictly stays on your chosen backend.

Inline review comments can silently drop on diff hunk movement. If you push to a PR while a Code Review run is in progress, findings that referenced lines that no longer exist in the current diff get dumped under an Additional findings heading in the review body text — not on the diff. The check-run Details still has them in the severity table, and the Files changed annotations also remain, but a developer skimming inline comments will miss them. If a teammate says “the review found nothing,” check the review body and the check-run Details before believing it.

When NOT to use these

• You want a code review the build can fail on. None of these block by default — Code Review’s check run always reports neutral, /ultrareview is async and produces text findings, /review is conversational. To gate merges on findings, parse the Code Review check-run severity table in your own CI step and fail when normal > 0. The reviewers themselves are signal, not enforcement.
• You want one of them to actually fix the code, not just report. Use /simplify instead — it’s the bundled skill that spawns review agents in parallel and applies fixes. The three tools above report; /simplify rewrites.
• You’re on Bedrock, Vertex, or Foundry and want a cloud-grade pass. /ultrareview requires Claude.ai authentication and isn’t available to those backends. The Code Review App works regardless of the backend, but it bills via Anthropic — read the previous footgun before opting in. If neither fits, self-host Claude in GitHub Actions or GitLab CI for a custom workflow.
• Your repo cannot leave your machine. /ultrareview (in either mode) and the Code Review App both run reviews in a managed cloud sandbox — the no-argument form uploads your local working tree, PR mode clones from GitHub into the same sandbox, and the GitHub App reads the GitHub-side clone. If IP, secrets, or compliance constraints forbid sending the code anywhere, local /review is the only option from this list. Reach for self-hosted CI for anything heavier.