Claude Code · Azure DevOps · Developer Productivity

I Review Pull Requests With AI From My Terminal — Here's How to Set It Up in 15 Minutes

A step-by-step guide to installing Claude Code and using it to review Azure DevOps PRs — for developers who've never touched an AI coding tool.

June 4, 2026 · Also on Medium

A colleague stopped by my desk last month, watched me paste a PR URL into my terminal, and said: "what the hell was that?" I'd just given a 40-file diff a thorough first pass in under three minutes. He'd been staring at the same PR for twenty.

I'm a technical architect. I review pull requests on Azure DevOps every day. For the past few months I've been using Claude Code — Anthropic's terminal-based AI coding tool — to do the first pass automatically. It fetches the diff via the Azure DevOps API, reads every changed file, spots issues I'd be likely to miss at 4pm on a Friday, and posts review comments directly to the PR thread. Not a summary. Actual inline comments, on specific files and lines.

There's no beginner guide for this specific workflow. Most AI-in-coding articles assume you're building something new. This one assumes you want to review code faster. Here's the full setup, from zero to posting review comments on Azure DevOps, in roughly 15 minutes.

What is Claude Code?

Claude Code is a command-line tool made by Anthropic — the company behind the Claude family of AI models. You install it once, run it in your terminal, and talk to it in plain English.

It's not an IDE plugin. It's not a chat window you copy-paste code into. It's an agent: it has read access to your filesystem, can run shell commands, call external APIs, and write files. You describe what you want done, and it decides how to approach it.

For PR reviews, that means: you give it a pull request URL, it calls the Azure DevOps REST API to fetch the diff, reads through every changed file, applies its judgement to identify issues, and then calls the same API to post its findings as comments.

The current models available through Claude Code are Sonnet 4.6 and Opus 4.6. For most PR reviews, Sonnet handles diffs well. Opus is worth the token cost on large or complex PRs where you need deeper reasoning.

Pricing. As of June 2026 — verify at claude.ai/pricing before committing, as Anthropic adjusts plans regularly:

• Pro: $20/month with usage limits. Fine for light use.
• Max 5x: $100/month — 5× the Pro token budget. The practical starting point for a developer running reviews daily.
• Max 20x: $200/month — 20× the Pro budget. For all-day use or teams running heavy review workflows.
• API key: Pay-per-use. Worth considering if your company has an enterprise arrangement or you want per-call billing visibility.

Prerequisites — what you need before starting

A few things need to be in place before the install.

Node.js 18 or later. Claude Code is distributed as an npm package. Check your version with node --version. If you're on 16 or below, update first.

An Anthropic account with a subscription or API key. Pro works for getting started. Max is more comfortable for sustained daily use.

An Azure DevOps Personal Access Token. This is the key piece. It's how Claude Code will read PR diffs and post review comments on your behalf, via the Azure DevOps REST API. You need two scopes: Code (Read & Write) and Pull Request Threads (Read & Write). Step 2 walks through creating one.

Git installed and configured. Claude Code should be run from inside a git repository — it uses git context to understand your codebase structure.

A terminal. Bash, Zsh, and PowerShell all work.

Step 1 — Install Claude Code

npm install -g @anthropic-ai/claude-code

One note on permissions: don't use sudo here. If you see a "permission denied" error, the correct fix is to configure npm to install global packages into a user-writable directory — typically ~/.npm-global — and add that to your PATH. The npm docs cover this under "resolving EACCES errors."

Check your Node version if the install fails:

node --version
# should output v18.0.0 or higher

If you're on a corporate network with a proxy, you may need to configure npm's proxy settings before the install reaches npm's registry. Ask your IT team for the proxy address, or try on a VPN first.

Once installed, launch Claude Code from your project directory:

cd /path/to/your/repo
claude

On first run, Claude Code opens your browser to an Anthropic login page. Sign in, authorise the app, and the terminal resumes automatically. You'll land at a prompt like:

Claude Code 1.x.x
Type / for commands, or just start typing.

>

That's the whole install. If you're using an API key instead of a subscription, set it before running claude:

export ANTHROPIC_API_KEY="sk-ant-..."

Step 2 — Set up Azure DevOps access

This is the step most AI-tooling tutorials skip because they assume you're working with local files. For this workflow, you need an Azure DevOps Personal Access Token (PAT) so Claude Code can call the REST API to fetch PR diffs and post comments.

Create the token:

1. Go to dev.azure.com and sign in to your organisation
2. Click your profile picture in the top right → Personal access tokens
3. Click + New Token
4. Give it a name and set an expiry (90 days is a reasonable default; set a calendar reminder to rotate it)
5. Under Scopes, select: Code — Read & Write; Pull Request Threads — Read & Write
6. Click Create, then copy the token immediately — Azure DevOps won't show it again

Set the environment variables:

export AZURE_DEVOPS_PAT="your-token-here"
export AZURE_DEVOPS_ORG="https://dev.azure.com/your-organisation"

Add these to your ~/.zshrc or ~/.bashrc so they persist across terminal sessions:

echo 'export AZURE_DEVOPS_PAT="your-token-here"' >> ~/.zshrc
echo 'export AZURE_DEVOPS_ORG="https://dev.azure.com/your-org"' >> ~/.zshrc
source ~/.zshrc

Why this works. Claude Code doesn't have built-in Azure DevOps integration. What it has is the ability to make HTTP requests using any credentials available in its environment. When you instruct it to review a PR and post comments, it constructs REST calls to the Azure DevOps API — using your PAT as the Bearer token in the Authorization header — the same calls you'd make with curl or the az devops CLI. The key endpoints it uses:

• GET .../pullRequests/{id} — fetch PR metadata and description
• GET .../pullRequests/{id}/iterations — fetch the diff
• POST .../pullRequests/{id}/threads — create a new review thread with file and line position
• POST .../pullRequests/{id}/threads/{threadId}/comments — add a reply to a thread

Claude Code constructs these calls itself. You just provide the PR URL.

Step 3 — Your first PR review

Open a terminal in your repository directory and run claude. Then paste something like this:

Review this PR: https://dev.azure.com/myorg/myproject/_git/myrepo/pullrequest/12345

Focus on:
- Logic errors and edge cases
- Security issues (SQL injection, auth bypasses, exposed secrets)
- Missing error handling
- Code that contradicts the PR description
- Naming and readability issues

Post your review comments directly to the PR using the Azure DevOps REST API.
Use my PAT from the AZURE_DEVOPS_PAT environment variable.
For each issue, post an inline comment on the specific file and line.
At the end, post a summary comment on the PR thread.

Here's what happens over the next two to three minutes:

Claude Code calls the Azure DevOps API, fetches the PR diff, and starts reading. For a 40-file PR — the kind that would take a senior developer 20–30 minutes to review carefully — it takes roughly two to three minutes. It reads everything. It doesn't skim the smaller files and slow down on the larger ones the way a tired human reviewer does.

Then it starts posting. Each finding becomes an inline thread comment on the relevant file and line. A realistic comment on a backend service might look like this:

UserService.ts, line 147 — getUserById builds the query with string interpolation: `SELECT * FROM users WHERE id = '${userId}'`. If userId is not validated before this call — and the validation at line 89 only checks for empty string — this is a SQL injection risk. Replace with a parameterised query or use the ORM's query builder method instead.

That's a specific issue, on a specific line, with context about the upstream call. Not a generic "check your SQL queries" note.

After the inline comments, Claude Code posts a summary to the PR thread covering what it reviewed, what it found, and what it deliberately skipped (generated files, migrations, lock files — if you told it to).

A 40-file PR that used to take me 25 minutes to review now gets a thorough first pass in about three minutes. The pass isn't perfect — I'll come back to what it misses — but it catches the mechanical layer reliably.

What I've learned after months of AI PR reviews

The honest assessment, not the sales pitch.

What it catches reliably. Null checks and missing defensive guards. Unhandled promise rejections and async errors swallowed in empty catch blocks. String-interpolated SQL queries. Hardcoded credentials or API keys committed to configuration files. Mismatches between what the PR description says it does and what the code actually does — a particularly useful check when a PR description hasn't been updated after a scope change.

On large PRs, the fatigue resistance is the underrated benefit. A human reviewer reads the first 15 files carefully and the last 10 quickly. Claude Code reads file 35 with the same attention as file 1.

What it gets wrong. It doesn't know your architecture. It can't tell whether using a singleton here is an intentional design trade-off your team made two years ago or a careless choice. It doesn't know that LegacyReportingService.cs is a read-only compatibility layer that hasn't been touched in three years and shouldn't be touched now either.

Tone is also variable. Some comments are well-calibrated. Others are too formal or too pedantic in a way that would annoy the PR author rather than help them.

My rule. Claude Code does the first pass. I do the second. It handles the mechanical layer so I can focus on the design questions — the ones that require understanding why the code is the way it is. I still approve or request changes. The AI doesn't have merge authority, and it shouldn't.

Tips to get better reviews

Be specific in your prompt. "Focus on security and error handling in the authentication module" gets better results than "review this PR." The more precisely you describe what matters, the more the review focuses on what's actually risky in this specific change.

Include domain context. "This is a payment processing service that handles PCI-scoped card data" isn't overhead — it changes what Claude Code treats as high-severity. A hardcoded test key in a utility library is a Low finding. The same key anywhere near a payment flow is Critical.

Use a CLAUDE.md file. This is a persistent instruction file that Claude Code reads automatically when it starts a session in a directory. Put your team's coding conventions, architectural decisions, and known patterns there. For a .NET team that prohibits synchronous I/O in the service layer, putting that rule in CLAUDE.md means every PR gets reviewed against it automatically — without you mentioning it each time.

Skip generated files on large PRs. For PRs with 50 or more files, tell Claude Code explicitly: "focus on the business logic files, skip EF migrations, package-lock files, auto-generated API clients, and resource files." Otherwise it will read every file — which is thorough, but review time increases and findings on generated files are rarely useful.

Iterate within the session. If the review misses something you spotted, say so directly: "you missed the race condition in OrderProcessor.cs — there's no lock around the _activeOrders dictionary in the ProcessBatch method." Claude Code will pick it up and post the additional comment. The session retains context, so follow-up prompts are fast.

The setup is 15 minutes. The workflow shift takes longer.

This isn't about replacing human reviewers. The decisions that actually require engineering judgement — trade-offs between approaches, code that encodes six months of production incident learning, choices that are technically wrong but correct for your specific system — those still need a human who understands the context.

What the setup does is remove the mechanical layer from my plate. The null checks, the error handling gaps, the security antipatterns — I stopped finding those at 4pm on a Friday. Claude Code finds them at 9am, before anyone's eyes are glazing over.

The quality of our actual review discussions has gone up, because they're not about "you forgot to handle the null case." They're about whether the approach is right.

I've written about other Claude Code setups on Medium and here on nakrosis.com — including an Azure cost investigator and a pre-merge spec-review skill. If you try this setup, I'd like to hear how it goes. Find me on LinkedIn.

Written with Claude Code. The code is the artefact; the article is the receipt.