Show your priorities: "Security first — injection, XSS, missing auth checks. Then correctness — error handling, edge cases, test coverage. Then maintainability — naming, complexity, coupling. I automate style and type checking so reviews focus on design."
Systematic review: start with the big picture (does the approach make sense?), then check details. Common issues to flag: SQL injection or XSS vulnerabilities, missing input validation at boundaries, N+1 query patterns, improper error handling (empty catches, swallowed exceptions), hardcoded configuration, untested edge cases, naming that obscures intent, unnecessary complexity, and missing type declarations. Process: read the PR description first, check that tests exist and cover the change, review the diff file by file, and comment constructively with alternatives. Strong candidates discuss: automated checks (CI running PHPStan, tests, and style checks) that free up human reviewers for logic and design questions, the balance between thoroughness and turnaround time, and how to give feedback that teaches rather than just corrects.
Tests professional collaboration skills. Candidates who only check for style issues are not catching real problems. Those with a systematic approach that prioritises security and correctness produce higher-quality code through reviews.