Code Review Checklist

Overview

Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.

When to Use This Skill

Use when reviewing pull requests
Use when conducting code audits
Use when establishing code review standards for a team
Use when training new developers on code review practices
Use when you want to ensure nothing is missed in reviews
Use when creating code review documentation

How It Works

Step 1: Understand the Context

Before reviewing code, I'll help you understand:

What problem does this code solve?
What are the requirements?
What files were changed and why?
Are there related issues or tickets?
What's the testing strategy?

Step 2: Review Functionality

Check if the code works correctly:

Does it solve the stated problem?
Are edge cases handled?
Is error handling appropriate?
Are there any logical errors?
Does it match the requirements?

Step 3: Review Code Quality

Assess code maintainability:

Is the code readable and clear?
Are names descriptive?
Is it properly structured?
Are functions/methods focused?
Is there unnecessary complexity?

Step 4: Review Security

Check for security issues:

Are inputs validated?
Is sensitive data protected?
Are there SQL injection risks?
Is authentication/authorization correct?
Are dependencies secure?

Step 5: Review Performance

Look for performance issues:

Are there unnecessary loops?
Is database access optimized?
Are there memory leaks?
Is caching used appropriately?
Are there N+1 query problems?

Step 6: Review Tests

Verify test coverage:

Are there tests for new code?
Do tests cover edge cases?
Are tests meaningful?
Do all tests pass?
Is test coverage adequate?

Examples

Example 1: Functionality Review Checklist

## Functionality Review

### Requirements
- [ ] Code solves the stated problem
- [ ] All acceptance criteria are met
- [ ] Edge cases are handled
- [ ] Error cases are handled
- [ ] User input is validated

### Logic
- [ ] No logical errors or bugs
- [ ] Conditions are correct (no off-by-one errors)
- [ ] Loops terminate correctly
- [ ] Recursion has proper base cases
- [ ] State management is correct

### Error Handling
- [ ] Errors are caught appropriately
- [ ] Error messages are clear and helpful
- [ ] Errors don't expose sensitive information
- [ ] Failed operations are rolled back
- [ ] Logging is appropriate

### Example Issues to Catch:

**❌ Bad - Missing validation:**
\`\`\`javascript
function createUser(email, password) {
  // No validation!
  return db.users.create({ email, password });
}
\`\`\`

**✅ Good - Proper validation:**
\`\`\`javascript
function createUser(email, password) {
  if (!email || !isValidEmail(email)) {
    throw new Error('Invalid email address');
  }
  if (!password || password.length < 8) {
    throw new Error('Password must be at least 8 characters');
  }
  return db.users.create({ email, password });
}
\`\`\`

Example 2: Security Review Checklist

## Security Review

### Input Validation
- [ ] All user inputs are validated
- [ ] SQL injection is prevented (use parameterized queries)
- [ ] XSS is prevented (escape output)
- [ ] CSRF protection is in place
- [ ] File uploads are validated (type, size, content)

### Authentication & Authorization
- [ ] Authentication is required where needed
- [ ] Authorization checks are present
- [ ] Passwords are hashed (never stored plain text)
- [ ] Sessions are managed securely
- [ ] Tokens expire appropriately

### Data Protection
- [ ] Sensitive data is encrypted
- [ ] API keys are not hardcoded
- [ ] Environment variables are used for secrets
- [ ] Personal data follows privacy regulations
- [ ] Database credentials are secure

### Dependencies
- [ ] No known vulnerable dependencies
- [ ] Dependencies are up to date
- [ ] Unnecessary dependencies are removed
- [ ] Dependency versions are pinned

### Example Issues to Catch:

**❌ Bad - SQL injection risk:**
\`\`\`javascript
const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
db.query(query);
\`\`\`

**✅ Good - Parameterized query:**
\`\`\`javascript
const query = 'SELECT * FROM users WHERE email = $1';
db.query(query, [email]);
\`\`\`

**❌ Bad - Hardcoded secret:**
\`\`\`javascript
const API_KEY = 'sk_live_abc123xyz';
\`\`\`

**✅ Good - Environment variable:**
\`\`\`javascript
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY environment variable is required');
}
\`\`\`

Example 3: Code Quality Review Checklist

## Code Quality Review

### Readability
- [ ] Code is easy to understand
- [ ] Variable names are descriptive
- [ ] Function names explain what they do
- [ ] Complex logic has comments
- [ ] Magic numbers are replaced with constants

### Structure
- [ ] Functions

code-review-checklist

Documentation

Code Review Checklist

Overview

When to Use This Skill

How It Works

Step 1: Understand the Context

Step 2: Review Functionality

Step 3: Review Code Quality

Step 4: Review Security

Step 5: Review Performance

Step 6: Review Tests

Examples

Example 1: Functionality Review Checklist

Example 2: Security Review Checklist

Example 3: Code Quality Review Checklist

Use Cases

Quick Info

Tags

Related Skills

ab-test-setup

airflow-dag-patterns

algorithmic-art