Code Review Skill

You now have expertise in conducting comprehensive code reviews. Follow this structured approach:

Review Checklist

1. Security (Critical)

Check for:

• Injection vulnerabilities: SQL, command, XSS, template injection
• Authentication issues: Hardcoded credentials, weak auth
• Authorization flaws: Missing access controls, IDOR
• Data exposure: Sensitive data in logs, error messages
• Cryptography: Weak algorithms, improper key management
• Dependencies: Known vulnerabilities (check with npm audit, pip-audit)

1# Quick security scans
2npm audit                    # Node.js
3pip-audit                    # Python
4cargo audit                  # Rust
5grep -r "password\|secret\|api_key" --include="*.py" --include="*.js"

2. Correctness

Check for:

• Logic errors: Off-by-one, null handling, edge cases
• Race conditions: Concurrent access without synchronization
• Resource leaks: Unclosed files, connections, memory
• Error handling: Swallowed exceptions, missing error paths
• Type safety: Implicit conversions, any types

3. Performance

Check for:

• N+1 queries: Database calls in loops
• Memory issues: Large allocations, retained references
• Blocking operations: Sync I/O in async code
• Inefficient algorithms: O(n^2) when O(n) possible
• Missing caching: Repeated expensive computations

4. Maintainability

Check for:

• Naming: Clear, consistent, descriptive
• Complexity: Functions > 50 lines, deep nesting > 3 levels
• Duplication: Copy-pasted code blocks
• Dead code: Unused imports, unreachable branches
• Comments: Outdated, redundant, or missing where needed

5. Testing

Check for:

• Coverage: Critical paths tested
• Edge cases: Null, empty, boundary values
• Mocking: External dependencies isolated
• Assertions: Meaningful, specific checks

Review Output Format

 1## Code Review: [file/component name]
 2
 3### Summary
 4[1-2 sentence overview]
 5
 6### Critical Issues
 71. **[Issue]** (line X): [Description]
 8   - Impact: [What could go wrong]
 9   - Fix: [Suggested solution]
10
11### Improvements
121. **[Suggestion]** (line X): [Description]
13
14### Positive Notes
15- [What was done well]
16
17### Verdict
18[ ] Ready to merge
19[ ] Needs minor changes
20[ ] Needs major revision

Common Patterns to Flag

Python

 1# Bad: SQL injection
 2cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
 3# Good:
 4cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
 5
 6# Bad: Command injection
 7os.system(f"ls {user_input}")
 8# Good:
 9subprocess.run(["ls", user_input], check=True)
10
11# Bad: Mutable default argument
12def append(item, lst=[]):  # Bug: shared mutable default
13# Good:
14def append(item, lst=None):
15    lst = lst or []

JavaScript/TypeScript

 1// Bad: Prototype pollution
 2Object.assign(target, userInput)
 3// Good:
 4Object.assign(target, sanitize(userInput))
 5
 6// Bad: eval usage
 7eval(userCode)
 8// Good: Never use eval with user input
 9
10// Bad: Callback hell
11getData(x => process(x, y => save(y, z => done(z))))
12// Good:
13const data = await getData();
14const processed = await process(data);
15await save(processed);

Review Commands

 1# Show recent changes
 2git diff HEAD~5 --stat
 3git log --oneline -10
 4
 5# Find potential issues
 6grep -rn "TODO\|FIXME\|HACK\|XXX" .
 7grep -rn "password\|secret\|token" . --include="*.py"
 8
 9# Check complexity (Python)
10pip install radon && radon cc . -a
11
12# Check dependencies
13npm outdated  # Node
14pip list --outdated  # Python

Review Workflow

1. Understand context: Read PR description, linked issues
2. Run the code: Build, test, run locally if possible
3. Read top-down: Start with main entry points
4. Check tests: Are changes tested? Do tests pass?
5. Security scan: Run automated tools
6. Manual review: Use checklist above
7. Write feedback: Be specific, suggest fixes, be kind