code-review

ServiceNow Code Review Checklist

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "code-review" with this command: npx skills add groeimetai/snow-flow/groeimetai-snow-flow-code-review

ServiceNow Code Review Checklist

Use this checklist when reviewing ServiceNow server-side code (Business Rules, Script Includes, Scheduled Jobs, etc.).

  1. ES5 Compliance (CRITICAL)

// CHECK FOR THESE ES6+ VIOLATIONS: const x = 5; // ❌ Use var let items = []; // ❌ Use var () => {} // ❌ Use function() template ${var} // ❌ Use 'string ' + var for (x of arr) // ❌ Use traditional for loop {a, b} = obj // ❌ Use obj.a, obj.b

Action: Flag ALL ES6+ syntax as CRITICAL errors.

  1. Security Issues

2.1 SQL/GlideRecord Injection

// ❌ DANGEROUS - User input directly in query gr.addEncodedQuery(userInput) gr.addQuery("field", userInput) // OK if validated

// ✅ SAFE - Validate and sanitize var safeInput = new GlideSysAttachment().cleanFileName(userInput) gr.addQuery("field", safeInput)

2.2 Cross-Site Scripting (XSS)

// ❌ DANGEROUS - Unescaped output gs.addInfoMessage(userInput)

// ✅ SAFE - Escape HTML gs.addInfoMessage(GlideStringUtil.escapeHTML(userInput))

2.3 Access Control

// ❌ MISSING - No ACL check var gr = new GlideRecord("sys_user") gr.get(userProvidedSysId)

// ✅ SAFE - Check permissions var gr = new GlideRecord("sys_user") if (gr.get(userProvidedSysId) && gr.canRead()) { // Process record }

2.4 Sensitive Data Exposure

// ❌ DANGEROUS - Logging sensitive data gs.info("Password: " + password) gs.info("API Key: " + apiKey)

// ✅ SAFE - Never log credentials gs.info("Authentication attempt for user: " + username)

  1. Performance Issues

3.1 Queries in Loops

// ❌ SLOW - N+1 query problem for (var i = 0; i < userIds.length; i++) { var gr = new GlideRecord("sys_user") gr.get(userIds[i]) // Query for each user! }

// ✅ FAST - Single query var gr = new GlideRecord("sys_user") gr.addQuery("sys_id", "IN", userIds.join(",")) gr.query() while (gr.next()) {}

3.2 Missing setLimit()

// ❌ SLOW - Could return millions of records var gr = new GlideRecord("incident") gr.query()

// ✅ FAST - Limit results var gr = new GlideRecord("incident") gr.setLimit(1000) gr.query()

3.3 Unnecessary Queries

// ❌ WASTEFUL - Query just to check existence var gr = new GlideRecord("incident") gr.addQuery("number", incNumber) gr.query() if (gr.getRowCount() > 0) { }

// ✅ EFFICIENT - Use get() for single record var gr = new GlideRecord("incident") if (gr.get("number", incNumber)) { }

3.4 GlideRecord vs GlideAggregate

// ❌ SLOW - Counting with loop var count = 0 var gr = new GlideRecord("incident") gr.addQuery("active", true) gr.query() while (gr.next()) count++

// ✅ FAST - Use GlideAggregate var ga = new GlideAggregate("incident") ga.addQuery("active", true) ga.addAggregate("COUNT") ga.query() var count = ga.next() ? ga.getAggregate("COUNT") : 0

  1. Code Quality Issues

4.1 Hard-coded sys_ids

// ❌ BAD - Hard-coded sys_id (breaks across instances) var assignmentGroup = "681ccaf9c0a8016400b98a06818d57c7"

// ✅ GOOD - Use property or lookup var assignmentGroup = gs.getProperty("my.default.assignment.group") // OR var gr = new GlideRecord("sys_user_group") if (gr.get("name", "Service Desk")) { var assignmentGroup = gr.getUniqueValue() }

4.2 Magic Numbers/Strings

// ❌ BAD - Magic numbers if (current.state == 6) { } if (current.priority == 1) { }

// ✅ GOOD - Named constants or comments var STATE_RESOLVED = 6 var PRIORITY_CRITICAL = 1 if (current.state == STATE_RESOLVED) { }

4.3 Missing Error Handling

// ❌ BAD - No error handling var response = request.execute() var data = JSON.parse(response.getBody())

// ✅ GOOD - Proper error handling try { var response = request.execute() var status = response.getStatusCode() if (status != 200) { gs.error("API call failed: " + status) return null } var data = JSON.parse(response.getBody()) } catch (e) { gs.error("Exception: " + e.message) return null }

4.4 Proper Logging

// ❌ BAD - No context in logs gs.info("Error occurred")

// ✅ GOOD - Contextual logging gs.info("[MyScriptInclude.process] Processing incident: " + current.number + ", user: " + gs.getUserName())

  1. Business Rule Specific

5.1 Recursion Prevention

// ❌ DANGEROUS - Can cause infinite loop current.update() // In a Before rule

// ✅ SAFE - Use workflow control current.setWorkflow(false) current.update() current.setWorkflow(true)

5.2 Appropriate Rule Type

// ❌ WRONG - Heavy processing in Before rule // Before rules should be fast!

// ✅ RIGHT - Use Async for heavy operations // Move integrations and heavy processing to Async rules

  1. Review Output Format

When reviewing code, structure your feedback as:

Code Review Summary

Critical Issues (Must Fix)

  1. [SECURITY] Description...
  2. [ES5] Description...

Performance Issues (Should Fix)

  1. [PERF] Description...

Code Quality (Nice to Have)

  1. [QUALITY] Description...

Positive Observations

  • Good use of...
  • Well-structured...
  1. Severity Levels

Level Action Examples

CRITICAL Must fix before deployment Security vulnerabilities, ES6 syntax

HIGH Should fix Performance issues, missing error handling

MEDIUM Recommend fixing Code quality, hard-coded values

LOW Consider fixing Style, minor improvements

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

client-scripts

No summary provided by upstream source.

Repository SourceNeeds Review
-49
groeimetai
Coding

mobile-development

No summary provided by upstream source.

Repository SourceNeeds Review
-49
groeimetai
General

predictive-intelligence

No summary provided by upstream source.

Repository SourceNeeds Review
-66
groeimetai