code-review

You now have expertise in conducting comprehensive code reviews. Follow this structured approach:

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "code-review" with this command: npx skills add lyq-lin/ycode.cli/lyq-lin-ycode-cli-code-review

Code Review Skill

Review Checklist

  1. Security (Critical)

Check for:

  • Injection vulnerabilities: SQL, command, XSS, template injection

  • Authentication issues: Hardcoded credentials, weak auth

  • Authorization flaws: Missing access controls, IDOR

  • Data exposure: Sensitive data in logs, error messages

  • Cryptography: Weak algorithms, improper key management

  • Dependencies: Known vulnerabilities (check with npm audit, pip-audit)

Quick security scans

npm audit      # Node.js
pip-audit      # Python
cargo audit    # Rust
grep -rE "password|secret|api_key" --include="*.py" --include="*.js"
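The grep above only finds the names; a reviewer usually wants the hit tied to a line number and category, and wants lines that load the value from the environment (the accepted fix) left out of the report. The following is an added example, not part of the skill, that does exactly that over a constructed sample module. The regular expressions are illustrative assumptions, not the skill's rule set.

```python
import re

# Assumed patterns: a credential-like name followed by a quoted literal of at
# least four characters, and the header of a PEM private key. These are
# illustrative, not the skill's own rule set.
SECRET_PATTERNS = {
    "hardcoded credential": re.compile(
        r"""(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*["'][^"']{4,}["']"""
    ),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A line that reads the value from the environment is the fix, not a finding.
ENV_LOOKUP = re.compile(r"os\.environ|getenv|process\.env")


def scan_source(text: str):
    """Return (line_no, category, stripped_line) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ENV_LOOKUP.search(line):
            continue
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, category, line.strip()))
                break
    return findings


# Constructed sample module a reviewer might be handed (not real secrets).
SAMPLE = '''import os
DB_PASSWORD = "hunter2-not-a-real-secret"
api_key = os.environ["API_KEY"]          # good: loaded from the environment
token = 'abcd1234efgh5678'               # hardcoded literal
password = ""                            # empty, below the length threshold
def connect(password):
    return password
-----BEGIN RSA PRIVATE KEY-----
'''

if __name__ == "__main__":
    for line_no, category, line in scan_source(SAMPLE):
        print(f"line {line_no}: {category}: {line}")
```

Run on the sample it reports lines 2, 4 and 8 and skips line 3 (environment lookup) and line 5 (empty literal). In a real review the findings are a starting point for a manual look, since a regex cannot tell a test fixture from a production credential.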

  2. Correctness

Check for:

  • Logic errors: Off-by-one, null handling, edge cases

  • Race conditions: Concurrent access without synchronization

  • Resource leaks: Unclosed files, connections, memory

  • Error handling: Swallowed exceptions, missing error paths

  • Type safety: Implicit conversions, any types

  3. Performance

Check for:

  • N+1 queries: Database calls in loops

  • Memory issues: Large allocations, retained references

  • Blocking operations: Sync I/O in async code

  • Inefficient algorithms: O(n^2) when O(n) possible

  • Missing caching: Repeated expensive computations
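N+1 queries are easy to miss by reading and easy to prove by counting. The following is an added example, not part of the skill: it builds a constructed in-memory SQLite schema, counts statements with sqlite3's trace callback, and compares the pattern to flag (one query per author in a loop) with the single-JOIN rewrite a reviewer would suggest. The schema and data are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample schema: authors and their posts, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE author(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE post(id INTEGER PRIMARY KEY, author_id INTEGER, title TEXT);
        INSERT INTO author VALUES (1,'ann'),(2,'bob'),(3,'cy');
        INSERT INTO post VALUES (1,1,'a1'),(2,1,'a2'),(3,2,'b1'),(4,3,'c1');
    """)
    return conn


class QueryCounter:
    """Counts every SQL statement the connection executes."""

    def __init__(self, conn):
        self.count = 0
        conn.set_trace_callback(self._on_statement)

    def _on_statement(self, _sql):
        self.count += 1


def titles_n_plus_one(conn):
    """The pattern to flag: one query for the authors, then one per author."""
    result = {}
    for author_id, name in conn.execute("SELECT id, name FROM author"):
        rows = conn.execute("SELECT title FROM post WHERE author_id = ?", (author_id,))
        result[name] = [r[0] for r in rows]
    return result


def titles_single_query(conn):
    """The fix: one JOIN, grouped in Python."""
    result = {}
    rows = conn.execute(
        "SELECT a.name, p.title FROM author a "
        "LEFT JOIN post p ON p.author_id = a.id ORDER BY a.id, p.id"
    )
    for name, title in rows:
        result.setdefault(name, [])
        if title is not None:
            result[name].append(title)
    return result


def count_queries(func):
    """Run func against a fresh database; return (result, statements issued)."""
    conn = make_db()
    counter = QueryCounter(conn)
    result = func(conn)
    conn.set_trace_callback(None)
    conn.close()
    return result, counter.count


if __name__ == "__main__":
    for func in (titles_n_plus_one, titles_single_query):
        result, issued = count_queries(func)
        print(f"{func.__name__}: {issued} statement(s) -> {result}")
```

With three authors the loop version issues four statements and the JOIN version one; both return the same mapping, which is the property a reviewer checks before suggesting the rewrite. The counter technique also works as a regression test: assert the statement count stays constant as the fixture grows.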

  4. Maintainability

Check for:

  • Naming: Clear, consistent, descriptive

  • Complexity: Functions > 50 lines, deep nesting > 3 levels

  • Duplication: Copy-pasted code blocks

  • Dead code: Unused imports, unreachable branches

  • Comments: Outdated, redundant, or missing where needed
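The two complexity thresholds in the checklist (functions longer than 50 lines, nesting deeper than 3 levels) can be checked mechanically before the manual read. The following is an added example, not part of the skill, that walks a module's AST and reports functions breaking either limit. Which statement types count as a nesting level is an assumption made here; the sample source is constructed.

```python
import ast

MAX_FUNCTION_LINES = 50
MAX_NESTING = 3

# Assumption: these statements open a nesting level in the checklist's sense.
NESTING_NODES = (ast.If, ast.For, ast.While, ast.With, ast.Try,
                 ast.AsyncFor, ast.AsyncWith, ast.FunctionDef, ast.AsyncFunctionDef)


def max_nesting(node, depth=0):
    """Deepest block nesting below node; the function body itself is depth 0."""
    deepest = depth
    for child in ast.iter_child_nodes(node):
        child_depth = depth + 1 if isinstance(child, NESTING_NODES) else depth
        deepest = max(deepest, max_nesting(child, child_depth))
    return deepest


def check_complexity(source: str):
    """Return (function_name, kind, value) for each threshold violation."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            length = node.end_lineno - node.lineno + 1   # needs Python 3.8+
            if length > MAX_FUNCTION_LINES:
                findings.append((node.name, "length", length))
            depth = max_nesting(node)
            if depth > MAX_NESTING:
                findings.append((node.name, "nesting", depth))
    return findings


# Constructed sample: one fine function, one nested too deeply, one too long.
SAMPLE = (
    "def ok(x):\n"
    "    if x:\n"
    "        return 1\n"
    "    return 0\n"
    "\n"
    "def deep(items):\n"
    "    for a in items:\n"
    "        if a:\n"
    "            for b in a:\n"
    "                if b:\n"
    "                    return b\n"
    "\n"
    "def long():\n" + "    x = 1\n" * 51
)

if __name__ == "__main__":
    for name, kind, value in check_complexity(SAMPLE):
        print(f"{name}: {kind} = {value}")
```

On the sample it flags `deep` (nesting 4) and `long` (52 lines) and leaves `ok` alone. One caveat: an `elif` chain is represented as an `If` inside another `If`'s `orelse`, so this counter treats long `elif` ladders as deep nesting; decide whether that matches your team's reading of the rule before enforcing it.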

  5. Testing

Check for:

  • Coverage: Critical paths tested

  • Edge cases: Null, empty, boundary values

  • Mocking: External dependencies isolated

  • Assertions: Meaningful, specific checks

Review Output Format

Code Review: [file/component name]

Summary

[1-2 sentence overview]

Critical Issues

  1. [Issue] (line X): [Description]
    • Impact: [What could go wrong]
    • Fix: [Suggested solution]

Improvements

  1. [Suggestion] (line X): [Description]

Positive Notes

  • [What was done well]

Verdict

[ ] Ready to merge
[ ] Needs minor changes
[ ] Needs major revision

Common Patterns to Flag

Python

Bad: SQL injection

cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

Good:

cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))

Bad: Command injection

os.system(f"ls {user_input}")

Good:

subprocess.run(["ls", user_input], check=True)

Bad: Mutable default argument

def append(item, lst=[]):  # Bug: the default list is created once and shared by every call
    lst.append(item)
    return lst

Good:

def append(item, lst=None):
    lst = [] if lst is None else lst  # fresh list per call; an empty list passed by the caller is still used
    lst.append(item)
    return lst

JavaScript/TypeScript

// Bad: Prototype pollution
Object.assign(target, userInput)
// Good:
Object.assign(target, sanitize(userInput))

// Bad: eval usage
eval(userCode)
// Good: Never use eval with user input

// Bad: Callback hell
getData(x => process(x, y => save(y, z => done(z))))
// Good:
const data = await getData();
const processed = await process(data);
await save(processed);

Review Commands

Show recent changes

git diff HEAD~5 --stat
git log --oneline -10

Find potential issues

grep -rnE "TODO|FIXME|HACK|XXX" .
grep -rnE "password|secret|token" . --include="*.py"

Check complexity (Python)

pip install radon && radon cc . -a

Check dependencies

npm outdated        # Node
pip list --outdated # Python

Review Workflow

  • Understand context: Read PR description, linked issues

  • Run the code: Build, test, run locally if possible

  • Read top-down: Start with main entry points

  • Check tests: Are changes tested? Do tests pass?

  • Security scan: Run automated tools

  • Manual review: Use checklist above

  • Write feedback: Be specific, suggest fixes, be kind

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
