Code Review Checklist

1---2name: code-review-checklist3description: "Comprehensive checklist for conducting thorough code reviews covering functionality, security, performance, and maintainability"4risk: unknown5source: community6date_added: "2026-02-27"7---8 9# Code Review Checklist10 11## Overview12 13Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.14 15## When to Use This Skill16 17- Use when reviewing pull requests18- Use when conducting code audits19- Use when establishing code review standards for a team20- Use when training new developers on code review practices21- Use when you want to ensure nothing is missed in reviews22- Use when creating code review documentation23 24## How It Works25 26### Step 1: Understand the Context27 28Before reviewing code, I'll help you understand:29- What problem does this code solve?30- What are the requirements?31- What files were changed and why?32- Are there related issues or tickets?33- What's the testing strategy?34 35### Step 2: Review Functionality36 37Check if the code works correctly:38- Does it solve the stated problem?39- Are edge cases handled?40- Is error handling appropriate?41- Are there any logical errors?42- Does it match the requirements?43 44### Step 3: Review Code Quality45 46Assess code maintainability:47- Is the code readable and clear?48- Are names descriptive?49- Is it properly structured?50- Are functions/methods focused?51- Is there unnecessary complexity?52 53### Step 4: Review Security54 55Check for security issues:56- Are inputs validated?57- Is sensitive data protected?58- Are there SQL injection risks?59- Is authentication/authorization correct?60- Are dependencies secure?61 62### Step 5: Review Performance63 64Look for performance issues:65- Are there unnecessary loops?66- Is database access optimized?67- Are there memory leaks?68- Is caching used appropriately?69- Are there N+1 query problems?70 71### Step 6: Review Tests72 73Verify test coverage:74- Are there tests for new code?75- Do tests cover edge cases?76- Are tests meaningful?77- Do all tests pass?78- Is test coverage adequate?79 80## Examples81 82### Example 1: Functionality Review Checklist83 84```markdown85## Functionality Review86 87### Requirements88- [ ] Code solves the stated problem89- [ ] All acceptance criteria are met90- [ ] Edge cases are handled91- [ ] Error cases are handled92- [ ] User input is validated93 94### Logic95- [ ] No logical errors or bugs96- [ ] Conditions are correct (no off-by-one errors)97- [ ] Loops terminate correctly98- [ ] Recursion has proper base cases99- [ ] State management is correct100 101### Error Handling102- [ ] Errors are caught appropriately103- [ ] Error messages are clear and helpful104- [ ] Errors don't expose sensitive information105- [ ] Failed operations are rolled back106- [ ] Logging is appropriate107 108### Example Issues to Catch:109 110**❌ Bad - Missing validation:**111\`\`\`javascript112function createUser(email, password) {113  // No validation!114  return db.users.create({ email, password });115}116\`\`\`117 118**✅ Good - Proper validation:**119\`\`\`javascript120function createUser(email, password) {121  if (!email || !isValidEmail(email)) {122    throw new Error('Invalid email address');123  }124  if (!password || password.length < 8) {125    throw new Error('Password must be at least 8 characters');126  }127  return db.users.create({ email, password });128}129\`\`\`130```131 132### Example 2: Security Review Checklist133 134```markdown135## Security Review136 137### Input Validation138- [ ] All user inputs are validated139- [ ] SQL injection is prevented (use parameterized queries)140- [ ] XSS is prevented (escape output)141- [ ] CSRF protection is in place142- [ ] File uploads are validated (type, size, content)143 144### Authentication & Authorization145- [ ] Authentication is required where needed146- [ ] Authorization checks are present147- [ ] Passwords are hashed (never stored plain text)148- [ ] Sessions are managed securely149- [ ] Tokens expire appropriately150 151### Data Protection152- [ ] Sensitive data is encrypted153- [ ] API keys are not hardcoded154- [ ] Environment variables are used for secrets155- [ ] Personal data follows privacy regulations156- [ ] Database credentials are secure157 158### Dependencies159- [ ] No known vulnerable dependencies160- [ ] Dependencies are up to date161- [ ] Unnecessary dependencies are removed162- [ ] Dependency versions are pinned163 164### Example Issues to Catch:165 166**❌ Bad - SQL injection risk:**167\`\`\`javascript168const query = \`SELECT * FROM users WHERE email = '\${email}'\`;169db.query(query);170\`\`\`171 172**✅ Good - Parameterized query:**173\`\`\`javascript174const query = 'SELECT * FROM users WHERE email = $1';175db.query(query, [email]);176\`\`\`177 178**❌ Bad - Hardcoded secret:**179\`\`\`javascript180const API_KEY = 'sk_live_abc123xyz';181\`\`\`182 183**✅ Good - Environment variable:**184\`\`\`javascript185const API_KEY = process.env.API_KEY;186if (!API_KEY) {187  throw new Error('API_KEY environment variable is required');188}189\`\`\`190```191 192### Example 3: Code Quality Review Checklist193 194```markdown195## Code Quality Review196 197### Readability198- [ ] Code is easy to understand199- [ ] Variable names are descriptive200- [ ] Function names explain what they do201- [ ] Complex logic has comments202- [ ] Magic numbers are replaced with constants203 204### Structure205- [ ] Functions are small and focused206- [ ] Code follows DRY principle (Don't Repeat Yourself)207- [ ] Proper separation of concerns208- [ ] Consistent code style209- [ ] No dead code or commented-out code210 211### Maintainability212- [ ] Code is modular and reusable213- [ ] Dependencies are minimal214- [ ] Changes are backwards compatible215- [ ] Breaking changes are documented216- [ ] Technical debt is noted217 218### Example Issues to Catch:219 220**❌ Bad - Unclear naming:**221\`\`\`javascript222function calc(a, b, c) {223  return a * b + c;224}225\`\`\`226 227**✅ Good - Descriptive naming:**228\`\`\`javascript229function calculateTotalPrice(quantity, unitPrice, tax) {230  return quantity * unitPrice + tax;231}232\`\`\`233 234**❌ Bad - Function doing too much:**235\`\`\`javascript236function processOrder(order) {237  // Validate order238  if (!order.items) throw new Error('No items');239  240  // Calculate total241  let total = 0;242  for (let item of order.items) {243    total += item.price * item.quantity;244  }245  246  // Apply discount247  if (order.coupon) {248    total *= 0.9;249  }250  251  // Process payment252  const payment = stripe.charge(total);253  254  // Send email255  sendEmail(order.email, 'Order confirmed');256  257  // Update inventory258  updateInventory(order.items);259  260  return { orderId: order.id, total };261}262\`\`\`263 264**✅ Good - Separated concerns:**265\`\`\`javascript266function processOrder(order) {267  validateOrder(order);268  const total = calculateOrderTotal(order);269  const payment = processPayment(total);270  sendOrderConfirmation(order.email);271  updateInventory(order.items);272  273  return { orderId: order.id, total };274}275\`\`\`276```277 278## Best Practices279 280### ✅ Do This281 282- **Review Small Changes** - Smaller PRs are easier to review thoroughly283- **Check Tests First** - Verify tests pass and cover new code284- **Run the Code** - Test it locally when possible285- **Ask Questions** - Don't assume, ask for clarification286- **Be Constructive** - Suggest improvements, don't just criticize287- **Focus on Important Issues** - Don't nitpick minor style issues288- **Use Automated Tools** - Linters, formatters, security scanners289- **Review Documentation** - Check if docs are updated290- **Consider Performance** - Think about scale and efficiency291- **Check for Regressions** - Ensure existing functionality still works292 293### ❌ Don't Do This294 295- **Don't Approve Without Reading** - Actually review the code296- **Don't Be Vague** - Provide specific feedback with examples297- **Don't Ignore Security** - Security issues are critical298- **Don't Skip Tests** - Untested code will cause problems299- **Don't Be Rude** - Be respectful and professional300- **Don't Rubber Stamp** - Every review should add value301- **Don't Review When Tired** - You'll miss important issues302- **Don't Forget Context** - Understand the bigger picture303 304## Complete Review Checklist305 306### Pre-Review307- [ ] Read the PR description and linked issues308- [ ] Understand what problem is being solved309- [ ] Check if tests pass in CI/CD310- [ ] Pull the branch and run it locally311 312### Functionality313- [ ] Code solves the stated problem314- [ ] Edge cases are handled315- [ ] Error handling is appropriate316- [ ] User input is validated317- [ ] No logical errors318 319### Security320- [ ] No SQL injection vulnerabilities321- [ ] No XSS vulnerabilities322- [ ] Authentication/authorization is correct323- [ ] Sensitive data is protected324- [ ] No hardcoded secrets325 326### Performance327- [ ] No unnecessary database queries328- [ ] No N+1 query problems329- [ ] Efficient algorithms used330- [ ] No memory leaks331- [ ] Caching used appropriately332 333### Code Quality334- [ ] Code is readable and clear335- [ ] Names are descriptive336- [ ] Functions are focused and small337- [ ] No code duplication338- [ ] Follows project conventions339 340### Tests341- [ ] New code has tests342- [ ] Tests cover edge cases343- [ ] Tests are meaningful344- [ ] All tests pass345- [ ] Test coverage is adequate346 347### Documentation348- [ ] Code comments explain why, not what349- [ ] API documentation is updated350- [ ] README is updated if needed351- [ ] Breaking changes are documented352- [ ] Migration guide provided if needed353 354### Git355- [ ] Commit messages are clear356- [ ] No merge conflicts357- [ ] Branch is up to date with main358- [ ] No unnecessary files committed359- [ ] .gitignore is properly configured360 361## Common Pitfalls362 363### Problem: Missing Edge Cases364**Symptoms:** Code works for happy path but fails on edge cases365**Solution:** Ask "What if...?" questions366- What if the input is null?367- What if the array is empty?368- What if the user is not authenticated?369- What if the network request fails?370 371### Problem: Security Vulnerabilities372**Symptoms:** Code exposes security risks373**Solution:** Use security checklist374- Run security scanners (npm audit, Snyk)375- Check OWASP Top 10376- Validate all inputs377- Use parameterized queries378- Never trust user input379 380### Problem: Poor Test Coverage381**Symptoms:** New code has no tests or inadequate tests382**Solution:** Require tests for all new code383- Unit tests for functions384- Integration tests for features385- Edge case tests386- Error case tests387 388### Problem: Unclear Code389**Symptoms:** Reviewer can't understand what code does390**Solution:** Request improvements391- Better variable names392- Explanatory comments393- Smaller functions394- Clear structure395 396## Review Comment Templates397 398### Requesting Changes399```markdown400**Issue:** [Describe the problem]401 402**Current code:**403\`\`\`javascript404// Show problematic code405\`\`\`406 407**Suggested fix:**408\`\`\`javascript409// Show improved code410\`\`\`411 412**Why:** [Explain why this is better]413```414 415### Asking Questions416```markdown417**Question:** [Your question]418 419**Context:** [Why you're asking]420 421**Suggestion:** [If you have one]422```423 424### Praising Good Code425```markdown426**Nice!** [What you liked]427 428This is great because [explain why]429```430 431## Related Skills432 433- `@requesting-code-review` - Prepare code for review434- `@receiving-code-review` - Handle review feedback435- `@systematic-debugging` - Debug issues found in review436- `@test-driven-development` - Ensure code has tests437 438## Additional Resources439 440- [Google Code Review Guidelines](https://google.github.io/eng-practices/review/)441- [OWASP Top 10](https://owasp.org/www-project-top-ten/)442- [Code Review Best Practices](https://github.com/thoughtbot/guides/tree/main/code-review)443- [How to Review Code](https://www.kevinlondon.com/2015/05/05/code-review-best-practices.html)444 445---446 447**Pro Tip:** Use a checklist template for every review to ensure consistency and thoroughness. Customize it for your team's specific needs!448 449## Limitations450- Use this skill only when the task clearly matches the scope described above.451- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.452- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.