code-review

code-review

Code Review

When to use this skill

• Reviewing pull requests

• Checking code quality

• Providing feedback on implementations

• Identifying potential bugs

• Suggesting improvements

• Security audits

• Performance analysis

Instructions

Step 1: Understand the context

Read the PR description:

• What is the goal of this change?

• Which issues does it address?

• Are there any special considerations?

Check the scope:

• How many files changed?

• What type of changes? (feature, bugfix, refactor)

• Are tests included?

Step 2: High-level review

Architecture and design:

• Does the approach make sense?

• Is it consistent with existing patterns?

• Are there simpler alternatives?

• Is the code in the right place?

Code organization:

• Clear separation of concerns?

• Appropriate abstraction levels?

• Logical file/folder structure?

Step 3: Detailed code review

Naming:

• Variables: descriptive, meaningful names

• Functions: verb-based, clear purpose

• Classes: noun-based, single responsibility

• Constants: UPPER_CASE for true constants

• Avoid abbreviations unless widely known

Functions:

• Single responsibility

• Reasonable length (< 50 lines ideally)

• Clear inputs and outputs

• Minimal side effects

• Proper error handling

Classes and objects:

• Single responsibility principle

• Open/closed principle

• Liskov substitution principle

• Interface segregation

• Dependency inversion

Error handling:

• All errors caught and handled

• Meaningful error messages

• Proper logging

• No silent failures

• User-friendly errors for UI

Code quality:

• No code duplication (DRY)

• No dead code

• No commented-out code

• No magic numbers

• Consistent formatting

Step 4: Security review

Input validation:

• All user inputs validated

• Type checking

• Range checking

• Format validation

Authentication & Authorization:

• Proper authentication checks

• Authorization for sensitive operations

• Session management

• Password handling (hashing, salting)

Data protection:

• No hardcoded secrets

• Sensitive data encrypted

• SQL injection prevention

• XSS prevention

• CSRF protection

Dependencies:

• No vulnerable packages

• Dependencies up-to-date

• Minimal dependency usage

Step 5: Performance review

Algorithms:

• Appropriate algorithm choice

• Reasonable time complexity

• Reasonable space complexity

• No unnecessary loops

Database:

• Efficient queries

• Proper indexing

• N+1 query prevention

• Connection pooling

Caching:

• Appropriate caching strategy

• Cache invalidation handled

• Memory usage reasonable

Resource management:

• Files properly closed

• Connections released

• Memory leaks prevented

Step 6: Testing review

Test coverage:

• Unit tests for new code

• Integration tests if needed

• Edge cases covered

• Error cases tested

Test quality:

• Tests are readable

• Tests are maintainable

• Tests are deterministic

• No test interdependencies

• Proper test data setup/teardown

Test naming:

# Good
def test_user_creation_with_valid_data_succeeds():
    pass

# Bad
def test1():
    pass

Step 7: Documentation review

Code comments:

• Complex logic explained

• No obvious comments

• TODOs have tickets

• Comments are accurate

Function documentation:

def calculate_total(items: List[Item], tax_rate: float) -> Decimal:
    """
    Calculate the total price including tax.

    Args:
        items: List of items to calculate total for
        tax_rate: Tax rate as decimal (e.g., 0.1 for 10%)

    Returns:
        Total price including tax

    Raises:
        ValueError: If tax_rate is negative
    """
    pass

README/docs:

• README updated if needed

• API docs updated

• Migration guide if breaking changes

Step 8: Provide feedback

Be constructive:

✅ Good:
"Consider extracting this logic into a separate function for better
testability and reusability:

def validate_email(email: str) -> bool:
    return '@' in email and '.' in email.split('@')[1]

This would make it easier to test and reuse across the codebase."

❌ Bad:
"This is wrong. Rewrite it."

Be specific:

✅ Good:
"On line 45, this query could cause N+1 problem. Consider using
.select_related('author') to fetch related objects in a single query."

❌ Bad:
"Performance issues here."

Prioritize issues:

• 🔴 Critical: Security, data loss, major bugs

• 🟡 Important: Performance, maintainability

• 🟢 Nice-to-have: Style, minor improvements

Acknowledge good work:

"Nice use of the strategy pattern here! This makes it easy to add
new payment methods in the future."

Review checklist

Functionality

• Code does what it's supposed to do

• Edge cases handled

• Error cases handled

• No obvious bugs

Code Quality

• Clear, descriptive naming

• Functions are small and focused

• No code duplication

• Consistent with codebase style

• No code smells

Security

• Input validation

• No hardcoded secrets

• Authentication/authorization

• No SQL injection vulnerabilities

• No XSS vulnerabilities

Performance

• No obvious bottlenecks

• Efficient algorithms

• Proper database queries

• Resource management

Testing

• Tests included

• Good test coverage

• Tests are maintainable

• Edge cases tested

Documentation

• Code is self-documenting

• Comments where needed

• Docs updated

• Breaking changes documented

Common issues

Anti-patterns

God class:

# Bad: One class doing everything
class UserManager:
    def create_user(self): pass
    def send_email(self): pass
    def process_payment(self): pass
    def generate_report(self): pass

Magic numbers:

# Bad
if user.age > 18:
    pass

# Good
MINIMUM_AGE = 18
if user.age > MINIMUM_AGE:
    pass

Deep nesting:

# Bad
if condition1:
    if condition2:
        if condition3:
            if condition4:
                # deeply nested code

# Good (early returns)
if not condition1:
    return
if not condition2:
    return
if not condition3:
    return
if not condition4:
    return
# flat code

Security vulnerabilities

SQL Injection:

# Bad
query = f"SELECT * FROM users WHERE id = {user_id}"

# Good
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))

XSS:

// Bad
element.innerHTML = userInput;

// Good
element.textContent = userInput;

Hardcoded secrets:

# Bad
API_KEY = "sk-1234567890abcdef"

# Good
API_KEY = os.environ.get("API_KEY")

Best practices

• Review promptly: Don't make authors wait

• Be respectful: Focus on code, not the person

• Explain why: Don't just say what's wrong

• Suggest alternatives: Show better approaches

• Use examples: Code examples clarify feedback

• Pick your battles: Focus on important issues

• Acknowledge good work: Positive feedback matters

• Review your own code first: Catch obvious issues

• Use automated tools: Let tools catch style issues

• Be consistent: Apply same standards to all code

Tools to use

Linters:

• Python: pylint, flake8, black

• JavaScript: eslint, prettier

• Go: golint, gofmt

• Rust: clippy, rustfmt

Security:

• Bandit (Python)

• npm audit (Node.js)

• OWASP Dependency-Check

Code quality:

• SonarQube

• CodeClimate

• Codacy

References

• Google Code Review Guidelines

• OWASP Top 10

• Clean Code by Robert C. Martin

Examples

Example 1: Basic usage

Example 2: Advanced usage

Weekly Installs11.8KRepositorysupercent-io/sk…templateGitHub Stars58First SeenJan 24, 2026Security AuditsGen Agent Trust HubPassSocketPassSnykPassInstalled oncodex11.7Kgemini-cli11.7Kopencode11.7Kgithub-copilot11.6Kcursor11.6Kamp11.6K