Code Review Checklist Overview
Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.
When to Use This Skill Use when reviewing pull requests Use when conducting code audits Use when establishing code review standards for a team Use when training new developers on code review practices Use when you want to ensure nothing is missed in reviews Use when creating code review documentation How It Works Step 1: Understand the Context
Before reviewing code, I'll help you understand:
What problem does this code solve? What are the requirements? What files were changed and why? Are there related issues or tickets? What's the testing strategy? Step 2: Review Functionality
Check if the code works correctly:
Does it solve the stated problem? Are edge cases handled? Is error handling appropriate? Are there any logical errors? Does it match the requirements? Step 3: Review Code Quality
Assess code maintainability:
Is the code readable and clear? Are names descriptive? Is it properly structured? Are functions/methods focused? Is there unnecessary complexity? Step 4: Review Security
Check for security issues:
Are inputs validated? Is sensitive data protected? Are there SQL injection risks? Is authentication/authorization correct? Are dependencies secure? Step 5: Review Performance
Look for performance issues:
Are there unnecessary loops? Is database access optimized? Are there memory leaks? Is caching used appropriately? Are there N+1 query problems? Step 6: Review Tests
Verify test coverage:
Are there tests for new code? Do tests cover edge cases? Are tests meaningful? Do all tests pass? Is test coverage adequate? Examples Example 1: Functionality Review Checklist
Functionality Review
Requirements
- [ ] Code solves the stated problem
- [ ] All acceptance criteria are met
- [ ] Edge cases are handled
- [ ] Error cases are handled
- [ ] User input is validated
Logic
- [ ] No logical errors or bugs
- [ ] Conditions are correct (no off-by-one errors)
- [ ] Loops terminate correctly
- [ ] Recursion has proper base cases
- [ ] State management is correct
Error Handling
- [ ] Errors are caught appropriately
- [ ] Error messages are clear and helpful
- [ ] Errors don't expose sensitive information
- [ ] Failed operations are rolled back
- [ ] Logging is appropriate
Example Issues to Catch:
❌ Bad - Missing validation: ```javascript function createUser(email, password) { // No validation! return db.users.create({ email, password }); } ```
✅ Good - Proper validation: ```javascript function createUser(email, password) { if (!email || !isValidEmail(email)) { throw new Error('Invalid email address'); } if (!password || password.length < 8) { throw new Error('Password must be at least 8 characters'); } return db.users.create({ email, password }); } ```
Example 2: Security Review Checklist
Security Review
Input Validation
- [ ] All user inputs are validated
- [ ] SQL injection is prevented (use parameterized queries)
- [ ] XSS is prevented (escape output)
- [ ] CSRF protection is in place
- [ ] File uploads are validated (type, size, content)
Authentication & Authorization
- [ ] Authentication is required where needed
- [ ] Authorization checks are present
- [ ] Passwords are hashed (never stored plain text)
- [ ] Sessions are managed securely
- [ ] Tokens expire appropriately
Data Protection
- [ ] Sensitive data is encrypted
- [ ] API keys are not hardcoded
- [ ] Environment variables are used for secrets
- [ ] Personal data follows privacy regulations
- [ ] Database credentials are secure
Dependencies
- [ ] No known vulnerable dependencies
- [ ] Dependencies are up to date
- [ ] Unnecessary dependencies are removed
- [ ] Dependency versions are pinned
Example Issues to Catch:
❌ Bad - SQL injection risk: ```javascript const query = `SELECT * FROM users WHERE email = '\${email}'`; db.query(query); ```
✅ Good - Parameterized query: ```javascript const query = 'SELECT * FROM users WHERE email = $1'; db.query(query, [email]); ```
❌ Bad - Hardcoded secret: ```javascript const API_KEY = 'sk_live_abc123xyz'; ```
✅ Good - Environment variable: ```javascript const API_KEY = process.env.API_KEY; if (!API_KEY) { throw new Error('API_KEY environment variable is required'); } ```
Example 3: Code Quality Review Checklist
Code Quality Review
Readability
- [ ] Code is easy to understand
- [ ] Variable names are descriptive
- [ ] Function names explain what they do
- [ ] Complex logic has comments
- [ ] Magic numbers are replaced with constants
Structure
- [ ] Functions are small and focused
- [ ] Code follows DRY principle (Don't Repeat Yourself)
- [ ] Proper separation of concerns
- [ ] Consistent code style
- [ ] No dead code or commented-out code
Maintainability
- [ ] Code is modular and reusable
- [ ] Dependencies are minimal
- [ ] Changes are backwards compatible
- [ ] Breaking changes are documented
- [ ] Technical debt is noted
Example Issues to Catch:
❌ Bad - Unclear naming: ```javascript function calc(a, b, c) { return a * b + c; } ```
✅ Good - Descriptive naming: ```javascript function calculateTotalPrice(quantity, unitPrice, tax) { return quantity * unitPrice + tax; } ```
❌ Bad - Function doing too much: ```javascript function processOrder(order) { // Validate order if (!order.items) throw new Error('No items');
// Calculate total let total = 0; for (let item of order.items) { total += item.price * item.quantity; }
// Apply discount if (order.coupon) { total *= 0.9; }
// Process payment const payment = stripe.charge(total);
// Send email sendEmail(order.email, 'Order confirmed');
// Update inventory updateInventory(order.items);
return { orderId: order.id, total }; } ```
✅ Good - Separated concerns: ```javascript function processOrder(order) { validateOrder(order); const total = calculateOrderTotal(order); const payment = processPayment(total); sendOrderConfirmation(order.email); updateInventory(order.items);
return { orderId: order.id, total }; } ```
Best Practices ✅ Do This Review Small Changes - Smaller PRs are easier to review thoroughly Check Tests First - Verify tests pass and cover new code Run the Code - Test it locally when possible Ask Questions - Don't assume, ask for clarification Be Constructive - Suggest improvements, don't just criticize Focus on Important Issues - Don't nitpick minor style issues Use Automated Tools - Linters, formatters, security scanners Review Documentation - Check if docs are updated Consider Performance - Think about scale and efficiency Check for Regressions - Ensure existing functionality still works ❌ Don't Do This Don't Approve Without Reading - Actually review the code Don't Be Vague - Provide specific feedback with examples Don't Ignore Security - Security issues are critical Don't Skip Tests - Untested code will cause problems Don't Be Rude - Be respectful and professional Don't Rubber Stamp - Every review should add value Don't Review When Tired - You'll miss important issues Don't Forget Context - Understand the bigger picture Complete Review Checklist Pre-Review Read the PR description and linked issues Understand what problem is being solved Check if tests pass in CI/CD Pull the branch and run it locally Functionality Code solves the stated problem Edge cases are handled Error handling is appropriate User input is validated No logical errors Security No SQL injection vulnerabilities No XSS vulnerabilities Authentication/authorization is correct Sensitive data is protected No hardcoded secrets Performance No unnecessary database queries No N+1 query problems Efficient algorithms used No memory leaks Caching used appropriately Code Quality Code is readable and clear Names are descriptive Functions are focused and small No code duplication Follows project conventions Tests New code has tests Tests cover edge cases Tests are meaningful All tests pass Test coverage is adequate Documentation Code comments explain why, not what API documentation is updated README is updated if needed Breaking changes are documented Migration guide provided if needed Git Commit messages are clear No merge conflicts Branch is up to date with main No unnecessary files committed .gitignore is properly configured Common Pitfalls Problem: Missing Edge Cases
Symptoms: Code works for happy path but fails on edge cases Solution: Ask "What if...?" questions
What if the input is null? What if the array is empty? What if the user is not authenticated? What if the network request fails? Problem: Security Vulnerabilities
Symptoms: Code exposes security risks Solution: Use security checklist
Run security scanners (npm audit, Snyk) Check OWASP Top 10 Validate all inputs Use parameterized queries Never trust user input Problem: Poor Test Coverage
Symptoms: New code has no tests or inadequate tests Solution: Require tests for all new code
Unit tests for functions Integration tests for features Edge case tests Error case tests Problem: Unclear Code
Symptoms: Reviewer can't understand what code does Solution: Request improvements
Better variable names Explanatory comments Smaller functions Clear structure Review Comment Templates Requesting Changes Issue: [Describe the problem]
Current code: ```javascript // Show problematic code ```
Suggested fix: ```javascript // Show improved code ```
Why: [Explain why this is better]
Asking Questions Question: [Your question]
Context: [Why you're asking]
Suggestion: [If you have one]
Praising Good Code Nice! [What you liked]
This is great because [explain why]
Related Skills @requesting-code-review - Prepare code for review @receiving-code-review - Handle review feedback @systematic-debugging - Debug issues found in review @test-driven-development - Ensure code has tests Additional Resources Google Code Review Guidelines OWASP Top 10 Code Review Best Practices How to Review Code
Pro Tip: Use a checklist template for every review to ensure consistency and thoroughness. Customize it for your team's specific needs!