supercent-io avatar
42

This code-review skill provides comprehensive guidance for evaluating code quality, security, performance, testing, and documentation across various programming languages. It offers step-by-step instructions and checklists to identify issues such as bugs, vulnerabilities, and design flaws, making it suitable for developers, reviewers, and technical leads aiming to ensure robust and maintainable code. The skill emphasizes constructive feedback, best practices, and relevant tools to streamline and improve the review process.

npx skills add https://github.com/supercent-io/skills-template --skill code-review

Code Review

When to use this skill

  • Reviewing pull requests
  • Checking code quality
  • Providing feedback on implementations
  • Identifying potential bugs
  • Suggesting improvements
  • Security audits
  • Performance analysis

Instructions

Step 1: Understand the context

Read the PR description:

  • What is the goal of this change?
  • Which issues does it address?
  • Are there any special considerations? Check the scope:
  • How many files changed?
  • What type of changes? (feature, bugfix, refactor)
  • Are tests included?

Step 2: High-level review

Architecture and design:

  • Does the approach make sense?
  • Is it consistent with existing patterns?
  • Are there simpler alternatives?
  • Is the code in the right place? Code organization:
  • Clear separation of concerns?
  • Appropriate abstraction levels?
  • Logical file/folder structure?

Step 3: Detailed code review

Naming:

  • Variables: descriptive, meaningful names
  • Functions: verb-based, clear purpose
  • Classes: noun-based, single responsibility
  • Constants: UPPER_CASE for true constants
  • Avoid abbreviations unless widely known Functions:
  • Single responsibility
  • Reasonable length (< 50 lines ideally)
  • Clear inputs and outputs
  • Minimal side effects
  • Proper error handling Classes and objects:
  • Single responsibility principle
  • Open/closed principle
  • Liskov substitution principle
  • Interface segregation
  • Dependency inversion Error handling:
  • All errors caught and handled
  • Meaningful error messages
  • Proper logging
  • No silent failures
  • User-friendly errors for UI Code quality:
  • No code duplication (DRY)
  • No dead code
  • No commented-out code
  • No magic numbers
  • Consistent formatting

Step 4: Security review

Input validation:

  • All user inputs validated
  • Type checking
  • Range checking
  • Format validation Authentication & Authorization:
  • Proper authentication checks
  • Authorization for sensitive operations
  • Session management
  • Password handling (hashing, salting) Data protection:
  • No hardcoded secrets
  • Sensitive data encrypted
  • SQL injection prevention
  • XSS prevention
  • CSRF protection Dependencies:
  • No vulnerable packages
  • Dependencies up-to-date
  • Minimal dependency usage

Step 5: Performance review

Algorithms:

  • Appropriate algorithm choice
  • Reasonable time complexity
  • Reasonable space complexity
  • No unnecessary loops Database:
  • Efficient queries
  • Proper indexing
  • N+1 query prevention
  • Connection pooling Caching:
  • Appropriate caching strategy
  • Cache invalidation handled
  • Memory usage reasonable Resource management:
  • Files properly closed
  • Connections released
  • Memory leaks prevented

Step 6: Testing review

Test coverage:

  • Unit tests for new code
  • Integration tests if needed
  • Edge cases covered
  • Error cases tested Test quality:
  • Tests are readable
  • Tests are maintainable
  • Tests are deterministic
  • No test interdependencies
  • Proper test data setup/teardown Test naming:
# Good
def test_user_creation_with_valid_data_succeeds():
    pass
# Bad
def test1():
    pass

Step 7: Documentation review

Code comments:

  • Complex logic explained
  • No obvious comments
  • TODOs have tickets
  • Comments are accurate Function documentation:
def calculate_total(items: List[Item], tax_rate: float) -> Decimal:
    """
    Calculate the total price including tax.
    Args:
        items: List of items to calculate total for
        tax_rate: Tax rate as decimal (e.g., 0.1 for 10%)
    Returns:
        Total price including tax
    Raises:
        ValueError: If tax_rate is negative
    """
    pass

README/docs:

  • README updated if needed
  • API docs updated
  • Migration guide if breaking changes

Step 8: Provide feedback

Be constructive:

✅ Good:
"Consider extracting this logic into a separate function for better
testability and reusability:
def validate_email(email: str) -> bool:
    return '@' in email and '.' in email.split('@')[1]
This would make it easier to test and reuse across the codebase."
❌ Bad:
"This is wrong. Rewrite it."

Be specific:

✅ Good:
"On line 45, this query could cause N+1 problem. Consider using
.select_related('author') to fetch related objects in a single query."
❌ Bad:
"Performance issues here."

Prioritize issues:

  • 🔴 Critical: Security, data loss, major bugs
  • 🟡 Important: Performance, maintainability
  • 🟢 Nice-to-have: Style, minor improvements Acknowledge good work:
"Nice use of the strategy pattern here! This makes it easy to add
new payment methods in the future."

Review checklist

Functionality

  • Code does what it's supposed to do
  • Edge cases handled
  • Error cases handled
  • No obvious bugs

Code Quality

  • Clear, descriptive naming
  • Functions are small and focused
  • No code duplication
  • Consistent with codebase style
  • No code smells

Security

  • Input validation
  • No hardcoded secrets
  • Authentication/authorization
  • No SQL injection vulnerabilities
  • No XSS vulnerabilities

Performance

  • No obvious bottlenecks
  • Efficient algorithms
  • Proper database queries
  • Resource management

Testing

  • Tests included
  • Good test coverage
  • Tests are maintainable
  • Edge cases tested

Documentation

  • Code is self-documenting
  • Comments where needed
  • Docs updated
  • Breaking changes documented

Common issues

Anti-patterns

God class:

# Bad: One class doing everything
class UserManager:
    def create_user(self): pass
    def send_email(self): pass
    def process_payment(self): pass
    def generate_report(self): pass

Magic numbers:

# Bad
if user.age > 18:
    pass
# Good
MINIMUM_AGE = 18
if user.age > MINIMUM_AGE:
    pass

Deep nesting:

# Bad
if condition1:
    if condition2:
        if condition3:
            if condition4:
                # deeply nested code
# Good (early returns)
if not condition1:
    return
if not condition2:
    return
if not condition3:
    return
if not condition4:
    return
# flat code

Security vulnerabilities

SQL Injection:

# Bad
query = f"SELECT * FROM users WHERE id = {user_id}"
# Good
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))

XSS:

// Bad
element.innerHTML = userInput;
// Good
element.textContent = userInput;

Hardcoded secrets:

# Bad
API_KEY = "sk-1234567890abcdef"
# Good
API_KEY = os.environ.get("API_KEY")

Best practices

  1. Review promptly: Don't make authors wait
  2. Be respectful: Focus on code, not the person
  3. Explain why: Don't just say what's wrong
  4. Suggest alternatives: Show better approaches
  5. Use examples: Code examples clarify feedback
  6. Pick your battles: Focus on important issues
  7. Acknowledge good work: Positive feedback matters
  8. Review your own code first: Catch obvious issues
  9. Use automated tools: Let tools catch style issues
  10. Be consistent: Apply same standards to all code

Tools to use

Linters:

  • Python: pylint, flake8, black
  • JavaScript: eslint, prettier
  • Go: golint, gofmt
  • Rust: clippy, rustfmt Security:
  • Bandit (Python)
  • npm audit (Node.js)
  • OWASP Dependency-Check Code quality:
  • SonarQube
  • CodeClimate
  • Codacy

References

Examples

Example 1: Basic usage

Example 2: Advanced usage

GitHub Owner

Owner: supercent-io

More skills

SI
Code Refactoring

supercent-io

G
File Organization

goldbergyoni

G
Testing Strategies

goldbergyoni