code-review skill

---
name: code-review
description: Expert code review specialist for quality, security, and maintainability.
  Use when reviewing code changes, ensuring high development standards, or conducting
  security audits. Provides actionable feedback organized by priority.
author: Joseph OBrien
status: unpublished
updated: '2025-12-23'
version: 1.0.1
tag: skill
type: skill
---

# Code Review

This skill provides expert code review capabilities focusing on code quality, security vulnerabilities, and maintainability. It analyzes code changes and provides prioritized, actionable feedback.

## When to Use This Skill

- After writing or modifying code to ensure quality standards
- Before merging pull requests or deploying changes
- When conducting security audits or vulnerability assessments
- When establishing code quality standards for a project
- When reviewing code for performance optimizations
- When ensuring code follows project conventions and best practices

## What This Skill Does

1. **Analyzes Code Changes**: Reviews git diffs and modified files to understand what changed
2. **Security Auditing**: Identifies exposed secrets, API keys, and security vulnerabilities
3. **Quality Assessment**: Evaluates code readability, maintainability, and best practices
4. **Performance Review**: Identifies potential performance issues and optimization opportunities
5. **Standards Compliance**: Ensures code follows project conventions and style guidelines
6. **Prioritized Feedback**: Organizes findings by severity (Critical, Warnings, Suggestions)

## How to Use

### Basic Code Review

```
Review the recent code changes in this branch
```

```
Check this file for security issues and code quality
```

### Review Specific Files

```
Review src/auth.js for security vulnerabilities
```

```
Review the changes in this pull request
```

## Review Process

### 1. Analyze Changes

When invoked:

1. **Get Recent Changes**: Run `git diff` to see what changed

   ```bash
   git diff $(git merge-base HEAD main)..HEAD
   ```

2. **Focus on Modified Files**: Prioritize files with actual changes
3. **Review Context**: Understand the purpose of changes from commit messages or conversation

### 2. Review Checklist

For each file, check:

**Code Quality:**

- Code is simple and readable
- Functions and variables are well-named
- No duplicated code
- Proper error handling
- Good test coverage
- Performance considerations addressed

**Security:**

- No exposed secrets or API keys
- Input validation implemented
- Proper authentication/authorization
- Safe handling of user input
- No SQL injection or XSS vulnerabilities

**Maintainability:**

- Consistent code style
- Appropriate comments (not excessive)
- Clear function/method structure
- Proper separation of concerns
- No unnecessary complexity

**Best Practices:**

- Follows framework/library conventions
- Proper use of design patterns
- Efficient algorithms and data structures
- Appropriate use of async/await or promises
- Proper resource cleanup

### 3. Organize Feedback

Provide feedback in three priority levels:

**Critical Issues (Must Fix):**

- Security vulnerabilities
- Bugs that will cause failures
- Code that breaks existing functionality
- Performance issues that will impact users

**Warnings (Should Fix):**

- Code quality issues that affect maintainability
- Potential bugs or edge cases
- Performance optimizations
- Missing error handling
- Incomplete test coverage

**Suggestions (Consider Improving):**

- Code style improvements
- Refactoring opportunities
- Documentation enhancements
- Best practice recommendations
- Minor optimizations

### 4. Provide Specific Examples

For each issue found:

- **Location**: File path and line number
- **Issue**: Clear description of the problem
- **Impact**: Why this matters
- **Fix**: Specific code example showing how to fix it
- **Rationale**: Explanation of why the fix is better

## Examples

### Example 1: Security Issue Found

**Input**: Review `src/api/auth.js`

**Output**:

```markdown
## Code Review: src/api/auth.js

### Critical Issues

**1. Exposed API Key**
- **Location**: `src/api/auth.js:23`
- **Issue**: Hardcoded API key in source code
- **Code**:
  ```javascript
  const API_KEY = "sk_live_1234567890abcdef"; // ❌ Exposed secret
  ```

- **Fix**: Use environment variables

  ```javascript
  const API_KEY = process.env.API_KEY; // ✅ Secure
  ```

- **Impact**: This exposes your API key in version control, allowing unauthorized access

### Warnings

**2. Missing Input Validation**

- **Location**: `src/api/auth.js:45`
- **Issue**: No validation on user input before processing
- **Recommendation**: Add input validation before authentication

### Example 2: Code Quality Review

**Input**: Review recent changes

**Output**:

```markdown
## Code Review Summary

**Files Reviewed**: 5
**Critical Issues**: 0
**Warnings**: 3
**Suggestions**: 5

### Warnings

**1. Duplicated Code**
- **Files**: `src/utils/format.js:12-25` and `src/utils/display.js:8-21`
- **Issue**: Same formatting logic duplicated
- **Fix**: Extract to shared utility function

**2. Missing Error Handling**
- **Location**: `src/api/users.js:34`
- **Issue**: No try/catch for async operation
- **Fix**: Add proper error handling

### Suggestions

**1. Improve Variable Naming**
- **Location**: `src/components/List.jsx:15`
- **Current**: `const d = data.map(...)`
- **Suggested**: `const formattedItems = data.map(...)`
```

## Reference Files

For comprehensive review checklists, load reference files as needed:

- **`references/review_checklist.md`** - Detailed checklists for security, code quality, performance, testing, documentation, and best practices
- **`references/CODE_ANALYSIS.template.md`** - Code analysis report template with security, performance, and maintainability sections

When conducting thorough reviews, load `references/review_checklist.md` and use the appropriate checklist sections.

## Best Practices

### Review Focus Areas

1. **Security First**: Always check for security vulnerabilities first
2. **Context Matters**: Understand the purpose of changes before reviewing
3. **Be Constructive**: Provide actionable feedback, not just criticism
4. **Prioritize**: Focus on critical issues that must be fixed
5. **Explain Why**: Help developers understand the reasoning behind suggestions

### Review Guidelines

- **Be Specific**: Point to exact lines and provide code examples
- **Be Balanced**: Acknowledge good code as well as issues
- **Be Practical**: Consider the context and urgency of changes
- **Be Educational**: Help developers learn and improve
- **Be Consistent**: Apply the same standards across all reviews

### Common Patterns to Check

**Security:**

- Hardcoded secrets or credentials
- SQL injection vulnerabilities
- XSS vulnerabilities
- Missing authentication/authorization
- Insecure random number generation

**Code Quality:**

- Code duplication
- Magic numbers without constants
- Deeply nested conditionals
- Functions that do too much
- Poor error messages

**Performance:**

- N+1 query problems
- Missing indexes
- Inefficient algorithms
- Unnecessary re-renders (React)
- Memory leaks

## Related Use Cases

- Pre-commit code reviews
- Pull request reviews
- Security audits
- Code quality assessments
- Onboarding new team members
- Establishing coding standards