---

name: code-review-checklist description: "Comprehensive checklist for conducting thorough code reviews covering functionality, security, performance, and maintainability" risk: unknown source: community date_added: "2026-02-27"

Code Review Checklist

Overview

Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.

When to Use This Skill

• Use when reviewing pull requests
• Use when conducting code audits
• Use when establishing code review standards for a team
• Use when training new developers on code review practices
• Use when you want to ensure nothing is missed in reviews
• Use when creating code review documentation

How It Works

Step 1: Understand the Context

Before reviewing code, I'll help you understand:

• What problem does this code solve?
• What are the requirements?
• What files were changed and why?
• Are there related issues or tickets?
• What's the testing strategy?

Step 2: Review Functionality

Check if the code works correctly:

• Does it solve the stated problem?
• Are edge cases handled?
• Is error handling appropriate?
• Are there any logical errors?
• Does it match the requirements?

Step 3: Review Code Quality

Assess code maintainability:

• Is the code readable and clear?
• Are names descriptive?
• Is it properly structured?
• Are functions/methods focused?
• Is there unnecessary complexity?

Step 4: Review Security

Check for security issues:

• Are inputs validated?
• Is sensitive data protected?
• Are there SQL injection risks?
• Is authentication/authorization correct?
• Are dependencies secure?

Step 5: Review Performance

Look for performance issues:

• Are there unnecessary loops?
• Is database access optimized?
• Are there memory leaks?
• Is caching used appropriately?
• Are there N+1 query problems?

Step 6: Review Tests

Verify test coverage:

• Are there tests for new code?
• Do tests cover edge cases?
• Are tests meaningful?
• Do all tests pass?
• Is test coverage adequate?

Examples

Example 1: Functionality Review Checklist

## Functionality Review

### Requirements
- [ ] Code solves the stated problem
- [ ] All acceptance criteria are met
- [ ] Edge cases are handled
- [ ] Error cases are handled
- [ ] User input is validated

### Logic
- [ ] No logical errors or bugs
- [ ] Conditions are correct (no off-by-one errors)
- [ ] Loops terminate correctly
- [ ] Recursion has proper base cases
- [ ] State management is correct

### Error Handling
- [ ] Errors are caught appropriately
- [ ] Error messages are clear and helpful
- [ ] Errors don't expose sensitive information
- [ ] Failed operations are rolled back
- [ ] Logging is appropriate

### Example Issues to Catch:

**❌ Bad - Missing validation:**
\`\`\`javascript
function createUser(email, password) {
  // No validation!
  return db.users.create({ email, password });
}
\`\`\`

**✅ Good - Proper validation:**
\`\`\`javascript
function createUser(email, password) {
  if (!email || !isValidEmail(email)) {
    throw new Error('Invalid email address');
  }
  if (!password || password.length < 8) {
    throw new Error('Password must be at least 8 characters');
  }
  return db.users.create({ email, password });
}
\`\`\`

Example 2: Security Review Checklist

## Security Review

### Input Validation
- [ ] All user inputs are validated
- [ ] SQL injection is prevented (use parameterized queries)
- [ ] XSS is prevented (escape output)
- [ ] CSRF protection is in place
- [ ] File uploads are validated (type, size, content)

### Authentication & Authorization
- [ ] Authentication is required where needed
- [ ] Authorization checks are present
- [ ] Passwords are hashed (never stored plain text)
- [ ] Sessions are managed securely
- [ ] Tokens expire appropriately

### Data Protection
- [ ] Sensitive data is encrypted
- [ ] API keys are not hardcoded
- [ ] Environment variables are used for secrets
- [ ] Personal data follows privacy regulations
- [ ] Database credentials are secure

### Dependencies
- [ ] No known vulnerable dependencies
- [ ] Dependencies are up to date
- [ ] Unnecessary dependencies are removed
- [ ] Dependency versions are pinned

### Example Issues to Catch:

**❌ Bad - SQL injection risk:**
\`\`\`javascript
const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
db.query(query);
\`\`\`

**✅ Good - Parameterized query:**
\`\`\`javascript
const query = 'SELECT * FROM users WHERE email = $1';
db.query(query, [email]);
\`\`\`

**❌ Bad - Hardcoded secret:**
\`\`\`javascript
const API_KEY = 'sk_live_abc123xyz';
\`\`\`

**✅ Good - Environment variable:**
\`\`\`javascript
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY environment variable is required');
}
\`\`\`

Example 3: Code Quality Review Checklist

## Code Quality Review

###