
About
A comprehensive code review checklist covering functionality, security, performance and maintainability
name: code-review-checklist
description: "全面的代码审查清单,涵盖功能性、安全性、性能和可维护性"
risk: unknown
source: community
date_added: "2026-02-27"
Code Review Checklist
Overview
Provides a systematic code review checklist. This skill helps reviewers ensure code quality, find defects, identify security issues, and keep the codebase consistent.
When to use this skill
- When reviewing a Pull Request
- When performing a code audit
- When establishing code review standards for a team
- When training new developers in code review practices
- When making sure a review does not miss anything
- When creating code review documentation
How it works
Step 1: Understand the context
Before reviewing the code, I will help you understand:
- What problem does this code solve?
- What are the requirements?
- Which files were changed, and why?
- Is there a related issue or ticket?
- What is the testing strategy?
Step 2: Review functionality
Check that the code works correctly:
- Does it solve the stated problem?
- Are edge cases handled?
- Is error handling appropriate?
- Are there logic errors?
- Does it meet the requirements?
Step 3: Review code quality
Assess maintainability:
- Is the code readable and clear?
- Are names descriptive?
- Is the structure sensible?
- Does each function/method have a single responsibility?
- Is there unnecessary complexity?
Step 4: Review security
Check for security issues:
- Is input validated?
- Is sensitive data protected?
- Is there a SQL injection risk?
- Are authentication/authorization correct?
- Are dependencies secure?
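The "are dependencies secure?" question (and the "dependency versions are pinned" item in the security checklist below) is easy to check mechanically. The following is an added example, not code from the original checklist or from the skill's author: it walks the dependency sections of a package.json and reports every specifier that is not an exact version. The manifest PACKAGE_JSON is constructed for illustration; the section names and the classification rules are the author's own choices, not an npm API.

```javascript
// Added example (not from the original checklist): report dependency
// specifiers in a package.json that are not pinned to an exact version.
// PACKAGE_JSON below is a constructed manifest used only for illustration.
const PACKAGE_JSON = {
  dependencies: {
    express: "4.18.2",                      // pinned
    lodash: "^4.17.21",                     // caret range
    "left-pad": "*",                        // anything at all
    moment: "latest",                       // floating dist-tag
    debug: "~2.6.9",                        // tilde range
    "my-lib": "github:example/my-lib#main"  // non-registry source
  },
  devDependencies: {
    jest: "29.7.0"                          // pinned
  }
};

// Exact semver: MAJOR.MINOR.PATCH with an optional pre-release or build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Classify one specifier; returns null when it is pinned, otherwise a reason.
function classifySpec(spec) {
  if (typeof spec !== "string" || spec.trim() === "") return "empty specifier";
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return null;
  if (s === "*" || s === "latest") return "wildcard or floating tag";
  if (/^[\^~]/.test(s)) return "caret/tilde range";
  if (/^[<>=]/.test(s) || / - /.test(s) || /\|\|/.test(s) || /\.x\b/i.test(s)) {
    return "version range";
  }
  if (/^(git\+|github:|https?:|file:|ssh:|git:)/.test(s) || s.includes("/")) {
    return "non-registry source";
  }
  return "unrecognised specifier";
}

// Walk every dependency section and collect the unpinned entries.
function findUnpinnedDependencies(pkg) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Stand-alone run: print one line per finding.
for (const f of findUnpinnedDependencies(PACKAGE_JSON)) {
  console.log(`${f.section}/${f.name}: "${f.spec}" (${f.reason})`);
}
```

A check like this only covers what the manifest declares; a committed lockfile and a vulnerability scan of the resolved tree (for example `npm audit`) cover the transitive dependencies the manifest never names.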
Step 5: Review performance
Look for performance problems:
- Are there unnecessary loops?
- Is database access optimized?
- Are there memory leaks?
- Is caching used appropriately?
- Are there N+1 query problems?
Step 6: Review tests
Verify test coverage:
- Does the new code have tests?
- Do the tests cover edge cases?
- Are the tests meaningful?
- Do all tests pass?
- Is test coverage sufficient?
Examples
Example 1: Functionality review checklist
## Functionality Review
### Requirements
- [ ] Code solves the stated problem
- [ ] All acceptance criteria are met
- [ ] Edge cases are handled
- [ ] Error cases are handled
- [ ] User input is validated
### Logic
- [ ] No logical errors or bugs
- [ ] Conditions are correct (no off-by-one errors)
- [ ] Loops terminate correctly
- [ ] Recursion has proper base cases
- [ ] State management is correct
### Error Handling
- [ ] Errors are caught appropriately
- [ ] Error messages are clear and helpful
- [ ] Errors don't expose sensitive information
- [ ] Failed operations are rolled back
- [ ] Logging is appropriate
### Example Issues to Catch:
**❌ Bad - Missing validation:**
```javascript
function createUser(email, password) {
  // No validation!
  return db.users.create({ email, password });
}
```
**✅ Good - Proper validation:**
```javascript
// isValidEmail and db are assumed to be defined elsewhere in the codebase.
function createUser(email, password) {
  if (!email || !isValidEmail(email)) {
    throw new Error('Invalid email address');
  }
  if (!password || password.length < 8) {
    throw new Error('Password must be at least 8 characters');
  }
  return db.users.create({ email, password });
}
```
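The "good" example above leaves the `isValidEmail` helper undefined and stops at the first problem it finds. The following is an added example, not code from the original checklist or from the skill's author: it supplies one conservative `isValidEmail`, normalises the address before checking it, bounds both fields, and reports every validation error at once so the "Requirements" items (input validated, edge cases handled, error cases handled) can each be seen in the code. The function names, the length limits and the shape of the returned object are this example's own assumptions.

```javascript
// Added example (not from the original checklist): validate the inputs of a
// user-creation call and report every problem at once. The limits below are
// assumptions chosen for this example, not values from the checklist.
const MAX_EMAIL_LENGTH = 254;    // practical upper bound for an address
const MIN_PASSWORD_LENGTH = 8;   // matches the checklist's "good" example
const MAX_PASSWORD_LENGTH = 128; // bound the input before it reaches a hash

// Deliberately conservative: one local part, one "@", a dotted domain, no
// whitespace. It rejects some RFC-valid addresses on purpose.
function isValidEmail(email) {
  if (typeof email !== "string") return false;
  if (email.length === 0 || email.length > MAX_EMAIL_LENGTH) return false;
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Returns { ok, errors, value }: errors lists every failed field, value holds
// the normalised input when everything passed.
function validateNewUser({ email, password } = {}) {
  const errors = [];

  // Normalise first so "  Alice@Example.COM " and "alice@example.com" agree.
  const normalizedEmail = typeof email === "string" ? email.trim().toLowerCase() : email;
  if (!isValidEmail(normalizedEmail)) {
    errors.push({ field: "email", message: "Invalid email address" });
  }

  if (typeof password !== "string" || password.length === 0) {
    errors.push({ field: "password", message: "Password is required" });
  } else if (password.length < MIN_PASSWORD_LENGTH) {
    errors.push({ field: "password", message: `Password must be at least ${MIN_PASSWORD_LENGTH} characters` });
  } else if (password.length > MAX_PASSWORD_LENGTH) {
    errors.push({ field: "password", message: `Password must be at most ${MAX_PASSWORD_LENGTH} characters` });
  }

  const ok = errors.length === 0;
  return { ok, errors, value: ok ? { email: normalizedEmail, password } : null };
}

// Stand-alone run over a few constructed inputs.
for (const input of [
  undefined,
  { email: "  Alice@Example.COM ", password: "correct horse" },
  { email: "not-an-email", password: "x".repeat(200) },
]) {
  const result = validateNewUser(input);
  console.log(JSON.stringify(input), "->", result.ok ? "ok" : result.errors.map(e => e.message).join("; "));
}
```

Only the validation step is shown; the password in `value` would go to a hashing step before anything is stored, which is the "passwords are hashed" item of the security checklist rather than a functionality concern.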
Example 2: Security review checklist
## Security Review
### Input Validation
- [ ] All user inputs are validated
- [ ] SQL injection is prevented (use parameterized queries)
- [ ] XSS is prevented (escape output)
- [ ] CSRF protection is in place
- [ ] File uploads are validated (type, size, content)
### Authentication & Authorization
- [ ] Authentication is required where needed
- [ ] Authorization checks are present
- [ ] Passwords are hashed (never stored plain text)
- [ ] Sessions are managed securely
- [ ] Tokens expire appropriately
### Data Protection
- [ ] Sensitive data is encrypted
- [ ] API keys are not hardcoded
- [ ] Environment variables are used for secrets
- [ ] Personal data follows privacy regulations
- [ ] Database credentials are secure
### Dependencies
- [ ] No known vulnerable dependencies
- [ ] Dependencies are up to date
- [ ] Unnecessary dependencies are removed
- [ ] Dependency versions are pinned
### Example Issues to Catch:
**❌ Bad - SQL injection risk:**
```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;
db.query(query);
```
**✅ Good - Parameterized query:**
```javascript
const query = 'SELECT * FROM users WHERE email = $1';
db.query(query, [email]);
```
**❌ Bad - Hardcoded secret:**
```javascript
const API_KEY = 'sk_live_abc123xyz';
```
**✅ Good - Environment variable:**
```javascript
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY environment variable is required');
}
```
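The checklist's "XSS is prevented (escape output)" item has no bad/good pair above, so here is one as an added example, not code from the original checklist or from the skill's author. It shows a template that interpolates user-controlled profile fields verbatim next to one that escapes every value and only emits a link when the URL parses as http(s). `escapeHtml`, `safeHttpUrl`, the render functions and SAMPLE_PROFILE are all constructed for this example.

```javascript
// Added example (not from the original checklist): escape untrusted values
// before interpolating them into HTML. SAMPLE_PROFILE is constructed data.

// The five characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only http(s) URLs for an href; anything else (including javascript:
// URLs or strings that do not parse) yields null.
function safeHttpUrl(candidate) {
  try {
    const url = new URL(String(candidate));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
  } catch {
    return null;
  }
}

// ❌ Bad: user-controlled displayName and website land in the page verbatim.
function renderProfileUnsafe(profile) {
  return `<h1>${profile.displayName}</h1><a href="${profile.website}">site</a>`;
}

// ✅ Good: every interpolated value is escaped, and the link is dropped when
// the URL is not http(s).
function renderProfileSafe(profile) {
  const name = escapeHtml(profile.displayName);
  const href = safeHttpUrl(profile.website);
  const link = href ? `<a href="${escapeHtml(href)}">site</a>` : "";
  return `<h1>${name}</h1>${link}`;
}

// Constructed sample: markup in the display name and a javascript: link.
const SAMPLE_PROFILE = {
  displayName: "Mallory <script>alert(1)</script>",
  website: "javascript:alert(1)",
};

// Stand-alone run: compare the two renderings.
console.log("unsafe:", renderProfileUnsafe(SAMPLE_PROFILE));
console.log("safe:  ", renderProfileSafe(SAMPLE_PROFILE));
```

Escaping at the output site is the rule to look for in review; escaping at input time is not a substitute, because the same value may later be rendered into HTML, an attribute, a URL or a script block, each with different rules. A templating engine that auto-escapes by default makes the safe form the path of least resistance.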
Example 3: Code quality review checklist
## Code Quality Review
Compatible tools
Claude Code, Cursor
Tags
Security
