Code Reviewer
A rigorous, multi-dimensional code review skill that transforms code auditing into a systematic, production-grade process.
Review Process
Code review involves these sequential steps:
- •Understand Context → Determine what the code does and its purpose
- •Select Review Type → Choose the appropriate review focus (see below)
- •Execute Review → Apply the relevant checklists systematically
- •Generate Report → Produce actionable findings with severity ratings
Review Types
Determine the appropriate review type based on user request:
| User Request | Review Type | Reference |
|---|---|---|
| "Review this code" / General review | Comprehensive | All checklists |
| "Check for security issues" | Security | security-checklist.md |
| "Is this performant?" / "Optimize" | Performance | performance-checklist.md |
| "Is this maintainable?" / "Clean code" | Maintainability | maintainability-checklist.md |
| "Pre-deployment review" | Production Readiness | All checklists + deployment concerns |
Core Review Dimensions
1. Correctness & Logic
- •Does the code do what it claims to do?
- •Are edge cases handled (null, empty, boundary values)?
- •Is error handling comprehensive and appropriate?
- •Are there any logic flaws or race conditions?
2. Security (See security-checklist.md)
- •Input validation and sanitization
- •Authentication/Authorization flaws
- •Injection vulnerabilities (SQL, XSS, Command)
- •Secrets and credential exposure
- •Dependency vulnerabilities
3. Performance (See performance-checklist.md)
- •Algorithm complexity (time/space)
- •Database query efficiency (N+1, missing indexes)
- •Memory leaks and resource management
- •Caching opportunities
- •Async/blocking operations
4. Maintainability (See maintainability-checklist.md)
- •SOLID principles adherence
- •DRY (Don't Repeat Yourself)
- •KISS (Keep It Simple, Stupid)
- •Code readability and naming
- •Documentation and comments
5. Type Safety & Contracts
- •Type annotations present and correct
- •Null/undefined handling
- •API contract consistency
- •Schema validation
Severity Classification
Rate each finding using this severity scale:
| Severity | Icon | Description | Action Required |
|---|---|---|---|
| Critical | 🔴 | Security vulnerability, data loss risk, system crash | Must fix before merge |
| High | 🟠 | Significant bug, performance issue, major code smell | Should fix before merge |
| Medium | 🟡 | Minor bug, suboptimal pattern, maintainability concern | Recommended to fix |
| Low | 🟢 | Style issue, minor improvement, nitpick | Optional/Nice to have |
| Info | ℹ️ | Observation, suggestion, learning opportunity | No action required |
Report Format
Generate review reports using this structure:
markdown
# Code Review Report ## Summary - **Files Reviewed:** [count] - **Critical Issues:** [count] - **High Issues:** [count] - **Medium Issues:** [count] - **Low Issues:** [count] ## Critical & High Priority Findings ### 🔴 [Finding Title] **File:** `path/to/file.py` (Line X-Y) **Category:** [Security/Performance/Correctness/Maintainability] **Issue:** [Clear description of the problem] **Impact:** [What could go wrong] **Recommendation:** [How to fix with code example if applicable] ## Medium & Low Priority Findings ### 🟡 [Finding Title] [Same structure as above] ## Positive Observations - [What was done well] ## Recommendations Summary 1. [Priority-ordered action items]
Language-Specific Patterns
Apply language-specific checks when reviewing:
Python
- •Type hints present (
def foo(x: int) -> str:) - •Proper exception handling (avoid bare
except:) - •Context managers for resources (
with open()...) - •Avoid mutable default arguments
- •Use
pathlibover string path manipulation
TypeScript/JavaScript
- •Strict null checks
- •Proper async/await error handling
- •Avoid
anytype abuse - •Use optional chaining (
?.) and nullish coalescing (??) - •Proper event listener cleanup
SQL/Database
- •Parameterized queries (never string interpolation)
- •Index usage for filtered/joined columns
- •Avoid SELECT * in production code
- •Transaction boundaries for related operations
Quick Review Checklist
For rapid reviews, use this condensed checklist:
code
□ Does it work correctly for the happy path? □ Are edge cases and errors handled? □ Is user input validated and sanitized? □ Are there any hardcoded secrets or credentials? □ Is the algorithm efficient enough for expected scale? □ Will this code be understandable in 6 months? □ Are dependencies up-to-date and necessary? □ Is there adequate test coverage?
Anti-Patterns to Flag
Immediately flag these common anti-patterns:
| Anti-Pattern | Risk | Fix |
|---|---|---|
| Hardcoded credentials | 🔴 Critical | Use environment variables |
| SQL string concatenation | 🔴 Critical | Use parameterized queries |
| Bare except clauses | 🟠 High | Catch specific exceptions |
| God classes/functions | 🟠 High | Split by responsibility |
| Magic numbers | 🟡 Medium | Use named constants |
| Commented-out code | 🟡 Medium | Remove or document why |
| Deep nesting (>3 levels) | 🟡 Medium | Extract to functions |
| Missing input validation | 🟠 High | Validate at boundaries |