Code Auditing Skill
Comprehensive methodology for systematic code quality audits.
When to Use
- •Comprehensive code quality audits
- •Security vulnerability assessments
- •Technical debt identification
- •Pre-release code reviews
- •Best practices verification
- •Library and dependency audits
Audit Phases
Phase 0: Pre-Analysis Setup
- •Check for project configuration files (package.json, tsconfig.json, etc.)
- •Identify tech stack and main libraries
- •Check for linting/formatting configs
- •Run existing linting/testing commands as baseline
- •Load documentation for identified core libraries
Phase 1: Discovery
- •Find all code files by type
- •Create tracking list for each file
- •Group files by module/feature for contextual analysis
Phase 2: File-by-File Analysis
For each file, analyze for:
- •Dead code (unused functions, variables, imports)
- •Code smells and anti-patterns
- •Custom implementations that could use established libraries
- •Security vulnerabilities
- •Performance issues
- •Outdated patterns or deprecated APIs
- •Missing error handling
- •Overly complex functions
- •Duplicate code
Phase 3: Best Practices Verification
For every library and framework:
- •Retrieve official documentation
- •Compare implementation against official patterns
- •Identify deviations from recommendations
- •Note outdated usage patterns
- •Flag discouraged anti-patterns
Phase 4: Pattern Detection
Look for recurring issues:
- •Common anti-patterns across files
- •Duplicated logic that could be abstracted
- •Inconsistent coding styles
- •Missing error handling patterns
Phase 5: Library Recommendations
For custom implementations:
- •Check if current libraries provide the functionality
- •Search for mature ecosystem packages
- •Verify library health (commits, issues, activity)
- •Check compatibility with project setup
Phase 6: Comprehensive Report
Generate detailed report with:
- •Executive summary
- •Critical issues requiring immediate attention
- •File-by-file findings
- •Prioritized action plan
- •Effort estimates
- •Library recommendations
Issue Priority Levels
- •Critical - Security vulnerabilities, broken functionality
- •High Priority - Performance bottlenecks, unmaintainable code
- •Medium Priority - Code quality, best practices deviations
- •Low Priority - Style, minor improvements
- •Quick Wins - Less than 30 minutes to fix
Analysis Categories
Security
- •Hardcoded secrets
- •SQL injection risks
- •XSS vulnerabilities
- •Missing input validation
- •Exposed sensitive data
Performance
- •Inefficient algorithms
- •Blocking operations
- •Memory leaks
- •Missing caching opportunities
- •N+1 query patterns
TypeScript/Type Safety
- •Missing type annotations
- •Use of
anytype - •Custom types duplicating official types
- •Missing @types packages
Async/Promise Issues
- •Missing await keywords
- •Unhandled promise rejections
- •Callback hell
Dead Code
- •Unused imports and exports
- •Unused functions, classes, and methods
- •Unused variables and types
- •Unreachable code blocks
- •Unused files (not imported anywhere)
- •Unused dependencies
Tools:
- •JavaScript/TypeScript:
npx knip --reporter json - •Python:
deadcode . --dry
Important: Always verify tool findings before reporting. Check for:
- •Dynamic imports (
import(variable)) - •Framework patterns (React components, decorators)
- •Re-exports for public API
- •Entry points (CLI scripts, serverless handlers)
Resources
See the reference documents for complete methodologies:
- •
references/audit-methodology.md- Full 6-phase audit process with detailed checklists - •
references/dead-code-methodology.md- Dead code detection tools, verification, and cleanup workflows
Quick Reference
Before Starting
- • Read project configuration files
- • Identify tech stack and libraries
- • Run existing linters as baseline
- • Create file tracking list
During Audit
- • Mark files as in-progress
- • Analyze each category systematically
- • Note specific line numbers
- • Document before/after examples
- • Mark files as completed
After Audit
- • Categorize all findings by priority
- • Generate comprehensive report
- • Save report to project root
- • Provide brief console summary