>_
Marketplace

code-review

Comprehensive code review knowledge including security, performance, accessibility, and quality standards across multiple languages and frameworks

$ Installieren

git clone https://github.com/Lobbi-Docs/claude /tmp/claude && cp -r /tmp/claude/plugins/jira-orchestrator/skills/code-review ~/.claude/skills/claude

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: code-review description: Comprehensive code review knowledge including security, performance, accessibility, and quality standards across multiple languages and frameworks trigger_phrases: [review code, check changes, analyze PR, code quality, security review] categories: [review, quality, security, performance, accessibility, testing] version: 1.0.0 last_updated: 2025-12-17

Code Review Skill

Systematic code review patterns covering security, performance, accessibility, quality, and testing across languages and frameworks.

Security Review

Critical Checks:

  • Authentication tokens validated; authorization on sensitive ops
  • Session management secure (httpOnly, secure, sameSite)
  • No hardcoded credentials/API keys
  • Proper RBAC implementation
  • JWT tokens with proper algorithms (not 'none')
  • Password hashing: bcrypt/argon2 (not MD5/SHA1)

Input Validation:

  • User inputs sanitized
  • SQL injection prevention (parameterized queries)
  • XSS prevention (escaping/sanitization)
  • CSRF tokens on state-changing ops
  • File upload validation (type, size, content)
  • JSON/XML size limits
  • URL validation for redirects

Data Protection:

  • Sensitive data encrypted at rest
  • TLS/HTTPS for transit
  • No sensitive data in logs
  • PII handling regulation-compliant
  • Secure random (crypto.randomBytes)
  • Secrets in env vars or secret managers
  • Encrypted database connections

OWASP Top 10: No injection, broken auth, data exposure, XXE, broken access control, misconfiguration, XSS, insecure deserialization, vulnerable components, insufficient logging

Performance Review

Database & Queries:

  • N+1 queries identified and fixed
  • Proper indexing on WHERE/JOIN columns
  • Query result sets limited (pagination)
  • Connection pooling implemented
  • Expensive queries cached
  • Batch operations instead of loops

Frontend Performance:

  • Code splitting for large bundles
  • Lazy loading routes/components
  • Images optimized and lazy loaded
  • CSS/JS minified and compressed
  • Memoization for expensive computations
  • Virtual scrolling for long lists

API & Network:

  • API responses paginated
  • GraphQL queries optimized (no over-fetching)
  • Response compression (gzip/brotli)
  • CDN for static assets
  • HTTP/2 or HTTP/3
  • Proper caching headers
  • Rate limiting implemented

Memory Management:

  • Event listeners removed
  • No memory leaks (closures, timers)
  • Large objects disposed
  • File streams closed
  • WeakMap/WeakSet for caching

Accessibility Review (WCAG 2.1 AA)

Semantic HTML:

  • Proper heading hierarchy (h1, h2, h3)
  • Semantic elements (nav, main, article, aside)
  • Form labels properly associated
  • Button vs link used correctly
  • Tables with proper headers

Keyboard Navigation:

  • All interactive elements accessible
  • Logical tab order
  • Focus indicators visible
  • No keyboard traps
  • Skip links for navigation

Screen Reader Support:

  • All images have alt text
  • ARIA labels where needed
  • Live regions for dynamic content
  • Hidden content marked properly

Color & Contrast:

  • Text contrast >= 4.5:1 (normal)
  • Text contrast >= 3:1 (large)
  • Info not conveyed by color alone

Forms:

  • Error messages associated with fields
  • Required fields clearly marked
  • Validation accessible
  • Autocomplete attributes set

Code Quality Standards

Readability:

  • Descriptive variable/function names
  • Functions < 50 lines
  • Consistent naming (camelCase, PascalCase)
  • No magic numbers
  • Proper indentation

Maintainability:

  • DRY principle followed
  • SOLID principles applied
  • Low coupling, high cohesion
  • Proper separation of concerns
  • Configuration externalized
  • Feature flags for gradual rollout

Error Handling:

  • All errors caught and handled
  • User-friendly messages
  • Errors logged with context
  • Graceful degradation
  • Retry logic for transient failures
  • Circuit breakers for external services

Comments:

  • Complex logic explained
  • Why, not what (code self-explanatory)
  • TODO/FIXME with issue tracking
  • JSDoc/TSDoc for public APIs
  • No commented-out code

Testing Requirements

Unit Tests:

  • All business logic tested
  • Edge cases covered
  • Error conditions tested
  • Mocks for external dependencies
  • Test coverage >= 80%
  • Deterministic tests (no flaky)

Integration Tests:

  • API endpoints tested
  • Database operations tested
  • External integrations tested
  • Auth flows tested

E2E Tests:

  • Critical user flows covered
  • Happy paths tested
  • Error scenarios tested

Test Quality:

  • Readable and maintainable
  • AAA pattern (Arrange, Act, Assert)
  • Meaningful descriptions
  • No interdependencies
  • Fast execution (< 10s unit tests)

Language-Specific Patterns

TypeScript/JavaScript

Type Safety:

  • No any types (use unknown if needed)
  • Strict mode enabled
  • Union types over enums
  • Proper generic constraints
  • Type guards for narrowing

Modern Patterns:

  • Destructuring and defaults
  • Optional chaining (?.) and nullish coalescing (??)
  • Async/await over promise chains
  • Arrow functions for callbacks

React Components

Best Practices:

  • Functional components with hooks
  • Props properly typed
  • Minimal, localized state
  • Effect dependencies correct
  • No inline function definitions
  • Keys correct in lists
  • useCallback/useMemo for optimization

Node.js

Server Setup:

  • Error handling middleware
  • Request validation
  • Rate limiting
  • Helmet for security headers
  • CORS configured
  • Graceful shutdown handling

Python

Best Practices:

  • Type hints on functions
  • PEP 8 compliance
  • Context managers for resources
  • List comprehensions over loops
  • Dataclasses for data structures

SQL

Best Practices:

  • Parameterized queries only
  • Indexes on WHERE/JOIN columns
  • LIMIT on large queries
  • Transactions for consistency
  • Specify columns (no SELECT *)

Review Process

File Change Analysis:

  • High risk: auth, migrations, security config, payments, encryption
  • Medium risk: business logic, API, queries, integrations
  • Low risk: UI, tests, docs

Impact Assessment:

  • Blast radius of change
  • Backward compatibility
  • Database migrations needed
  • User impact
  • Performance implications
  • Security implications

Approval Criteria:

  • No critical security issues
  • Tests passing
  • Code coverage maintained/improved
  • Documentation updated
  • No performance regressions
  • Accessibility requirements met
  • Code follows style guide
  • Changes backward compatible (or migration plan exists)

Request Changes for:

  • Critical security vulnerabilities
  • Failing tests
  • Missing test coverage
  • Breaking changes without migration
  • Performance regressions
  • Accessibility violations

Common Issues Reference

Security: Hardcoded secrets, SQL injection, missing auth, weak random generation, PII in logs, missing CSRF

Performance: N+1 queries, missing indexes, unnecessary re-renders, large bundles, sync blocking ops, memory leaks

Code Smells: Functions > 50 lines, nesting > 3 levels, duplication, magic numbers, poor naming, god objects

Missing Error Handling: Unhandled rejections, missing try/catch, no input validation, silent failures, generic messages

Incomplete Tests: Missing edge cases, no error tests, flaky tests, no integration tests, no accessibility tests

Review Workflow

  1. Initial Scan (2 min): PR description, file changes, high-risk files
  2. Deep Dive (15-30 min): Review each file, apply checklists, note issues
  3. Testing Verification (5 min): Check coverage, test quality
  4. Documentation Check (3 min): Updated docs, breaking changes
  5. Feedback Generation (5 min): Organize by severity, code suggestions
  6. Decision (1 min): Approve, request changes, or comment

Tools Integration

Automated Checks:

  • ESLint/Prettier: Code style
  • SonarQube: Quality metrics
  • Snyk/Dependabot: Security vulnerabilities
  • Jest/Vitest: Test coverage
  • Lighthouse: Performance/accessibility
  • TypeScript: Type safety

Manual Review Focus:

  • Business logic correctness
  • Architecture decisions
  • Security implications
  • UX impact
  • Maintainability

Best Practices Summary

  1. Security first
  2. Performance matters
  3. Accessibility is non-negotiable
  4. Quality over speed
  5. Constructive feedback
  6. Continuous improvement

Repository

Lobbi-Docs
Lobbi-Docs
Author
Lobbi-Docs/claude/plugins/jira-orchestrator/skills/code-review
0
Stars
0
Forks
Updated1d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-writer
pytorch/pytorch
95.4k
docstring
pytorch/pytorch
95.4k
at-dispatch-v2
pytorch/pytorch
95.4k
skill-creator
openai/codex
54.7k
skill-installer
openai/codex
54.7k