Code Review Checklist

代码审查清单

Overview

概述

Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.

提供一份用于开展全面代码审查的系统化清单。本技能帮助审查人员确保代码质量、捕获bug、识别安全问题，并保持代码库的一致性。

When to Use This Skill

何时使用本技能

Use when reviewing pull requests
Use when conducting code audits
Use when establishing code review standards for a team
Use when training new developers on code review practices
Use when you want to ensure nothing is missed in reviews
Use when creating code review documentation

在审查拉取请求（PR）时使用
在开展代码审计时使用
在为团队建立代码审查标准时使用
在培训新开发人员掌握代码审查实践时使用
当你希望在审查中不遗漏任何内容时使用
在创建代码审查文档时使用

How It Works

工作流程

Step 1: Understand the Context

步骤1：理解上下文

Before reviewing code, I'll help you understand:

What problem does this code solve?
What are the requirements?
What files were changed and why?
Are there related issues or tickets?
What's the testing strategy?

在审查代码之前，我会帮助你理解：

这段代码要解决什么问题？
需求是什么？
哪些文件被修改了，原因是什么？
是否有相关的问题工单？
测试策略是什么？

Step 2: Review Functionality

步骤2：功能审查

Check if the code works correctly:

Does it solve the stated problem?
Are edge cases handled?
Is error handling appropriate?
Are there any logical errors?
Does it match the requirements?

检查代码是否能正常工作：

它是否解决了既定的问题？
是否处理了边缘情况？
错误处理是否恰当？
是否存在逻辑错误？
是否符合需求？

Step 3: Review Code Quality

步骤3：代码质量审查

Assess code maintainability:

Is the code readable and clear?
Are names descriptive?
Is it properly structured?
Are functions/methods focused?
Is there unnecessary complexity?

评估代码的可维护性：

代码是否易读、清晰？
命名是否具有描述性？
结构是否合理？
函数/方法是否职责单一？
是否存在不必要的复杂度？

Step 4: Review Security

步骤4：安全审查

Check for security issues:

Are inputs validated?
Is sensitive data protected?
Are there SQL injection risks?
Is authentication/authorization correct?
Are dependencies secure?

检查安全问题：

输入是否经过验证？
敏感数据是否受到保护？
是否存在SQL注入风险？
身份验证/授权是否正确？
依赖项是否安全？

Step 5: Review Performance

步骤5：性能审查

Look for performance issues:

Are there unnecessary loops?
Is database access optimized?
Are there memory leaks?
Is caching used appropriately?
Are there N+1 query problems?

查找性能问题：

是否存在不必要的循环？
数据库访问是否经过优化？
是否存在内存泄漏？
缓存是否得到恰当使用？
是否存在N+1查询问题？

Step 6: Review Tests

步骤6：测试审查

Verify test coverage:

Are there tests for new code?
Do tests cover edge cases?
Are tests meaningful?
Do all tests pass?
Is test coverage adequate?

验证测试覆盖率：

新代码是否有对应的测试？
测试是否覆盖了边缘情况？
测试是否有实际意义？
所有测试是否都能通过？
测试覆盖率是否足够？

Examples

示例

Example 1: Functionality Review Checklist

示例1：功能审查清单

markdown

undefined

markdown

undefined

Functionality Review

功能审查

Requirements

需求

Logic

逻辑

No logical errors or bugs
Conditions are correct (no off-by-one errors)
Loops terminate correctly
Recursion has proper base cases
State management is correct

Error Handling

错误处理

Errors are caught appropriately
Error messages are clear and helpful
Errors don't expose sensitive information
Failed operations are rolled back
Logging is appropriate

Example Issues to Catch:

需捕获的示例问题：

❌ Bad - Missing validation: ```javascript function createUser(email, password) { // No validation! return db.users.create({ email, password }); } ```

✅ Good - Proper validation: ```javascript function createUser(email, password) { if (!email || !isValidEmail(email)) { throw new Error('Invalid email address'); } if (!password || password.length < 8) { throw new Error('Password must be at least 8 characters'); } return db.users.create({ email, password }); } ```

undefined

❌ 不佳 - 缺少验证： ```javascript function createUser(email, password) { // No validation! return db.users.create({ email, password }); } ```

✅ 良好 - 恰当的验证： ```javascript function createUser(email, password) { if (!email || !isValidEmail(email)) { throw new Error('Invalid email address'); } if (!password || password.length < 8) { throw new Error('Password must be at least 8 characters'); } return db.users.create({ email, password }); } ```

undefined

Example 2: Security Review Checklist

示例2：安全审查清单

markdown

undefined

markdown

undefined

Security Review

安全审查

Input Validation

输入验证

All user inputs are validated
SQL injection is prevented (use parameterized queries)
XSS is prevented (escape output)
CSRF protection is in place
File uploads are validated (type, size, content)

所有用户输入已验证
防止SQL注入（使用参数化查询）
防止XSS（转义输出）
已部署CSRF防护
文件上传已验证（类型、大小、内容）

Authentication & Authorization

身份验证与授权

Authentication is required where needed
Authorization checks are present
Passwords are hashed (never stored plain text)
Sessions are managed securely
Tokens expire appropriately

Data Protection

数据保护

Sensitive data is encrypted
API keys are not hardcoded
Environment variables are used for secrets
Personal data follows privacy regulations
Database credentials are secure

Dependencies

依赖项

No known vulnerable dependencies
Dependencies are up to date
Unnecessary dependencies are removed
Dependency versions are pinned

无已知易受攻击的依赖项
依赖项已更新
移除了不必要的依赖项
依赖项版本已固定

Example Issues to Catch:

需捕获的示例问题：

❌ Bad - SQL injection risk: ```javascript const query = `SELECT * FROM users WHERE email = '${email}'`; db.query(query); ```

✅ Good - Parameterized query: ```javascript const query = 'SELECT * FROM users WHERE email = $1'; db.query(query, [email]); ```

❌ Bad - Hardcoded secret: ```javascript const API_KEY = 'sk_live_abc123xyz'; ```

✅ Good - Environment variable: ```javascript const API_KEY = process.env.API_KEY; if (!API_KEY) { throw new Error('API_KEY environment variable is required'); } ```

undefined

❌ 不佳 - SQL注入风险： ```javascript const query = `SELECT * FROM users WHERE email = '${email}'`; db.query(query); ```

✅ 良好 - 参数化查询： ```javascript const query = 'SELECT * FROM users WHERE email = $1'; db.query(query, [email]); ```

❌ 不佳 - 硬编码密钥： ```javascript const API_KEY = 'sk_live_abc123xyz'; ```

✅ 良好 - 环境变量： ```javascript const API_KEY = process.env.API_KEY; if (!API_KEY) { throw new Error('API_KEY environment variable is required'); } ```

undefined

Example 3: Code Quality Review Checklist

示例3：代码质量审查清单

markdown

undefined

markdown

undefined

Code Quality Review

代码质量审查

Readability

可读性

Code is easy to understand
Variable names are descriptive
Function names explain what they do
Complex logic has comments
Magic numbers are replaced with constants

Structure

结构

Functions are small and focused
Code follows DRY principle (Don't Repeat Yourself)
Proper separation of concerns
Consistent code style
No dead code or commented-out code

函数小巧且职责单一
代码遵循DRY原则（Don't Repeat Yourself）
恰当的关注点分离
一致的代码风格
无死代码或注释掉的代码

Maintainability

可维护性

Example Issues to Catch:

需捕获的示例问题：

❌ Bad - Unclear naming: ```javascript function calc(a, b, c) { return a * b + c; } ```

✅ Good - Descriptive naming: ```javascript function calculateTotalPrice(quantity, unitPrice, tax) { return quantity * unitPrice + tax; } ```

❌ Bad - Function doing too much: ```javascript function processOrder(order) { // Validate order if (!order.items) throw new Error('No items');

// Calculate total let total = 0; for (let item of order.items) { total += item.price * item.quantity; }

// Apply discount if (order.coupon) { total *= 0.9; }

// Process payment const payment = stripe.charge(total);

// Send email sendEmail(order.email, 'Order confirmed');

// Update inventory updateInventory(order.items);

return { orderId: order.id, total }; } ```

✅ Good - Separated concerns: ```javascript function processOrder(order) { validateOrder(order); const total = calculateOrderTotal(order); const payment = processPayment(total); sendOrderConfirmation(order.email); updateInventory(order.items);

return { orderId: order.id, total }; } ```

undefined

❌ 不佳 - 命名不清晰： ```javascript function calc(a, b, c) { return a * b + c; } ```

✅ 良好 - 描述性命名： ```javascript function calculateTotalPrice(quantity, unitPrice, tax) { return quantity * unitPrice + tax; } ```

❌ 不佳 - 函数职责过多： ```javascript function processOrder(order) { // Validate order if (!order.items) throw new Error('No items');

// Calculate total let total = 0; for (let item of order.items) { total += item.price * item.quantity; }

// Apply discount if (order.coupon) { total *= 0.9; }

// Process payment const payment = stripe.charge(total);

// Send email sendEmail(order.email, 'Order confirmed');

// Update inventory updateInventory(order.items);

return { orderId: order.id, total }; } ```

✅ 良好 - 关注点分离： ```javascript function processOrder(order) { validateOrder(order); const total = calculateOrderTotal(order); const payment = processPayment(total); sendOrderConfirmation(order.email); updateInventory(order.items);

return { orderId: order.id, total }; } ```

undefined

Best Practices

最佳实践

✅ Do This

✅ 建议做法

Review Small Changes - Smaller PRs are easier to review thoroughly
Check Tests First - Verify tests pass and cover new code
Run the Code - Test it locally when possible
Ask Questions - Don't assume, ask for clarification
Be Constructive - Suggest improvements, don't just criticize
Focus on Important Issues - Don't nitpick minor style issues
Use Automated Tools - Linters, formatters, security scanners
Review Documentation - Check if docs are updated
Consider Performance - Think about scale and efficiency
Check for Regressions - Ensure existing functionality still works

审查小改动 - 更小的PR更容易全面审查
先检查测试 - 验证测试通过且覆盖新代码
运行代码 - 尽可能在本地测试
提出问题 - 不要假设，请求澄清
保持建设性 - 建议改进，不要只批评
关注重要问题 - 不要纠结于次要的风格问题
使用自动化工具 - 代码检查器、格式化工具、安全扫描器
审查文档 - 检查文档是否更新
考虑性能 - 思考扩展性和效率
检查回归 - 确保现有功能仍能正常工作

❌ Don't Do This

❌ 避免做法

Don't Approve Without Reading - Actually review the code
Don't Be Vague - Provide specific feedback with examples
Don't Ignore Security - Security issues are critical
Don't Skip Tests - Untested code will cause problems
Don't Be Rude - Be respectful and professional
Don't Rubber Stamp - Every review should add value
Don't Review When Tired - You'll miss important issues
Don't Forget Context - Understand the bigger picture

不要未读就批准 - 实际去审查代码
不要模糊表述 - 提供带有示例的具体反馈
不要忽视安全 - 安全问题至关重要
不要跳过测试 - 未测试的代码会引发问题
不要粗鲁无礼 - 保持尊重和专业
不要敷衍批准 - 每次审查都应带来价值
不要在疲惫时审查 - 你会遗漏重要问题
不要忘记上下文 - 理解全局情况

Complete Review Checklist

完整审查清单

Pre-Review

审查前准备

Read the PR description and linked issues
Understand what problem is being solved
Check if tests pass in CI/CD
Pull the branch and run it locally

阅读PR描述和关联的问题
理解要解决的问题
检查CI/CD中的测试是否通过
拉取分支并在本地运行

Functionality

功能

Security

安全

No SQL injection vulnerabilities
No XSS vulnerabilities
Authentication/authorization is correct
Sensitive data is protected
No hardcoded secrets

Performance

性能

Code Quality

代码质量

Tests

测试

Documentation

文档

Code comments explain why, not what
API documentation is updated
README is updated if needed
Breaking changes are documented
Migration guide provided if needed

Git

Common Pitfalls

常见陷阱

Problem: Missing Edge Cases

问题：遗漏边缘情况

Symptoms: Code works for happy path but fails on edge cases Solution: Ask "What if...?" questions

What if the input is null?
What if the array is empty?
What if the user is not authenticated?
What if the network request fails?

症状： 代码在正常路径下工作，但在边缘情况中失败 解决方案： 提出“如果……会怎样？”的问题

如果输入为null会怎样？
如果数组为空会怎样？
如果用户未通过身份验证会怎样？
如果网络请求失败会怎样？

Problem: Security Vulnerabilities

问题：安全漏洞

Symptoms: Code exposes security risks Solution: Use security checklist

Run security scanners (npm audit, Snyk)
Check OWASP Top 10
Validate all inputs
Use parameterized queries
Never trust user input

症状： 代码存在安全风险 解决方案： 使用安全审查清单

运行安全扫描器（npm audit、Snyk）
检查OWASP Top 10
验证所有输入
使用参数化查询
永远不要信任用户输入

Problem: Poor Test Coverage

问题：测试覆盖率不足

Symptoms: New code has no tests or inadequate tests Solution: Require tests for all new code

Unit tests for functions
Integration tests for features
Edge case tests
Error case tests

症状： 新代码无测试或测试不充分 解决方案： 要求所有新代码都有测试

函数的单元测试
功能的集成测试
边缘情况测试
错误情况测试

Problem: Unclear Code

问题：代码不清晰

Symptoms: Reviewer can't understand what code does Solution: Request improvements

Better variable names
Explanatory comments
Smaller functions
Clear structure

症状： 审查人员无法理解代码的功能 解决方案： 请求改进

更清晰的变量名
解释性注释
更小巧的函数
清晰的结构

Review Comment Templates

审查评论模板

Requesting Changes

请求更改

markdown

**Issue:** [Describe the problem]

**Current code:**
\`\`\`javascript
// Show problematic code
\`\`\`

**Suggested fix:**
\`\`\`javascript
// Show improved code
\`\`\`

**Why:** [Explain why this is better]

markdown

**问题：** [描述问题]

**当前代码：**
\`\`\`javascript
// 展示有问题的代码
\`\`\`

**建议修复：**
\`\`\`javascript
// 展示改进后的代码
\`\`\`

**原因：** [解释为何这样更好]

Asking Questions

提出问题

markdown

**Question:** [Your question]

**Context:** [Why you're asking]

**Suggestion:** [If you have one]

markdown

**问题：** [你的问题]

**上下文：** [提问的原因]

**建议：** [如果有的话]

Praising Good Code

表扬优质代码

markdown

**Nice!** [What you liked]

This is great because [explain why]

markdown

**很棒！** [你喜欢的点]

这很棒，因为 [解释原因]

Related Skills

Additional Resources

额外资源

Pro Tip: Use a checklist template for every review to ensure consistency and thoroughness. Customize it for your team's specific needs!

专业提示： 为每次审查使用清单模板，以确保一致性和全面性。根据团队的具体需求进行定制！

code-review-checklist

Original

Translation

Code Review Checklist

代码审查清单

Overview

概述

When to Use This Skill

何时使用本技能

How It Works

工作流程

Step 1: Understand the Context

步骤1：理解上下文

Step 2: Review Functionality

步骤2：功能审查

Step 3: Review Code Quality

步骤3：代码质量审查

Step 4: Review Security

步骤4：安全审查

Step 5: Review Performance

步骤5：性能审查

Step 6: Review Tests

步骤6：测试审查

Examples

示例

Example 1: Functionality Review Checklist

示例1：功能审查清单

Functionality Review

功能审查

Requirements

需求

Logic

逻辑

Error Handling

错误处理

Example Issues to Catch:

需捕获的示例问题：

Example 2: Security Review Checklist

示例2：安全审查清单

Security Review

安全审查

Input Validation

输入验证

Authentication & Authorization

身份验证与授权

Data Protection

数据保护

Dependencies

依赖项

Example Issues to Catch:

需捕获的示例问题：

Example 3: Code Quality Review Checklist

示例3：代码质量审查清单

Code Quality Review

代码质量审查

Readability

可读性

Structure

结构

Maintainability

可维护性

Example Issues to Catch:

需捕获的示例问题：

Best Practices

最佳实践

✅ Do This

✅ 建议做法

❌ Don't Do This

❌ 避免做法

Complete Review Checklist

完整审查清单

Pre-Review

审查前准备

Functionality

功能

Security

安全

Performance

性能

Code Quality