代码审查清单：系统化代码审查指南，提升代码质量与安全性

code-review-checklist by sickn33/antigravity-awesome-skills

523 周安装量

27,400 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill code-review-checklist

质量管理开发代码规范

🇨🇳中文介绍

代码审查清单

概述

提供一个系统化的清单，用于进行彻底的代码审查。此技能帮助审查者确保代码质量、发现错误、识别安全问题，并保持整个代码库的一致性。

何时使用此技能

审查拉取请求时使用
进行代码审计时使用
为团队建立代码审查标准时使用
培训新开发者代码审查实践时使用
当你想确保审查中不遗漏任何内容时使用
创建代码审查文档时使用

工作原理

步骤 1：理解上下文

在审查代码之前，我将帮助你理解：

这段代码解决了什么问题？
需求是什么？
哪些文件被更改了，为什么？
是否有相关的问题或工单？
测试策略是什么？

步骤 2：审查功能

检查代码是否正确工作：

它是否解决了所述问题？
是否处理了边界情况？
错误处理是否恰当？
是否存在逻辑错误？
是否符合需求？

步骤 3：审查代码质量

评估代码的可维护性：

代码是否可读且清晰？
命名是否具有描述性？
结构是否合理？
函数/方法是否专注？
是否存在不必要的复杂性？

步骤 4：审查安全性

检查安全问题：

输入是否经过验证？
敏感数据是否受到保护？
是否存在 SQL 注入风险？
身份验证/授权是否正确？
依赖项是否安全？

步骤 5：审查性能

寻找性能问题：

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 6：审查测试

验证测试覆盖率：

新代码是否有测试？
测试是否覆盖边界情况？
测试是否有意义？
所有测试是否通过？
测试覆盖率是否足够？

示例 1：功能审查清单

## 功能审查

### 需求
- [ ] 代码解决了所述问题
- [ ] 所有验收标准都已满足
- [ ] 边界情况已处理
- [ ] 错误情况已处理
- [ ] 用户输入已验证

### 逻辑
- [ ] 无逻辑错误或缺陷
- [ ] 条件正确（无差一错误）
- [ ] 循环正确终止
- [ ] 递归有适当的基准情况
- [ ] 状态管理正确

### 错误处理
- [ ] 错误被适当地捕获
- [ ] 错误信息清晰且有用
- [ ] 错误不会暴露敏感信息
- [ ] 失败的操作已回滚
- [ ] 日志记录适当

### 要捕获的示例问题：

**❌ 不好 - 缺少验证：**
```javascript
function createUser(email, password) {
  // 没有验证！
  return db.users.create({ email, password });
}
```

**✅ 好 - 适当的验证：**
```javascript
function createUser(email, password) {
  if (!email || !isValidEmail(email)) {
    throw new Error('Invalid email address');
  }
  if (!password || password.length < 8) {
    throw new Error('Password must be at least 8 characters');
  }
  return db.users.create({ email, password });
}
```

示例 2：安全审查清单

## 安全审查

### 输入验证
- [ ] 所有用户输入都经过验证
- [ ] SQL 注入已预防（使用参数化查询）
- [ ] XSS 已预防（转义输出）
- [ ] CSRF 保护已就位
- [ ] 文件上传已验证（类型、大小、内容）

### 身份验证与授权
- [ ] 需要身份验证的地方已要求
- [ ] 授权检查存在
- [ ] 密码已哈希（绝不存储明文）
- [ ] 会话安全管理得当
- [ ] 令牌适时过期

### 数据保护
- [ ] 敏感数据已加密
- [ ] API 密钥未硬编码
- [ ] 环境变量用于存储密钥
- [ ] 个人数据遵循隐私法规
- [ ] 数据库凭据安全

### 依赖项
- [ ] 没有已知的易受攻击的依赖项
- [ ] 依赖项是最新的
- [ ] 不必要的依赖项已移除
- [ ] 依赖项版本已固定

### 要捕获的示例问题：

**❌ 不好 - SQL 注入风险：**
```javascript
const query = `SELECT * FROM users WHERE email = '${email}'`;
db.query(query);
```

**✅ 好 - 参数化查询：**
```javascript
const query = 'SELECT * FROM users WHERE email = $1';
db.query(query, [email]);
```

**❌ 不好 - 硬编码密钥：**
```javascript
const API_KEY = 'sk_live_abc123xyz';
```

**✅ 好 - 环境变量：**
```javascript
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY environment variable is required');
}
```

示例 3：代码质量审查清单

## 代码质量审查

### 可读性
- [ ] 代码易于理解
- [ ] 变量名具有描述性
- [ ] 函数名解释了其功能
- [ ] 复杂逻辑有注释
- [ ] 魔法数字已替换为常量

### 结构
- [ ] 函数小巧且专注
- [ ] 代码遵循 DRY 原则（不要重复自己）
- [ ] 关注点分离得当
- [ ] 代码风格一致
- [ ] 没有死代码或注释掉的代码

### 可维护性
- [ ] 代码是模块化的且可重用
- [ ] 依赖项最少
- [ ] 更改向后兼容
- [ ] 破坏性更改已记录
- [ ] 技术债务已注明

### 要捕获的示例问题：

**❌ 不好 - 命名不清晰：**
```javascript
function calc(a, b, c) {
  return a * b + c;
}
```

**✅ 好 - 描述性命名：**
```javascript
function calculateTotalPrice(quantity, unitPrice, tax) {
  return quantity * unitPrice + tax;
}
```

**❌ 不好 - 函数做太多事情：**
```javascript
function processOrder(order) {
  // 验证订单
  if (!order.items) throw new Error('No items');

  // 计算总额
  let total = 0;
  for (let item of order.items) {
    total += item.price * item.quantity;
  }

  // 应用折扣
  if (order.coupon) {
    total *= 0.9;
  }

  // 处理支付
  const payment = stripe.charge(total);

  // 发送邮件
  sendEmail(order.email, 'Order confirmed');

  // 更新库存
  updateInventory(order.items);

  return { orderId: order.id, total };
}
```

**✅ 好 - 关注点分离：**
```javascript
function processOrder(order) {
  validateOrder(order);
  const total = calculateOrderTotal(order);
  const payment = processPayment(total);
  sendOrderConfirmation(order.email);
  updateInventory(order.items);

  return { orderId: order.id, total };
}
```

审查小改动 - 较小的 PR 更容易彻底审查
先检查测试 - 验证测试通过并覆盖了新代码
运行代码 - 尽可能在本地测试
提问 - 不要假设，请求澄清
具有建设性 - 提出改进建议，不要只是批评
关注重要问题 - 不要吹毛求疵于次要的风格问题
使用自动化工具 - 代码检查器、格式化器、安全扫描器
审查文档 - 检查文档是否已更新
考虑性能 - 考虑规模和效率
检查回归 - 确保现有功能仍然有效

❌ 不应该这样做

不要不阅读就批准 - 实际审查代码
不要含糊其辞 - 提供带有示例的具体反馈
不要忽视安全 - 安全问题是关键
不要跳过测试 - 未经测试的代码会导致问题
不要粗鲁 - 保持尊重和专业
不要橡皮图章 - 每次审查都应增加价值
不要在疲劳时审查 - 你会遗漏重要问题
不要忘记上下文 - 理解大局

阅读 PR 描述和相关联的问题
理解正在解决的问题
检查 CI/CD 中的测试是否通过
拉取分支并在本地运行

代码解决了所述问题
边界情况已处理
错误处理恰当
用户输入已验证
无逻辑错误

无 SQL 注入漏洞
无 XSS 漏洞
身份验证/授权正确
敏感数据受到保护
无硬编码的密钥

没有不必要的数据库查询
无 N+1 查询问题
使用了高效的算法
无内存泄漏
缓存使用恰当

代码可读且清晰
命名具有描述性
函数专注且小巧
无代码重复
遵循项目约定

新代码有测试
测试覆盖边界情况
测试有意义
所有测试通过
测试覆盖率足够

代码注释解释原因，而非内容
API 文档已更新
如果需要，README 已更新
破坏性更改已记录
如果需要，提供了迁移指南

提交信息清晰
无合并冲突
分支与主分支保持同步
没有不必要的文件被提交
.gitignore 配置正确

问题：遗漏边界情况

症状： 代码在正常路径下工作，但在边界情况下失败 解决方案： 提出"如果...会怎样？"的问题

如果输入是 null 会怎样？
如果数组为空会怎样？
如果用户未通过身份验证会怎样？
如果网络请求失败会怎样？

问题：安全漏洞

症状： 代码暴露安全风险 解决方案： 使用安全清单

运行安全扫描器（npm audit, Snyk）
检查 OWASP Top 10
验证所有输入
使用参数化查询
永远不要信任用户输入

问题：测试覆盖率差

症状： 新代码没有测试或测试不足 解决方案： 要求所有新代码都有测试

函数的单元测试
功能的集成测试
边界情况测试
错误情况测试

问题：代码不清晰

症状： 审查者无法理解代码的作用 解决方案： 请求改进

更好的变量名
解释性注释
更小的函数
清晰的结构

**问题：** [描述问题]

**当前代码：**
```javascript
// 显示有问题的代码
```

**建议的修复：**
```javascript
// 显示改进后的代码
```

**原因：** [解释为什么这样更好]

**问题：** [你的问题]

**上下文：** [你为什么提问]

**建议：** [如果你有的话]

**很好！** [你喜欢的地方]

这很棒，因为 [解释原因]

@requesting-code-review - 准备代码以供审查
@receiving-code-review - 处理审查反馈
@systematic-debugging - 调试审查中发现的问题
@test-driven-development - 确保代码有测试

专业提示： 为每次审查使用清单模板，以确保一致性和彻底性。根据你团队的具体需求进行定制！

🇺🇸English

Code Review Checklist

Overview

Provide a systematic checklist for conducting thorough code reviews. This skill helps reviewers ensure code quality, catch bugs, identify security issues, and maintain consistency across the codebase.

When to Use This Skill

Use when reviewing pull requests
Use when conducting code audits
Use when establishing code review standards for a team
Use when training new developers on code review practices
Use when you want to ensure nothing is missed in reviews
Use when creating code review documentation

How It Works

Step 1: Understand the Context

Before reviewing code, I'll help you understand:

What problem does this code solve?
What are the requirements?
What files were changed and why?
Are there related issues or tickets?
What's the testing strategy?

Step 2: Review Functionality

Check if the code works correctly:

Does it solve the stated problem?
Are edge cases handled?
Is error handling appropriate?
Are there any logical errors?
Does it match the requirements?

Step 3: Review Code Quality

Assess code maintainability:

Is the code readable and clear?
Are names descriptive?
Is it properly structured?
Are functions/methods focused?
Is there unnecessary complexity?

Step 4: Review Security

Check for security issues:

Are inputs validated?
Is sensitive data protected?
Are there SQL injection risks?
Is authentication/authorization correct?
Are dependencies secure?

Step 5: Review Performance

Look for performance issues:

Are there unnecessary loops?
Is database access optimized?
Are there memory leaks?
Is caching used appropriately?
Are there N+1 query problems?

Step 6: Review Tests

Verify test coverage:

Are there tests for new code?
Do tests cover edge cases?
Are tests meaningful?
Do all tests pass?
Is test coverage adequate?

Examples

Example 1: Functionality Review Checklist

## Functionality Review

### Requirements
- [ ] Code solves the stated problem
- [ ] All acceptance criteria are met
- [ ] Edge cases are handled
- [ ] Error cases are handled
- [ ] User input is validated

### Logic
- [ ] No logical errors or bugs
- [ ] Conditions are correct (no off-by-one errors)
- [ ] Loops terminate correctly
- [ ] Recursion has proper base cases
- [ ] State management is correct

### Error Handling
- [ ] Errors are caught appropriately
- [ ] Error messages are clear and helpful
- [ ] Errors don't expose sensitive information
- [ ] Failed operations are rolled back
- [ ] Logging is appropriate

### Example Issues to Catch:

**❌ Bad - Missing validation:**
\`\`\`javascript
function createUser(email, password) {
  // No validation!
  return db.users.create({ email, password });
}
\`\`\`

**✅ Good - Proper validation:**
\`\`\`javascript
function createUser(email, password) {
  if (!email || !isValidEmail(email)) {
    throw new Error('Invalid email address');
  }
  if (!password || password.length < 8) {
    throw new Error('Password must be at least 8 characters');
  }
  return db.users.create({ email, password });
}
\`\`\`

Example 2: Security Review Checklist

## Security Review

### Input Validation
- [ ] All user inputs are validated
- [ ] SQL injection is prevented (use parameterized queries)
- [ ] XSS is prevented (escape output)
- [ ] CSRF protection is in place
- [ ] File uploads are validated (type, size, content)

### Authentication & Authorization
- [ ] Authentication is required where needed
- [ ] Authorization checks are present
- [ ] Passwords are hashed (never stored plain text)
- [ ] Sessions are managed securely
- [ ] Tokens expire appropriately

### Data Protection
- [ ] Sensitive data is encrypted
- [ ] API keys are not hardcoded
- [ ] Environment variables are used for secrets
- [ ] Personal data follows privacy regulations
- [ ] Database credentials are secure

### Dependencies
- [ ] No known vulnerable dependencies
- [ ] Dependencies are up to date
- [ ] Unnecessary dependencies are removed
- [ ] Dependency versions are pinned

### Example Issues to Catch:

**❌ Bad - SQL injection risk:**
\`\`\`javascript
const query = \`SELECT * FROM users WHERE email = '\${email}'\`;
db.query(query);
\`\`\`

**✅ Good - Parameterized query:**
\`\`\`javascript
const query = 'SELECT * FROM users WHERE email = $1';
db.query(query, [email]);
\`\`\`

**❌ Bad - Hardcoded secret:**
\`\`\`javascript
const API_KEY = 'sk_live_abc123xyz';
\`\`\`

**✅ Good - Environment variable:**
\`\`\`javascript
const API_KEY = process.env.API_KEY;
if (!API_KEY) {
  throw new Error('API_KEY environment variable is required');
}
\`\`\`

Example 3: Code Quality Review Checklist

## Code Quality Review

### Readability
- [ ] Code is easy to understand
- [ ] Variable names are descriptive
- [ ] Function names explain what they do
- [ ] Complex logic has comments
- [ ] Magic numbers are replaced with constants

### Structure
- [ ] Functions are small and focused
- [ ] Code follows DRY principle (Don't Repeat Yourself)
- [ ] Proper separation of concerns
- [ ] Consistent code style
- [ ] No dead code or commented-out code

### Maintainability
- [ ] Code is modular and reusable
- [ ] Dependencies are minimal
- [ ] Changes are backwards compatible
- [ ] Breaking changes are documented
- [ ] Technical debt is noted

### Example Issues to Catch:

**❌ Bad - Unclear naming:**
\`\`\`javascript
function calc(a, b, c) {
  return a * b + c;
}
\`\`\`

**✅ Good - Descriptive naming:**
\`\`\`javascript
function calculateTotalPrice(quantity, unitPrice, tax) {
  return quantity * unitPrice + tax;
}
\`\`\`

**❌ Bad - Function doing too much:**
\`\`\`javascript
function processOrder(order) {
  // Validate order
  if (!order.items) throw new Error('No items');
  
  // Calculate total
  let total = 0;
  for (let item of order.items) {
    total += item.price * item.quantity;
  }
  
  // Apply discount
  if (order.coupon) {
    total *= 0.9;
  }
  
  // Process payment
  const payment = stripe.charge(total);
  
  // Send email
  sendEmail(order.email, 'Order confirmed');
  
  // Update inventory
  updateInventory(order.items);
  
  return { orderId: order.id, total };
}
\`\`\`

**✅ Good - Separated concerns:**
\`\`\`javascript
function processOrder(order) {
  validateOrder(order);
  const total = calculateOrderTotal(order);
  const payment = processPayment(total);
  sendOrderConfirmation(order.email);
  updateInventory(order.items);
  
  return { orderId: order.id, total };
}
\`\`\`

Best Practices

✅ Do This

Review Small Changes - Smaller PRs are easier to review thoroughly
Check Tests First - Verify tests pass and cover new code
Run the Code - Test it locally when possible
Ask Questions - Don't assume, ask for clarification
Be Constructive - Suggest improvements, don't just criticize
Focus on Important Issues - Don't nitpick minor style issues
Use Automated Tools - Linters, formatters, security scanners
Review Documentation - Check if docs are updated
Consider Performance - Think about scale and efficiency
Check for Regressions - Ensure existing functionality still works

❌ Don't Do This

Don't Approve Without Reading - Actually review the code
Don't Be Vague - Provide specific feedback with examples
Don't Ignore Security - Security issues are critical
Don't Skip Tests - Untested code will cause problems
Don't Be Rude - Be respectful and professional
Don't Rubber Stamp - Every review should add value
Don't Review When Tired - You'll miss important issues
Don't Forget Context - Understand the bigger picture

Complete Review Checklist

Pre-Review

Read the PR description and linked issues
Understand what problem is being solved
Check if tests pass in CI/CD
Pull the branch and run it locally

Functionality

Code solves the stated problem
Edge cases are handled
Error handling is appropriate
User input is validated
No logical errors

Security

No SQL injection vulnerabilities
No XSS vulnerabilities
Authentication/authorization is correct
Sensitive data is protected
No hardcoded secrets

Performance

No unnecessary database queries
No N+1 query problems
Efficient algorithms used
No memory leaks
Caching used appropriately

Code Quality

Code is readable and clear
Names are descriptive
Functions are focused and small
No code duplication
Follows project conventions

Tests

New code has tests
Tests cover edge cases
Tests are meaningful
All tests pass
Test coverage is adequate

Documentation

Code comments explain why, not what
API documentation is updated
README is updated if needed
Breaking changes are documented
Migration guide provided if needed

Git

Commit messages are clear
No merge conflicts
Branch is up to date with main
No unnecessary files committed
.gitignore is properly configured

Common Pitfalls

Problem: Missing Edge Cases

Symptoms: Code works for happy path but fails on edge cases Solution: Ask "What if...?" questions

What if the input is null?
What if the array is empty?
What if the user is not authenticated?
What if the network request fails?

Problem: Security Vulnerabilities

Symptoms: Code exposes security risks Solution: Use security checklist

Run security scanners (npm audit, Snyk)
Check OWASP Top 10
Validate all inputs
Use parameterized queries
Never trust user input

Problem: Poor Test Coverage

Symptoms: New code has no tests or inadequate tests Solution: Require tests for all new code

Unit tests for functions
Integration tests for features
Edge case tests
Error case tests

Problem: Unclear Code

Symptoms: Reviewer can't understand what code does Solution: Request improvements

Better variable names
Explanatory comments
Smaller functions
Clear structure

Review Comment Templates

Requesting Changes

**Issue:** [Describe the problem]

**Current code:**
\`\`\`javascript
// Show problematic code
\`\`\`

**Suggested fix:**
\`\`\`javascript
// Show improved code
\`\`\`

**Why:** [Explain why this is better]

Asking Questions

**Question:** [Your question]

**Context:** [Why you're asking]

**Suggestion:** [If you have one]

Praising Good Code

**Nice!** [What you liked]

This is great because [explain why]

Related Skills

@requesting-code-review - Prepare code for review
@receiving-code-review - Handle review feedback
@systematic-debugging - Debug issues found in review
@test-driven-development - Ensure code has tests

Additional Resources

Pro Tip: Use a checklist template for every review to ensure consistency and thoroughness. Customize it for your team's specific needs!

Weekly Installs

523

Repository

sickn33/antigra…e-skills

GitHub Stars

27.4K

First Seen

Jan 20, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

opencode419

gemini-cli399

claude-code395

codex367

cursor356

github-copilot333

React 组合模式指南：Vercel 组件架构最佳实践，提升代码可维护性

103,800 周安装