# Code Review Skill

Perform comprehensive code reviews following industry best practices.

## 1. Security Review

Check for OWASP Top 10 vulnerabilities:

**SQL Injection:**
```bash
# Search for SQL injection risks: queries built by string concatenation (+) or formatting (%)
grep -r "execute.*+" . --include="*.py" --include="*.js" --include="*.php"
grep -r "query.*+" . --include="*.py" --include="*.js"
grep -r "SELECT.*%" . --include="*.py"
```

**XSS (Cross-Site Scripting):**
```bash
# Check for unescaped output
grep -r "innerHTML\s*=" . --include="*.js" --include="*.jsx"
grep -r "dangerouslySetInnerHTML" . --include="*.jsx" --include="*.tsx"
grep -r "render_template_string" . --include="*.py"
```

**Command Injection:**
```bash
# Check for command injection (-E is required for the | alternation)
grep -rE "exec|eval|system|shell_exec" . --include="*.py" --include="*.js" --include="*.php"
grep -rE "os\.system|subprocess\.call" . --include="*.py"
grep -r "child_process\.exec" . --include="*.js"
```

**Hardcoded Secrets:**
```bash
# Find potential secrets (the double quote inside the pattern must be escaped)
grep -rE "password\s*=\s*['\"]" . --include="*.py" --include="*.js" --include="*.java"
grep -rE "api_key\s*=\s*['\"]" . --include="*.py" --include="*.js"
grep -rE "secret\s*=\s*['\"]" . --include="*.py" --include="*.js"
grep -rE "Bearer\s+[A-Za-z0-9]" . --include="*.py" --include="*.js"
```

**Insecure Deserialization:**
```bash
# Check for insecure deserialization
grep -rE "pickle\.loads|yaml\.load|eval|exec" . --include="*.py"
grep -r "JSON\.parse.*localStorage" . --include="*.js"
grep -r "unserialize" . --include="*.php"
```
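
The hardcoded-secrets check above, carried out as a small script a reviewer can run as a gate (an added example, not part of the original skill): it applies the patterns with extended regexes and correct `--include` globs, then drops values read from the environment and obvious placeholders to reduce false positives. The key-name list, the placeholder filter and the sample files are assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not part of the skill itself): a hardcoded-secret scan that
# applies the grep patterns above with extended regexes and correct
# --include globs, then filters out values read from the environment and
# obvious placeholders to cut false positives. Sample files are constructed.
set -u

# Print "path:line:text" for each suspect assignment or bearer token.
scan_secrets() {
    local dir="$1"
    local kv="(password|passwd|api_key|apikey|secret|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"
    local bearer="Bearer[[:space:]]+[A-Za-z0-9._-]{16,}"
    grep -rEn --include='*.py' --include='*.js' --include='*.java' \
         -e "$kv" -e "$bearer" "$dir" \
        | grep -vE 'os\.environ|process\.env|getenv|CHANGEME|<[A-Z_]+>' \
        || true   # an empty result is not an error
}

# Number of hits, usable as a review gate (non-zero means "block and inspect").
count_secrets() {
    scan_secrets "$1" | wc -l | tr -d ' '
}

# Constructed sample tree; the credentials are fake.
make_sample() {
    local dir
    dir="$(mktemp -d)"
    mkdir -p "$dir/src"
    cat > "$dir/src/config.py" <<'EOF'
import os
password = "hunter2hunter2"          # hit: literal credential
api_key = os.environ.get("API_KEY")  # no hit: read from environment
EOF
    cat > "$dir/src/client.js" <<'EOF'
const token = process.env.TOKEN;                      // no hit
const headers = { Authorization: "Bearer abcdefghijklmnopqrstuvwxyz0123" }; // hit
const secret = "<SECRET_PLACEHOLDER>";                // no hit: placeholder
EOF
    printf 'password = "not-scanned-txt"\n' > "$dir/src/notes.txt"  # wrong extension, skipped
    echo "$dir"
}

SAMPLE_DIR="$(make_sample)"
scan_secrets "$SAMPLE_DIR"
echo "hits: $(count_secrets "$SAMPLE_DIR")"   # prints 2
rm -rf "$SAMPLE_DIR"
```

Extend the `-vE` filter with your project's own config-loading idioms before relying on the count; anything it lets through still needs a human look.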
## 2. Code Quality Review

**Complexity Analysis:**
```bash
# List function definitions with line numbers to spot long functions (potential complexity issues)
grep -rnE "def |function " . --include="*.py" --include="*.js"

# Find files with too many lines
find . -name "*.py" -o -name "*.js" | xargs wc -l | sort -rn | head -20
```

**Code Smells:**
```bash
# Find duplicate code patterns

# God classes (too many methods): definition count per file
grep -rcE "def |function " . --include="*.py" --include="*.js"

# Long parameter lists (five or more commas in the signature)
grep -r "def.*,.*,.*,.*,.*," . --include="*.py"
grep -r "function.*,.*,.*,.*,.*," . --include="*.js"

# Magic numbers
grep -rE "\s[0-9]{3,}" . --include="*.py" --include="*.js" | grep -v "test"
```

**Naming Conventions:**
```bash
# Check naming conventions

# Python: snake_case for functions (flag names starting with a capital)
grep -r "def [A-Z]" . --include="*.py"

# JavaScript: camelCase for functions (flag snake_case names)
grep -rE "function [a-z]+_" . --include="*.js"

# Constants should be UPPER_CASE (lower-case const declarations need a manual check;
# many are ordinary variables rather than constants)
grep -r "const [a-z]" . --include="*.js" --include="*.ts"
```
## 3. Best Practices Review

**Error Handling:**
```bash
# Find bare except clauses (Python)
grep -r "except:" . --include="*.py"

# Find empty catch blocks (JavaScript)
grep -rA2 "catch\s*(" . --include="*.js" | grep -A1 "{\s*}"

# Find TODO/FIXME comments
grep -rE "TODO|FIXME|HACK|XXX" . --include="*.py" --include="*.js" --include="*.java"
```

**Resource Management:**
```bash
# Find files opened without 'with' statement (Python)
grep -r "open(" . --include="*.py" | grep -v "with"

# Find potential memory leaks: listeners to check for a matching removeEventListener
grep -r "addEventListener" . --include="*.js" | grep -v "removeEventListener"
```

**Documentation:**
```bash
# Find functions without docstrings (Python): show the line after each def
grep -rA1 "def " . --include="*.py" | grep -v '"""' | grep -v "'''" | grep -v "#"

# Find exported functions without JSDoc (JavaScript): the line before each export
# should close a JSDoc block with */
grep -rB1 "export function" . --include="*.js"
```
## 4. Performance Review

**N+1 Query Problems:**
```bash
# Find potential N+1 queries: data access inside loops
grep -rE -A5 "for.*in|forEach" . --include="*.py" --include="*.js" | grep -E "query|find|get"
```

**Inefficient Algorithms:**
```bash
# Nested loops (potential O(n²))
grep -rE -A3 "for.*in" . --include="*.py" --include="*.js" | grep -E "for.*in"

# Multiple database calls in loops
grep -rE -A5 "for|while" . --include="*.py" --include="*.js" | grep -E "query|execute|find"
```

**Large File Operations:**
```bash
# Check for files read entirely into memory
grep -rE "read\(\)|readlines\(\)|readFile" . --include="*.py" --include="*.js"
```
## 5. Dependency Review

**Outdated Dependencies:**
```bash
# Check for outdated npm packages
npm outdated

# Check for Python package updates
pip list --outdated

# Security vulnerabilities
npm audit
pip-audit
```

**Unused Imports:**
```bash
# Python: list imported names for comparison against their usage
grep -rE "^import|^from" . --include="*.py" | cut -d: -f2 | sort | uniq

# JavaScript: list import statements for comparison against their usage
grep -r "^import" . --include="*.js" --include="*.jsx" | cut -d: -f2 | sort | uniq
```
## 6. Testing Coverage

**Missing Tests:**
```bash
# Find source files without corresponding test files
shopt -s globstar   # required for ** to recurse into subdirectories
for file in src/**/*.py; do
  testfile="tests/test_$(basename "$file")"
  [ ! -f "$testfile" ] && echo "Missing test: $testfile for $file"
done

# Find functions without tests: list the test names that exist
grep -r "def test_" tests/ | cut -d: -f2 | sort
```

**Test Quality:**
```bash
# Find tests without assertions
grep -r -A10 "def test_" . --include="test_*.py" | grep -v "assert"

# Find disabled tests
grep -rE "@skip|@unittest\.skip|test\.skip" . --include="*.py" --include="*.js"
```
## 7. Code Review Checklist

When reviewing code, check:

**Functionality:**
- Does the code do what it's supposed to do?
- Are edge cases handled?
- Is error handling appropriate?

**Security:**
- No SQL injection vulnerabilities
- No XSS vulnerabilities
- No hardcoded secrets
- Input validation present
- Output encoding applied

**Performance:**
- No N+1 query problems
- Efficient algorithms used
- Proper indexing on database queries
- No unnecessary loops or operations

**Maintainability:**
- Code is readable and well-organized
- Proper naming conventions
- Adequate comments and documentation
- Functions are small and focused
- DRY principle followed

**Testing:**
- Unit tests present
- Tests cover edge cases
- Tests are maintainable
- Good test coverage

**Dependencies:**
- No unnecessary dependencies
- Dependencies are up to date
- No known vulnerabilities
## 8. Automated Code Review Tools

**Python:**
```bash
# Linting
pylint src/
flake8 src/
black --check src/

# Security
bandit -r src/
safety check

# Complexity
radon cc src/ -a
radon mi src/
```

**JavaScript:**
```bash
# Linting
eslint .
prettier --check .

# Security
npm audit
snyk test

# Complexity
npx complexity-report src/
```

**Type Checking:**
```bash
# Python
mypy src/

# TypeScript
tsc --noEmit

# JavaScript (with JSDoc); the typescript package's executable is tsc
npx tsc --allowJs --checkJs --noEmit src/**/*.js
```
## 9. Review Report Format

Provide feedback in this structure:

```markdown
# Code Review Report

## Summary
- Files reviewed: X
- Critical issues: X
- Warnings: X
- Suggestions: X

## Critical Issues
- [File:Line] Security: SQL Injection risk in user input
- [File:Line] Security: Hardcoded API key

## Warnings
- [File:Line] Performance: N+1 query in loop
- [File:Line] Code Quality: Function too complex (CC: 15)

## Suggestions
- [File:Line] Consider extracting method for better readability
- [File:Line] Add error handling for edge case

## Positive Observations
- Good test coverage
- Well-documented functions
- Proper error handling
```
## 10. Common Review Patterns

**Python Specific:**
```bash
# Check for mutable default arguments
grep -r "def.*=\[\]" . --include="*.py"
grep -r "def.*={}" . --include="*.py"

# Check for string concatenation in loops
grep -r -A5 "for.*in" . --include="*.py" | grep "+="
```

**JavaScript Specific:**
```bash
# Check for var instead of let/const
grep -r "\svar\s" . --include="*.js"

# Check for == instead of ===
grep -rE "==|!=" . --include="*.js" | grep -v "===" | grep -v "!=="

# Check for missing 'use strict' in the first five lines of each file
shopt -s globstar
for f in src/**/*.js; do
  head -5 "$f" | grep -q "use strict" || echo "$f"
done
```
## When to Use This Skill

Use when:
- Reviewing pull requests
- Conducting security audits
- Checking code quality before deployment
- Onboarding new code into a project
- Performing pre-commit reviews
- Analyzing legacy code
- Preparing for code refactoring

The skill will analyze code and provide actionable feedback on security, quality, performance, and best practices.