software-code-review
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCode Reviewing Skill — Quick Reference
代码审查技能——快速参考
This skill provides operational checklists and prompts for structured code review across languages and stacks. Use it when the primary task is reviewing existing code rather than designing new systems.
本技能提供跨语言和技术栈的结构化代码审查操作清单与提示。当主要任务是审查现有代码而非设计新系统时使用。
Quick Reference
快速参考
| Review Type | Focus Areas | Key Checklist | When to Use |
|---|---|---|---|
| Security Review | Auth, input validation, secrets, OWASP Top 10 | software-security-appsec | Security-critical code, API endpoints |
| Supply Chain Review | Dependencies, lockfiles, licenses, SBOM, CI policies | dev-dependency-management | Dependency bumps, build/CI changes |
| Performance Review | N+1 queries, algorithms, caching, hot paths | DB queries, loops, memory allocation | High-traffic features, bottlenecks |
| Correctness Review | Logic, edge cases, error handling, tests | Boundary conditions, null checks, retries | Business logic, data transformations |
| Maintainability Review | Naming, complexity, duplication, readability | Function length, naming clarity, DRY | Complex modules, shared code |
| Test Review | Coverage, edge cases, flakiness, assertions | Test quality, missing scenarios | New features, refactors |
| Frontend Review | Accessibility, responsive design, performance | frontend-review.md | UI/UX changes |
| Backend Review | API design, error handling, database patterns | api-review.md | API endpoints, services |
| Blockchain Review | Reentrancy, access control, gas optimization | crypto-review.md | Smart contracts, DeFi protocols |
| 审查类型 | 关注领域 | 核心检查清单 | 使用场景 |
|---|---|---|---|
| 安全审查 | 认证、输入验证、密钥、OWASP Top 10 | software-security-appsec | 安全关键代码、API端点 |
| 供应链审查 | 依赖项、锁定文件、许可证、SBOM、CI策略 | dev-dependency-management | 依赖项版本升级、构建/CI变更 |
| 性能审查 | N+1查询、算法、缓存、热点路径 | 数据库查询、循环、内存分配 | 高流量功能、性能瓶颈 |
| 正确性审查 | 逻辑、边界情况、错误处理、测试 | 边界条件、空值检查、重试机制 | 业务逻辑、数据转换 |
| 可维护性审查 | 命名、复杂度、重复代码、可读性 | 函数长度、命名清晰度、DRY原则 | 复杂模块、共享代码 |
| 测试审查 | 覆盖率、边界情况、不稳定测试、断言 | 测试质量、缺失场景 | 新功能、重构 |
| 前端审查 | 可访问性、响应式设计、性能 | frontend-review.md | UI/UX变更 |
| 后端审查 | API设计、错误处理、数据库模式 | api-review.md | API端点、服务 |
| 区块链审查 | 重入攻击、访问控制、Gas优化 | crypto-review.md | 智能合约、DeFi协议 |
Specialized: .NET/EF Core Crypto Integration
专项:.NET/EF Core加密集成
Skip unless reviewing C#/.NET crypto/fintech services using Entity Framework Core.
For C#/.NET crypto/fintech services using Entity Framework Core, see:
- references/dotnet-efcore-crypto-rules.md — Complete review rules (correctness, security, async, EF Core, tests, MRs)
Key rules summary:
- Review only new/modified code in the MR
- Use for financial values, UTC for dates
decimal - Follow (no secrets in code) and
CC-SEC-03(no sensitive data in logs)CC-OBS-02 - Async for I/O, pass , avoid
CancellationToken/.Result(see.Wait(),CC-ERR-04)CC-FLOW-03 - EF Core: for reads, avoid N+1, no dynamic SQL
AsNoTracking - pattern for explicit success/fail
Result<T>
仅在审查使用Entity Framework Core的C#/.NET加密/金融科技服务时使用。
对于使用Entity Framework Core的C#/.NET加密/金融科技服务,请参考:
- references/dotnet-efcore-crypto-rules.md — 完整审查规则(正确性、安全性、异步、EF Core、测试、MR)
核心规则摘要:
- 仅审查MR中的新增/修改代码
- 财务数值使用类型,日期使用UTC格式
decimal - 遵循(代码中不包含密钥)和
CC-SEC-03(日志中不包含敏感数据)CC-OBS-02 - I/O操作使用异步,传递,避免使用
CancellationToken/.Result(参见.Wait()、CC-ERR-04)CC-FLOW-03 - EF Core:读取操作使用,避免N+1查询,禁止动态SQL
AsNoTracking - 使用模式明确表示成功/失败
Result<T>
When to Use This Skill
何时使用本技能
Invoke this skill when the user asks to:
- Review a pull request or diff for issues
- Audit code for security vulnerabilities or injection risks
- Improve readability, structure, and maintainability
- Suggest targeted refactors without changing behavior
- Validate tests and edge-case coverage
当用户提出以下请求时调用本技能:
- 审查拉取请求或代码差异中的问题
- 审计代码中的安全漏洞或注入风险
- 提升代码的可读性、结构和可维护性
- 提出针对性的重构建议且不改变功能
- 验证测试和边界场景覆盖情况
When NOT to Use This Skill
何时不使用本技能
- System design or architecture: Use software-architecture-design for greenfield architecture decisions
- Writing new code from scratch: This skill reviews existing code, not authoring new features
- Deep security audits: For penetration testing or comprehensive security assessments, use software-security-appsec
- Deep performance investigations: For profiling/observability, use qa-observability and for SQL/query tuning use data-sql-optimization
- 系统设计或架构:对于全新架构决策,使用software-architecture-design
- 从零开始编写新代码:本技能用于审查现有代码,而非编写新功能
- 深度安全审计:对于渗透测试或全面安全评估,使用software-security-appsec
- 深度性能调研:对于性能分析/可观测性,使用qa-observability;对于SQL/查询调优,使用data-sql-optimization
Decision Tree: Selecting Review Mode
决策树:选择审查模式
text
Code review task: [What to Focus On?]
├─ Security-critical changes?
│ ├─ Auth/access control → Security Review (OWASP, auth patterns)
│ ├─ User input handling → Input validation, XSS, SQL injection
│ └─ Smart contracts → Blockchain Review (reentrancy, access control)
│
├─ Performance concerns?
│ ├─ Database queries → Check for N+1, missing indexes
│ ├─ Loops/algorithms → Complexity analysis, caching
│ └─ API response times → Profiling, lazy loading
│
├─ Correctness issues?
│ ├─ Business logic → Edge cases, error handling, tests
│ ├─ Data transformations → Boundary conditions, null checks
│ └─ Integration points → Retry logic, timeouts, fallbacks
│
├─ Maintainability problems?
│ ├─ Complex code → Naming, function length, duplication
│ ├─ Hard to understand → Comments, abstractions, clarity
│ └─ Technical debt → Refactoring suggestions
│
├─ Test coverage gaps?
│ ├─ New features → Happy path + error cases
│ ├─ Refactors → Regression tests
│ └─ Bug fixes → Reproduction tests
│
└─ Stack-specific review?
├─ Frontend → [frontend-review.md](assets/web-frontend/frontend-review.md)
├─ Backend → [api-review.md](assets/backend-api/api-review.md)
├─ Mobile → [mobile-review.md](assets/mobile/mobile-review.md)
├─ Infrastructure → [infrastructure-review.md](assets/infrastructure/infrastructure-review.md)
└─ Blockchain → [crypto-review.md](assets/blockchain/crypto-review.md)Multi-Mode Reviews:
For complex PRs, apply multiple review modes sequentially:
- Security first (P0/P1 issues)
- Correctness (logic, edge cases)
- Performance (if applicable)
- Maintainability (P2/P3 suggestions)
text
代码审查任务:[重点关注什么?]
├─ 涉及安全的关键变更?
│ ├─ 认证/访问控制 → 安全审查(OWASP、认证模式)
│ ├─ 用户输入处理 → 输入验证、XSS、SQL注入
│ └─ 智能合约 → 区块链审查(重入攻击、访问控制)
│
├─ 性能相关问题?
│ ├─ 数据库查询 → 检查N+1问题、缺失索引
│ ├─ 循环/算法 → 复杂度分析、缓存
│ └─ API响应时间 → 性能分析、懒加载
│
├─ 正确性问题?
│ ├─ 业务逻辑 → 边界情况、错误处理、测试
│ ├─ 数据转换 → 边界条件、空值检查
│ └─ 集成点 → 重试逻辑、超时、降级
│
├─ 可维护性问题?
│ ├─ 复杂代码 → 命名、函数长度、重复代码
│ ├─ 难以理解 → 注释、抽象、清晰度
│ └─ 技术债务 → 重构建议
│
├─ 测试覆盖率缺口?
│ ├─ 新功能 → 正常流程 + 错误场景
│ ├─ 重构 → 回归测试
│ └─ Bug修复 → 复现测试
│
└─ 技术栈专项审查?
├─ 前端 → [frontend-review.md](assets/web-frontend/frontend-review.md)
├─ 后端 → [api-review.md](assets/backend-api/api-review.md)
├─ 移动 → [mobile-review.md](assets/mobile/mobile-review.md)
├─ 基础设施 → [infrastructure-review.md](assets/infrastructure/infrastructure-review.md)
└─ 区块链 → [crypto-review.md](assets/blockchain/crypto-review.md)多模式审查:
对于复杂的PR,按以下顺序应用多种审查模式:
- 优先安全审查(P0/P1级问题)
- 正确性审查(逻辑、边界情况)
- 性能审查(如适用)
- 可维护性审查(P2/P3级建议)
Async Review Workflows (2026)
异步审查工作流(2026)
Timezone-Friendly Reviews
时区友好型审查
| Practice | Implementation |
|---|---|
| Review windows | Define 4-hour overlap windows |
| Review rotation | Assign reviewers across timezones |
| Async communication | Use PR comments, not DMs |
| Review SLAs | 24-hour initial response, 48-hour completion |
| 实践 | 实现方式 |
|---|---|
| 审查窗口 | 定义4小时重叠窗口 |
| 审查轮换 | 跨时区分配审查人员 |
| 异步沟通 | 使用PR评论,不使用即时消息 |
| 审查SLA | 24小时内初始响应,48小时内完成 |
Non-Blocking Reviews
非阻塞式审查
text
PR Submitted -> Auto-checks (CI) -> Async Review -> Merge
| | |
Author continues If green, Reviewer comments
on other work queue for when available
reviewAnti-patterns:
- Synchronous review meetings for routine PRs
- Blocking on reviewer availability for non-critical changes
- Single reviewer bottleneck
text
PR提交 -> 自动检查(CI) -> 异步审查 -> 合并
| | |
作者继续 检查通过后, 审查人员在可用时
其他工作 进入审查队列 提交评论反模式:
- 常规PR使用同步审查会议
- 非关键变更因审查人员不可用而阻塞
- 单一审查人员形成瓶颈
Review Prioritization Matrix
审查优先级矩阵
| Priority | Criteria | SLA |
|---|---|---|
| P0 | Security fix, production incident | 4 hours |
| P1 | Bug fix, blocking dependency | 24 hours |
| P2 | Feature work, tech debt | 48 hours |
| P3 | Documentation, refactoring | 72 hours |
| 优先级 | 判定标准 | SLA |
|---|---|---|
| P0 | 安全修复、生产事故 | 4小时 |
| P1 | Bug修复、阻塞性依赖项 | 24小时 |
| P2 | 功能开发、技术债务 | 48小时 |
| P3 | 文档、重构 | 72小时 |
Optional: AI/Automation Extensions
可选:AI/自动化扩展
Note: AI-assisted review tools. Human review remains authoritative.
注意:AI辅助审查工具。人工审查仍具有权威性。
AI Review Assistants
AI审查助手
| Tool | Use Case | Limitation |
|---|---|---|
| GitHub Copilot PR | Summary, suggestions | May miss context |
| CodeRabbit | Automated PR review comments | Requires human validation |
| Qodo | Test generation + review, 15+ workflows | Enterprise pricing |
| OpenAI Codex | System-level codebase context | API integration required |
| AWS Security Agent | OWASP Top 10, policy violations | Preview only (2026) |
| Endor Labs AI SAST | AI-assisted SAST | Security-focused |
| Graphite | PR stacking, stack-aware merge queue | Process, not content |
AI assistant rules:
- AI suggestions are advisory only
- Human reviewer approves/rejects
- AI cannot bypass security review
- AI findings require manual verification
| 工具 | 使用场景 | 局限性 |
|---|---|---|
| GitHub Copilot PR | 摘要、建议 | 可能缺失上下文 |
| CodeRabbit | 自动化PR评论 | 需要人工验证 |
| Qodo | 测试生成+审查,15+工作流 | 企业级定价 |
| OpenAI Codex | 系统级代码库上下文 | 需要API集成 |
| AWS Security Agent | OWASP Top 10、策略违规 | 仅预览版(2026) |
| Endor Labs AI SAST | AI辅助静态应用安全测试 | 聚焦安全 |
| Graphite | PR堆叠、支持堆叠的合并队列 | 关注流程而非内容 |
AI助手规则:
- AI建议仅作为参考
- 人工审查人员批准/否决
- AI不能绕过安全审查
- AI发现的问题需要手动验证
AI Review Checklist
AI审查检查清单
- AI suggestions validated against codebase patterns
- AI-flagged issues manually confirmed
- False positives documented for tool improvement
- Human reviewer explicitly approved
- AI建议已根据代码库模式验证
- AI标记的问题已手动确认
- 误报已记录用于工具改进
- 人工审查人员已明确批准
Simplicity and Complexity Control
简洁性与复杂度控制
- Prefer existing, battle-tested libraries over bespoke implementations when behavior is identical.
- Flag avoidable complexity early: remove dead/commented-out code, collapse duplication, and extract single-responsibility helpers.
- Call out premature optimization; favor clarity and measured, evidence-based tuning.
- Encourage incremental refactors alongside reviews to keep modules small, predictable, and aligned to standards.
- 当功能相同时,优先使用经过验证的现有库而非自定义实现。
- 尽早标记可避免的复杂度:删除死代码/注释代码、消除重复、提取单一职责的辅助函数。
- 指出过早优化的问题;优先保证代码清晰,基于数据进行调优。
- 鼓励在审查过程中进行增量重构,保持模块小巧、可预测并符合标准。
Operational Playbooks
操作手册
Shared Foundation
- ../software-clean-code-standard/references/clean-code-standard.md - Canonical clean code rules () for citation in reviews
CC-* - Legacy playbook: ../software-clean-code-standard/references/code-quality-operational-playbook.md - –
RULE-01, refactoring decision trees, and design patternsRULE-13
Code Review Specific
- references/operational-playbook.md — Review scope rules, severity ratings (P0-P3), checklists, modes, and PR workflow patterns
通用基础
- ../software-clean-code-standard/references/clean-code-standard.md - 规范的整洁代码规则(),用于审查时引用
CC-* - 遗留系统手册:../software-clean-code-standard/references/code-quality-operational-playbook.md - –
RULE-01、重构决策树和设计模式RULE-13
代码审查专项
- references/operational-playbook.md — 审查范围规则、严重程度评级(P0-P3)、检查清单、模式和PR工作流模式
Default Review Output (Agent-Facing)
默认审查输出(面向Agent)
When producing a review, default to:
- Short summary of intent + risk
- Findings grouped by /
P0/P1/P2(mark REQUIRED vs OPTIONAL)P3 - Concrete suggestions (minimal diffs or test cases)
- Follow-up questions when requirements or constraints are unclear
Use assets/core/review-comment-guidelines.md for comment style and labeling.
生成审查结果时,默认遵循:
- 简短的意图+风险摘要
- 按/
P0/P1/P2分组的发现(标记必填/可选)P3 - 具体建议(最小化差异或测试用例)
- 当需求或约束不明确时提出跟进问题
使用assets/core/review-comment-guidelines.md规范评论风格和标记。
Navigation
导航
Resources
- references/operational-playbook.md
- references/review-checklist-comprehensive.md
- references/implementing-effective-code-reviews-checklist.md
- references/looks-good-to-me-checklist.md
- references/automation-tools.md
- references/dotnet-efcore-crypto-rules.md
- references/psychological-safety-guide.md
Templates
- assets/core/pull-request-description-template.md
- assets/core/review-checklist-judgment.md
- assets/core/review-comment-guidelines.md
- assets/backend-api/api-review.md
- assets/web-frontend/frontend-review.md
- assets/mobile/mobile-review.md
- assets/infrastructure/infrastructure-review.md
- assets/blockchain/crypto-review.md
- assets/data-ml/data-pipeline-review.md
- assets/data-ml/experiment-tracking-review.md
- assets/data-ml/ml-model-review.md
- assets/data-ml/ml-deployment-review.md
Data
- data/sources.json — Curated external references
- Shared checklists: ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md, ../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md
资源
- references/operational-playbook.md
- references/review-checklist-comprehensive.md
- references/implementing-effective-code-reviews-checklist.md
- references/looks-good-to-me-checklist.md
- references/automation-tools.md
- references/dotnet-efcore-crypto-rules.md
- references/psychological-safety-guide.md
模板
- assets/core/pull-request-description-template.md
- assets/core/review-checklist-judgment.md
- assets/core/review-comment-guidelines.md
- assets/backend-api/api-review.md
- assets/web-frontend/frontend-review.md
- assets/mobile/mobile-review.md
- assets/infrastructure/infrastructure-review.md
- assets/blockchain/crypto-review.md
- assets/data-ml/data-pipeline-review.md
- assets/data-ml/experiment-tracking-review.md
- assets/data-ml/ml-model-review.md
- assets/data-ml/ml-deployment-review.md
数据
- data/sources.json — 精选外部参考
- 共享检查清单:../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md, ../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md
Trend Awareness Protocol
趋势感知协议
IMPORTANT: When users ask recommendation questions about code review tools, practices, or automation, you MUST use WebSearch to check current trends before answering.
重要提示:当用户询问代码审查工具、实践或自动化的建议时,必须先使用WebSearch检查当前趋势再回答。
Trigger Conditions
触发条件
- "What's the best code review tool?"
- "What should I use for [automated code review/PR automation]?"
- "What's the latest in code review practices?"
- "Current best practices for [code review/PR workflow]?"
- "Is [GitHub Copilot PR/CodeRabbit] still relevant in 2026?"
- "[CodeRabbit] vs [Graphite] vs [other]?"
- "Best AI code review assistant?"
- "最好的代码审查工具是什么?"
- "[自动化代码审查/PR自动化]应该用什么?"
- "代码审查实践的最新进展是什么?"
- "[代码审查/PR工作流]的当前最佳实践是什么?"
- "[GitHub Copilot PR/CodeRabbit]在2026年还适用吗?"
- "[CodeRabbit] vs [Graphite] vs [其他工具]?"
- "最好的AI代码审查助手是什么?"
Required Searches
必查搜索
- Search:
"code review best practices 2026" - Search:
"[specific tool] vs alternatives 2026" - Search:
"AI code review tools January 2026" - Search:
"PR automation trends 2026"
- 搜索:
"code review best practices 2026" - 搜索:
"[特定工具] vs alternatives 2026" - 搜索:
"AI code review tools January 2026" - 搜索:
"PR automation trends 2026"
What to Report
需汇报内容
After searching, provide:
- Current landscape: What code review tools/practices are popular NOW
- Emerging trends: New AI assistants, PR tools, or review patterns gaining traction
- Deprecated/declining: Tools/approaches losing relevance or support
- Recommendation: Based on fresh data, not just static knowledge
搜索后提供:
- 当前格局:现在流行的代码审查工具/实践
- 新兴趋势:正在兴起的新AI助手、PR工具或审查模式
- 已淘汰/衰退:失去相关性或支持的工具/方法
- 建议:基于最新数据,而非仅静态知识
Example Topics (verify with fresh search)
示例主题(需通过最新搜索验证)
- AI code review (GitHub Copilot PR, CodeRabbit, Cursor)
- PR automation (Graphite, Stacked PRs, merge queues)
- Code review platforms (GitHub, GitLab, Bitbucket)
- Review bots and automation
- Async review practices for distributed teams
- Review metrics and analytics tools
- AI代码审查(GitHub Copilot PR、CodeRabbit、Cursor)
- PR自动化(Graphite、堆叠PR、合并队列)
- 代码审查平台(GitHub、GitLab、Bitbucket)
- 审查机器人与自动化
- 分布式团队的异步审查实践
- 审查指标与分析工具