ワンクリックでManusで任意のスキルを実行

code-review-and-audit

Systematic code review and audit practices including automated checks, security audits, compliance verification, and review checklists.

Manusで実行

概要

Systematic code review and audit practices including automated checks, security audits, compliance verification, and review checklists.

インストールコマンド

npx skills add https://github.com/jnPiyush/AI-Squad --skill code-review-and-audit

このコマンドをClaude Codeにコピー＆ペーストしてスキルをインストール

ソース

jnPiyush/AI-Squad

スター0

フォーク0

更新日2026年1月23日 05:09

SKILL.md

readonly

このリポジトリの他の Skills

同じリポジトリ

ai-agent-development

jnPiyush/AI-Squad

Build production-ready AI agents with Microsoft Foundry and Agent Framework. Covers agent architecture, model selection, orchestration, tracing, and evaluation.

2026-01-230

api-design

jnPiyush/AI-Squad

Design robust REST APIs with proper versioning, pagination, error handling, rate limiting, and OpenAPI documentation.

2026-01-230

code-organization

jnPiyush/AI-Squad

Structure projects for maintainability and scalability with clean architecture, separation of concerns, and consistent project layouts.

2026-01-230

configuration

jnPiyush/AI-Squad

Manage application configuration with environment variables, Azure Key Vault, feature flags, and environment-specific settings.

2026-01-230

core-principles

jnPiyush/AI-Squad

Fundamental coding principles for production development including SOLID, DRY, KISS, and common design patterns with C# examples.

2026-01-230

database

jnPiyush/AI-Squad

Efficient database operations with PostgreSQL, Entity Framework Core, migrations, indexing strategies, transactions, and connection pooling.

2026-01-230

ソース

jnPiyush

jnPiyush/AI-Squad

GitHub リポジトリを開く Creator のリポジトリを見る

インストールコマンド

ダウンロード

Manusで実行

役立つ用途SOC

ソフトウェア品質保証アナリスト・テスターコンピュータ・数学職15-1253L4

name	code-review-and-audit
description	Systematic code review and audit practices including automated checks, security audits, compliance verification, and review checklists.

Code Review & Audit

Purpose: Systematic validation of implementations against production guardrails.
Focus: Self-review automation, manual review checklists, security audits, compliance verification.

Pre-Review Automated Checks

Run these before requesting human review or deploying.

Quick Check Script

# Run all automated checks
./scripts/pre-review-check.sh

# Or manually:
dotnet format --verify-no-changes
dotnet build --no-incremental
dotnet test --collect:"XPlat Code Coverage"
dotnet list package --vulnerable --include-transitive

PowerShell Pre-Review Script

# scripts/Pre-Review-Check.ps1
Write-Host "=== Pre-Review Automated Checks ===" -ForegroundColor Cyan

# 1. Format Check
Write-Host "`n[1/6] Checking code formatting..." -ForegroundColor Yellow
dotnet format --verify-no-changes
if ($LASTEXITCODE -ne 0) {
    Write-Host "❌ Format issues found. Run 'dotnet format'" -ForegroundColor Red
    exit 1
}

# 2. Build
Write-Host "`n[2/6] Building solution..." -ForegroundColor Yellow
dotnet build --no-incremental
if ($LASTEXITCODE -ne 0) {
    Write-Host "❌ Build failed" -ForegroundColor Red
    exit 1
}

# 3. Tests
Write-Host "`n[3/6] Running tests..." -ForegroundColor Yellow
dotnet test --no-build --verbosity minimal --collect:"XPlat Code Coverage"
if ($LASTEXITCODE -ne 0) {
    Write-Host "❌ Tests failed" -ForegroundColor Red
    exit 1
}

# 4. Coverage Check (requires ReportGenerator)
Write-Host "`n[4/6] Checking code coverage..." -ForegroundColor Yellow
$coverageFile = Get-ChildItem -Path "TestResults" -Filter "coverage.cobertura.xml" -Recurse | Select-Object -First 1
if ($coverageFile) {
    $xml = [xml](Get-Content $coverageFile.FullName)
    $coverage = [math]::Round([decimal]$xml.coverage.'line-rate' * 100, 2)
    Write-Host "Coverage: $coverage%" -ForegroundColor Cyan
    if ($coverage -lt 80) {
        Write-Host "⚠️  Coverage below 80% threshold" -ForegroundColor Yellow
    }
}

# 5. Security Vulnerabilities
Write-Host "`n[5/6] Checking for vulnerable packages..." -ForegroundColor Yellow
dotnet list package --vulnerable --include-transitive
if ($LASTEXITCODE -ne 0) {
    Write-Host "❌ Vulnerable packages found" -ForegroundColor Red
    exit 1
}

# 6. Static Analysis (if SonarScanner installed)
if (Get-Command "dotnet-sonarscanner" -ErrorAction SilentlyContinue) {
    Write-Host "`n[6/6] Running SonarQube analysis..." -ForegroundColor Yellow
    dotnet sonarscanner begin /k:"project-key"
    dotnet build
    dotnet sonarscanner end
}

Write-Host "`n✅ All automated checks passed!" -ForegroundColor Green

Code Review Checklist

Architecture & Design (AGENTS.md Alignment)

Research → Design → Implement workflow followed
Architecture documented (ADRs for significant decisions)
SOLID principles adhered to (especially SRP, DIP)
Design patterns used appropriately (not over-engineered)
No premature optimization (YAGNI principle)

Code Quality

Single Responsibility - Each class/method does one thing
DRY - No code duplication (extracted to methods/classes)
KISS - Simple solution, not over-complicated
Meaningful names - Self-documenting code
Functions < 50 lines - Long methods refactored
No magic numbers - Constants with clear names
No dead code - Unused code removed
No commented code - Remove or document why kept

Type Safety & Documentation

Type annotations on all parameters and return values
Nullable reference types handled correctly
XML documentation on all public APIs
Inline comments explain "why", not "what"
README updated with new features/changes
API documentation generated and accurate

Error Handling

Specific exceptions caught (not generic Exception)
No empty catch blocks - Log or handle properly
Errors logged with context (correlation IDs)
Retry logic for transient failures (Polly)
Circuit breakers for external dependencies
Timeouts configured on all external calls
Graceful degradation implemented where needed
No sensitive data in error messages

Security (OWASP Top 10)

Testing (80%+ Coverage)

Performance

Async/await used for I/O operations
No blocking calls (Task.Result, .Wait())
Database queries optimized (indexes, projections)
N+1 queries prevented (Include() or projections)
Caching implemented where appropriate
Connection pooling enabled
Large collections paginated
Response compression enabled

Database (EF Core)

Migrations created and tested
Indexes defined on foreign keys and query filters
Transactions used for multi-step operations
AsNoTracking for read-only queries
Soft deletes implemented (not hard deletes)
Audit fields present (CreatedAt, UpdatedAt, etc.)

Configuration & Deployment

Config externalized - No hardcoded values
Environment-specific settings in appsettings.{env}.json
Feature flags for toggleable features
Health checks implemented (liveness + readiness)
Structured logging with correlation IDs
Metrics/monitoring configured
Graceful shutdown handling
Dependencies version-pinned in lock files

Version Control

Atomic commits - One logical change per commit
Conventional commits format followed
No merge commits in feature branch (use rebase)
PR description clear and complete
Tests passing in CI/CD pipeline
No merge conflicts with main branch

Security Audit Procedures

Automated Security Scans

# 1. Dependency Vulnerabilities
dotnet list package --vulnerable --include-transitive

# 2. .NET Security Analyzers
dotnet add package Microsoft.CodeAnalysis.NetAnalyzers
dotnet build /p:EnableNETAnalyzers=true /p:AnalysisLevel=latest

# 3. SonarQube (if configured)
dotnet sonarscanner begin /k:"project-key" /d:sonar.host.url="http://localhost:9000"
dotnet build
dotnet sonarscanner end

# 4. OWASP ZAP (for running APIs)
docker run -t owasp/zap2docker-stable zap-baseline.py -t https://api.myapp.com

# 5. GitHub Advanced Security (in CI/CD)
# Automatic in GitHub Actions with code scanning enabled

Manual Security Review

# Search for security anti-patterns
grep -r "AllowAnyOrigin" . --include=*.cs
grep -r "SELECT.*\+.*WHERE" . --include=*.cs  # SQL concatenation
grep -r "password.*=.*\"" . --include=*.cs     # Hardcoded passwords
grep -r "api[_-]?key.*=.*\"" . --include=*.cs  # Hardcoded API keys
grep -r "\.Wait()" . --include=*.cs            # Blocking async calls

PowerShell Security Scan:

# Find security issues
Write-Host "Scanning for security anti-patterns..." -ForegroundColor Yellow

$patterns = @{
    "Hardcoded Secrets" = 'password|apikey|secret|connectionstring.*=.*"[^"]+"'
    "SQL Injection Risk" = 'SELECT.*\+|ExecuteSqlRaw.*\+'
    "CORS Issues" = 'AllowAnyOrigin|AllowAnyHeader|AllowAnyMethod'
    "Blocking Async" = '\.Wait\(\)|\.Result[^a-zA-Z]'
}

foreach ($pattern in $patterns.GetEnumerator()) {
    Write-Host "`nChecking: $($pattern.Key)" -ForegroundColor Cyan
    Get-ChildItem -Recurse -Include *.cs | Select-String -Pattern $pattern.Value
}

Compliance Verification

OWASP Top 10 (2025) Checklist

Production Readiness (AGENTS.md Checklist)

Development

Functionality verified with edge cases
Type annotations and XML docs complete
Error handling with logging
Input validation/sanitization
No hardcoded secrets

Testing & Quality

Unit, integration, e2e tests passing (80%+ coverage)
Linters and formatters passing
No code duplication or dead code

Security

SQL queries parameterized
Auth/authz implemented
OWASP Top 10 addressed

Operations

Structured logging, metrics, alerts
Health checks (liveness/readiness)
Config externalized per environment
Dependencies version-pinned
Database migrations tested
CI/CD pipeline passing
Deployment rollback strategy defined

Review Tools

Static Analysis

Tool	Purpose	Command
Roslyn Analyzers	.NET code analysis	`dotnet build /p:AnalysisLevel=latest`
SonarQube	Code quality, security	`dotnet sonarscanner begin/end`
StyleCop	C# style rules	`dotnet add package StyleCop.Analyzers`
Security Code Scan	Security vulnerabilities	`dotnet add package SecurityCodeScan.VS2019`

Coverage Tools

# Generate coverage report
dotnet test --collect:"XPlat Code Coverage"

# Install ReportGenerator
dotnet tool install -g dotnet-reportgenerator-globaltool

# Generate HTML report
reportgenerator \
  -reports:"**/coverage.cobertura.xml" \
  -targetdir:"coveragereport" \
  -reporttypes:Html

# Open report
start coveragereport/index.html  # Windows
open coveragereport/index.html   # macOS

CI/CD Integration

GitHub Actions (.github/workflows/review.yml):

name: Code Review Checks

on: [pull_request]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Setup .NET
        uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '8.0.x'
      
      - name: Restore dependencies
        run: dotnet restore
      
      - name: Format check
        run: dotnet format --verify-no-changes
      
      - name: Build
        run: dotnet build --no-restore
      
      - name: Test with coverage
        run: dotnet test --no-build --collect:"XPlat Code Coverage"
      
      - name: Security scan
        run: dotnet list package --vulnerable --include-transitive
      
      - name: Upload coverage
        uses: codecov/codecov-action@v3

Review Workflow

1. Self-Review (Pre-PR)

# Run automated checks
./scripts/pre-review-check.sh

# Review own changes
git diff main...HEAD

# Check file changes
git diff --name-only main...HEAD

# Review commit messages
git log main..HEAD --oneline

2. Submit for Review

# Create PR with template
gh pr create --title "feat(auth): Add OAuth integration" \
  --body "$(cat .github/PULL_REQUEST_TEMPLATE.md)"

3. Address Feedback

# Make changes
git add .
git commit -m "fix: Address review feedback"

# Update PR
git push origin feature-branch

# Re-run checks
./scripts/pre-review-check.sh

4. Final Approval

All review comments addressed
CI/CD pipeline passing
Code coverage maintained/improved
Security scan clean
Two approvals received (if required)

Best Practices

✅ DO

Automate checks - Pre-commit hooks, CI/CD
Review incrementally - Small, focused PRs
Use checklists - Ensure nothing missed
Run security scans - Before every release
Document decisions - ADRs for architecture
Test audit scripts - Verify they catch issues
Update checklists - As standards evolve

❌ DON'T

Skip automated checks - Always run before PR
Large PRs - > 400 lines hard to review
Review own code only - Get peer review
Ignore warnings - Fix or document exceptions
Manual-only audits - Automate what you can
Deploy without audit - Security scans mandatory

Quick Reference

Pre-Review Command:

dotnet format --verify-no-changes && \
dotnet build && \
dotnet test --collect:"XPlat Code Coverage" && \
dotnet list package --vulnerable --include-transitive

Security Scan:

grep -rn "password.*=.*\"" . --include=*.cs
dotnet list package --vulnerable

Coverage Check:

dotnet test --collect:"XPlat Code Coverage"
reportgenerator -reports:"**/coverage.cobertura.xml" -targetdir:"coverage"

See Also: AGENTS.md • 02-testing.md • 04-security.md • 16-remote-git-operations.md

Last Updated: January 13, 2026