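---
# Example Augment Code Review Guidelines
# ========================================
# This file demonstrates the complete format for Augment Code Review guidelines.
# Copy and customize this file to your repository at:
# <repo-root>/.augment/code_review_guidelines.yaml
#
# For more information, see: https://docs.augmentcode.com/codereview/review-guidelines
#
# Structure: `areas` is a mapping of area name -> { description, globs, rules }.
# Each rule carries an `id`, a human-readable `description` and a `severity`
# (this file uses only "high", "medium" and "low"). Glob patterns begin with
# `*` or `**`, which YAML would otherwise read as an alias sigil, so every glob
# is kept as a quoted string.
areas:
  # ============================================================================
  # PYTHON BACKEND
  # Rules scoped to Python files in the backend directory
  # ============================================================================
  python_backend:
    description: "Python backend code review guidelines"
    globs:
      - "backend/**/*.py"
      - "api/**/*.py"
    rules:
      - id: "no_eval_exec"
        description: "Never use eval() or exec() with user input. These functions can execute arbitrary code and are a critical security vulnerability."
        severity: "high"
      - id: "use_parameterized_queries"
        description: "Always use parameterized queries or ORM methods instead of string formatting for SQL. This prevents SQL injection attacks."
        severity: "high"
      - id: "handle_exceptions_explicitly"
        description: "Avoid bare except clauses. Catch specific exceptions and handle them appropriately. Log unexpected errors with full context."
        severity: "medium"

  # ============================================================================
  # TYPESCRIPT FRONTEND
  # Rules scoped to TypeScript/React files
  # ============================================================================
  typescript_frontend:
    description: "TypeScript and React code review guidelines"
    globs:
      - "frontend/**/*.ts"
      - "frontend/**/*.tsx"
      - "src/**/*.ts"
      - "src/**/*.tsx"
    rules:
      - id: "no_any_type"
        description: "Avoid using 'any' type. Use proper TypeScript types, generics, or 'unknown' with type guards for better type safety."
        severity: "medium"
      - id: "sanitize_user_content"
        description: "Always sanitize user-generated content before rendering. Use DOMPurify or similar for HTML content. Never use dangerouslySetInnerHTML with unsanitized data."
        severity: "high"
      - id: "cleanup_effects"
        description: "React useEffect hooks that set up subscriptions, timers, or event listeners must return cleanup functions to prevent memory leaks."
        severity: "medium"

  # ============================================================================
  # DATABASE OPERATIONS
  # Rules for SQL and database-related files
  # ============================================================================
  database:
    description: "Database and SQL best practices"
    globs:
      - "**/*.sql"
      - "**/migrations/**"
      - "**/models/**"
    rules:
      - id: "add_indexes_for_foreign_keys"
        description: "Foreign key columns should have indexes for efficient JOIN operations and cascade deletes."
        severity: "medium"
      - id: "use_transactions_for_related_changes"
        description: "Group related database changes in transactions to ensure atomicity. Partial updates can leave data in inconsistent states."
        severity: "high"
      - id: "avoid_select_star"
        description: "Specify column names explicitly instead of SELECT *. This improves performance and prevents issues when schema changes."
        severity: "low"

  # ============================================================================
  # SECURITY (GLOBAL)
  # Security rules that apply to all files
  # ============================================================================
  # NOTE: "**" matches every path, so these rules overlap with the per-area
  # rules above (e.g. no_eval_exec, use_parameterized_queries); that overlap is
  # intentional for a baseline that still applies to files no other area covers.
  security:
    description: "Security guidelines for all code"
    globs:
      - "**"
    rules:
      - id: "no_hardcoded_secrets"
        description: "Never hardcode API keys, passwords, tokens, or other secrets. Use environment variables or a secrets manager."
        severity: "high"
      - id: "validate_all_inputs"
        description: "Validate and sanitize all user inputs at system boundaries. Never trust data from external sources."
        severity: "high"
      - id: "use_https_only"
        description: "All external API calls and webhooks must use HTTPS. HTTP connections can be intercepted and modified."
        severity: "high"

  # ============================================================================
  # INFRASTRUCTURE
  # Rules for Docker, Kubernetes, and Terraform files
  # ============================================================================
  # NOTE: the "**/*.yaml" / "**/*.yml" globs are broad — they presumably also
  # match CI workflows and this guidelines file itself; narrow them (e.g. to a
  # k8s/ or deploy/ directory) if that produces noisy reviews.
  infrastructure:
    description: "Infrastructure as Code guidelines"
    globs:
      - "**/Dockerfile*"
      - "**/*.yaml"
      - "**/*.yml"
      - "**/*.tf"
    rules:
      - id: "no_root_containers"
        description: "Docker containers should not run as root. Specify a non-root USER in Dockerfile."
        severity: "high"
      - id: "pin_dependency_versions"
        description: "Pin specific versions for base images and dependencies. Using 'latest' tags can cause unexpected breaking changes."
        severity: "medium"
      - id: "set_resource_limits"
        description: "Set CPU and memory limits for containers to prevent resource exhaustion and ensure fair scheduling."
        severity: "medium"

  # ============================================================================
  # TESTING
  # Rules for test files
  # ============================================================================
  testing:
    description: "Testing best practices"
    globs:
      - "**/*test*.py"
      - "**/*test*.ts"
      - "**/*spec*.ts"
      - "**/tests/**"
      - "**/__tests__/**"
    rules:
      - id: "no_skipped_tests"
        description: "Remove or fix skipped tests. Permanently skipped tests indicate untested code paths and should be addressed."
        severity: "low"
      - id: "avoid_test_interdependence"
        description: "Tests should be independent and not rely on execution order or shared mutable state."
        severity: "medium"
      - id: "use_meaningful_assertions"
        description: "Use specific assertions (assertEquals, assertContains) rather than assertTrue with complex expressions. Clear assertions make failures easier to diagnose."
        severity: "low"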