Codebase Audit Pre Push | Skills Pool
Codebase Audit Pre Push Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness.
sickn33 33,802 estrellas 13 abr 2026 Ocupación Categorías Flujos de Trabajo Git Contenido de la habilidad
Pre-Push Codebase Audit
As a senior engineer, you're doing the final review before pushing this code to GitHub. Check everything carefully and fix problems as you find them.
When to Use This Skill
User requests "audit the codebase" or "review before push"
Before making the first push to GitHub
Before making a repository public
Pre-production deployment review
User asks to "clean up the code" or "optimize everything"
Your Job
Review the entire codebase file by file. Read the code carefully. Fix issues right away. Don't just note problems—make the necessary changes.
Audit Process
1. Clean Up Junk Files
Start by looking for files that shouldn't be on GitHub:
Delete these immediately:
Instalación rápida
Codebase Audit Pre Push npx skillvault add sickn33/sickn33-antigravity-awesome-skills-plugins-antigravity-awesome-skills-claude-skills-codebase-audit-pre-push-skill-md
estrellas 33,802
Actualizado 13 abr 2026
Ocupación
OS files: .DS_Store, Thumbs.db, desktop.ini
Logs: *.log, npm-debug.log*, yarn-error.log*
Temp files: *.tmp, *.temp, *.cache, *.swp
Build output: dist/, build/, .next/, out/, .cache/
Dependencies: node_modules/, vendor/, __pycache__/, *.pyc
IDE files: .idea/, .vscode/ (ask user first), *.iml, .project
Backup files: *.bak, *_old.*, *_backup.*, *_copy.*
Test artifacts: coverage/, .nyc_output/, test-results/
Personal junk: TODO.txt, NOTES.txt, scratch.*, test123.* Critical - Check for secrets:
.env files (should never be committed)Files containing: password, api_key, token, secret, private_key
*.pem, *.key, *.cert, credentials.json, serviceAccountKey.json If you find secrets in the code, mark it as a CRITICAL BLOCKER.
2. Fix .gitignore Check if the .gitignore file exists and is thorough. If it’s missing or not complete, update it to include all junk file patterns above. Ensure that .env.example exists with keys but no values.
3. Audit Every Source File Look through each code file and check:
Dead Code (remove immediately):
Commented-out code blocks
Unused imports/requires
Unused variables (declared but never used)
Unused functions (defined but never called)
Unreachable code (after return, inside if (false))
Duplicate logic (same code in multiple places—combine)
Code Quality (fix issues as you go):
Vague names: data, info, temp, thing → rename to be descriptive
Magic numbers: if (status === 3) → extract to named constant
Debug statements: remove console.log, print(), debugger
TODO/FIXME comments: either resolve them or delete them
TypeScript any: add proper types or explain why any is used
Use === instead of == in JavaScript
Functions longer than 50 lines: consider splitting
Nested code greater than 3 levels: refactor with early returns
Missing null/undefined checks
Array operations on potentially empty arrays
Async functions that are not awaited
Promises without .catch() or try/catch
Possibilities for infinite loops
Missing default in switch statements
4. Security Check (Zero Tolerance) Secrets: Search for hardcoded passwords, API keys, and tokens. They must be in environment variables.
Injection vulnerabilities:
SQL: No string concatenation in queries—use parameterized queries only
Command injection: No exec() with user-provided input
Path traversal: No file paths from user input without validation
XSS: No innerHTML or dangerouslySetInnerHTML with user data
Passwords hashed with bcrypt/argon2 (never MD5 or plain text)
Protected routes check for authentication
Authorization checks on the server side, not just in the UI
No IDOR: verify users own the resources they are accessing
API responses do not leak unnecessary information
Error messages do not expose stack traces or database details
Pagination is present on list endpoints
Run npm audit or an equivalent tool
Flag critically outdated or vulnerable packages
5. Scalability Check
N+1 queries: loops with database calls inside → use JOINs or batch queries
Missing indexes on WHERE/ORDER BY columns
Unbounded queries: add LIMIT or pagination
Avoid SELECT *: specify columns
Heavy operations (like email, reports, file processing) → move to a background queue
Rate limiting on public endpoints
Caching for data that is read frequently
Timeouts on external calls
No global mutable state
Clean up event listeners (to avoid memory leaks)
Stream large files instead of loading them into memory
6. Architecture Check
Clear folder structure
Files are in logical locations
No "misc" or "stuff" folders
UI layer: only responsible for rendering
Business logic: pure functions
Data layer: isolated database queries
No 500+ line "god files"
Duplicate code → extract to shared utilities
Constants defined once and imported
Types/interfaces reused, not redefined
Expensive operations do not block requests
Batch database calls when possible
Set cache headers correctly
Frontend (if applicable):
Implement code splitting
Optimize images
Avoid massive dependencies for small utilities
Use lazy loading for heavy components
8. Documentation
Description of what the project does
Instructions for installation and execution
Required environment variables
Guidance on running tests
Explain WHY, not WHAT
Provide explanations for complex logic
Avoid comments that merely repeat the code
9. Testing
Critical paths should have tests (auth, payments, core features)
No test.only or fdescribe should remain in the code
Avoid test.skip without an explanation
Tests should verify behavior, not implementation details
10. Final Verification After making all changes, run the app. Ensure nothing is broken. Check that:
The app starts without errors
Main features work
Tests pass (if they exist)
No regressions have been introduced
After auditing, provide a report:
CODEBASE AUDIT COMPLETE
FILES REMOVED:
- node_modules/ (build artifact)
- .env (contained secrets)
- old_backup.js (unused duplicate)
CODE CHANGES:
[src/api/users.js]
✂ Removed unused import: lodash
✂ Removed dead function: formatOldWay()
🔧 Renamed 'data' → 'userData' for clarity
🛡 Added try/catch around API call (line 47)
[src/db/queries.js]
⚡ Fixed N+1 query: now uses JOIN instead of loop
SECURITY ISSUES:
🚨 CRITICAL: Hardcoded API key in config.js (line 12) → moved to .env
⚠️ HIGH: SQL injection risk in search.js (line 34) → fixed with parameterized query
SCALABILITY:
⚡ Added pagination to /api/users endpoint
⚡ Added index on users.email column
FINAL STATUS:
✅ CLEAN - Ready to push to GitHub
Scores:
Security: 9/10 (one minor header missing)
Code Quality: 10/10
Scalability: 9/10
Overall: 9/10
Key Principles
Read the code thoroughly, don't skim
Fix issues immediately, don’t just document them
If uncertain about removing something, ask the user
Test after making changes
Be thorough but practical—focus on real problems
Security issues are blockers—nothing should ship with critical vulnerabilities
@security-auditor - Deeper security review@systematic-debugging - Investigate specific issues@git-pushing - Push code after audit
Limitations
Use this skill only when the task clearly matches the scope described above.
Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
Flujos de Trabajo Git
Repository Setup Initialize a worktree-based repo layout for parallel development. Creates a main worktree, a reviews worktree for PR reviews, and N numbered work branches. Handles .env creation, dependency installation, and branchlet config. TRIGGER when user asks to set up the repo from scratch, initialize worktrees, bootstrap their dev environment, "setup repo", "setup worktrees", "initialize dev environment", "set up branches", or when a freshly cloned repo has no sibling worktrees.
Significant-Gravitas