Code quality assessment and security review — complexity metrics, OWASP, tech debt. USE FOR: code review, quality, complexity, coupling, cohesion, OWASP, security, secrets, LGPD, GDPR, tech debt, cyclomatic, SAST, SCA, DAST, secret detection, vulnerability, CVE, qualidade, segurança, revisão de código. DO NOT USE FOR: writing code (route to developer agent), writing tests (use test-engineering), CI/CD integration of scans (use cicd-orchestration).
Measure, don't opine. Every quality assessment is backed by metrics (cyclomatic complexity, coupling, cohesion, coverage, duplication). Every security finding references a specific vulnerability class (an OWASP Top 10 category) or, for a dependency, the specific CVE. The Code Reviewer is an objective evaluator: quantitative verdicts replace subjective opinions.
Cyclomatic complexity (CC) measures the number of linearly independent paths through a function's control-flow graph.
| CC Range | Risk Level | Action |
|---|---|---|
| 1-10 | ✅ Low | Simple, well-structured — accept |
| 11-20 | ⚠️ Moderate | Consider refactoring — flag as Minor |
| 21-50 | 🔴 High | Must refactor — flag as Major |
| > 50 | 🚫 Very High | Reject — flag as Critical |
Calculation: CC = E - N + 2P, where E is the number of edges and N the number of nodes in the control-flow graph and P the number of connected components (P = 1 for a single function, giving CC = E - N + 2).
Quick heuristic: count decision points (if, elif, for, while, case, catch, &&, ||, ?:) and add 1. `else` and `default` add nothing, since they are the complementary branch of a decision already counted.
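The quick heuristic above, implemented over Python's `ast` module and mapped onto the CC bands of the table. This is an added example, not part of the original page or of any project's tooling; the sample module it scores is constructed for the demonstration.

```python
import ast

# Risk bands copied from the CC table on this page (upper bounds inclusive).
CC_BANDS = [(10, "Low"), (20, "Moderate"), (50, "High")]


def risk_level(cc: int) -> str:
    """Map a cyclomatic complexity value to the page's risk band."""
    for upper, label in CC_BANDS:
        if cc <= upper:
            return label
    return "Very High"


def _body_nodes(node):
    """Yield every AST node inside `node` without descending into nested
    functions, classes or lambdas (those are measured on their own)."""
    for child in ast.iter_child_nodes(node):
        yield child
        if not isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef,
                                  ast.ClassDef, ast.Lambda)):
            yield from _body_nodes(child)


def cyclomatic_complexity(func: ast.AST) -> int:
    """Decision points + 1, the quick heuristic from the page.

    if/elif (Python parses elif as a nested If), for, while, except and the
    ternary each add 1; a chain of n operands joined by and/or adds n - 1;
    a comprehension adds 1 for its loop plus 1 per `if` filter; each
    match-case arm adds 1. else/default add nothing: they are the other
    side of a decision already counted.
    """
    cc = 1
    for node in _body_nodes(func):
        if isinstance(node, (ast.If, ast.IfExp, ast.For, ast.AsyncFor,
                             ast.While, ast.ExceptHandler)):
            cc += 1
        elif isinstance(node, ast.BoolOp):
            cc += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            cc += 1 + len(node.ifs)
        elif isinstance(node, getattr(ast, "match_case", ())):
            cc += 1
    return cc


def review_module(source: str) -> dict:
    """Return {function_name: (cc, risk_level)} for every function in `source`."""
    tree = ast.parse(source)
    report = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            cc = cyclomatic_complexity(node)
            report[node.name] = (cc, risk_level(cc))
    return report


# Constructed sample module for the demonstration (not code from any project).
SAMPLE_SOURCE = '''
def simple(x):
    return x + 1

def validate(user, item):
    if user is None or not user.active:
        return False
    if item.owner_id != user.id and not user.is_admin:
        return False
    for tag in item.tags:
        if tag in ("blocked", "quarantined"):
            return False
    while item.pending and item.retries > 0:
        item.retry()
    try:
        item.check()
    except ValueError:
        return False
    except KeyError:
        return False
    return True if item.price > 0 else False
'''

if __name__ == "__main__":
    for name, (cc, level) in review_module(SAMPLE_SOURCE).items():
        print(f"{name}: CC={cc} ({level})")  # validate: CC=12 (Moderate)
```

`validate` scores 12: two `if`s with one boolean operator each (4), the `for` and its inner `if` (2), the `while` with one operator (2), two `except` arms (2), the ternary (1), plus the base 1. That lands in the Moderate band, so under the table it is flagged as Minor with a refactoring suggestion rather than blocked.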
CBO (Coupling Between Objects) counts the distinct other classes a class depends on (references, instantiates, inherits from) or is depended on by:
| CBO | Assessment | Action |
|---|---|---|
| 0-4 | ✅ Low coupling | Accept |
| 5-8 | ⚠️ Moderate | Review dependencies, consider dependency injection (DI) |
| > 8 | 🔴 High coupling | Flag as Major — extract an interface, apply DI |
LCOM* (Henderson-Sellers lack of cohesion in methods) is normalized to the range 0 to 1: 0 means every method touches every field, 1 means no method shares a field with another:
| LCOM* | Assessment | Action |
|---|---|---|
| 0-0.3 | ✅ High cohesion | Methods use shared fields — well-designed class |
| 0.3-0.7 | ⚠️ Moderate | Some methods don't share state — review |
| > 0.7 | 🔴 Low cohesion | Class does too many things — split |
Code duplication, measured as the share of duplicated lines in the changed files:
| Duplication | Action |
|---|---|
| 0-3% | ✅ Accept |
| 3-5% | ⚠️ Minor — consider extraction |
| > 5% | 🔴 Major — extract shared functions/modules |
OWASP Top 10 (2021) checklist. Every security finding cites the category it maps to:
| # | Category | What to Look For | Remediation Pattern |
|---|---|---|---|
| A01 | Broken Access Control | Missing authZ checks, IDOR, path traversal | Deny by default, validate ownership per request |
| A02 | Cryptographic Failures | Plaintext secrets, weak or unsalted hashing (MD5/SHA1), homegrown crypto, missing TLS | Argon2id/bcrypt for passwords, authenticated encryption (e.g. AES-GCM) for data, enforce HTTPS, rotate keys |
| A03 | Injection | String concatenation in SQL/NoSQL/OS commands | Parameterized queries, input validation, allowlists |
| A04 | Insecure Design | Missing threat model, no rate limiting, business logic flaws | Threat modeling, abuse case testing, rate limits |
| A05 | Security Misconfiguration | Default credentials, verbose errors in production, unnecessary features enabled | Hardened defaults, error handling without details |
| A06 | Vulnerable Components | Outdated dependencies with known CVEs | SCA scanning, automated dependency updates |
| A07 | Auth Failures | Weak passwords allowed, no MFA, broken session management | Password policy, MFA, secure session config |
| A08 | Data Integrity Failures | Unsigned updates, insecure deserialization, tampered CI/CD | Signed artifacts, integrity checks, secure pipelines |
| A09 | Logging Failures | Missing audit trail, log injection, PII in logs | Structured logging, log injection prevention, PII masking |
| A10 | SSRF | User-supplied URLs fetched server-side, reachability of internal or cloud-metadata endpoints | URL allowlists (scheme, host, port), egress segmentation, do not follow redirects |
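The A01 and A03 rows side by side in code: the function a reviewer would flag, and its remediation. This is an added example, not code from the original page or from any project; the in-memory SQLite table and its rows are constructed for the demonstration.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed data: three invoices owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)",
        [(1, 100, 50), (2, 100, 75), (3, 200, 999)],
    )
    return conn


def get_invoice_vulnerable(conn, invoice_id: str):
    """What the review flags. A03: the query is built by string concatenation,
    so a quoted payload rewrites the WHERE clause. A01: the caller's identity
    never reaches the query, so any invoice id is served to any user (IDOR)."""
    query = "SELECT id, owner_id, amount FROM invoices WHERE id = '" + invoice_id + "'"
    return conn.execute(query).fetchall()


def get_invoice_hardened(conn, user_id: int, invoice_id: str):
    """Remediation from the table: validate the input type, bind parameters,
    and deny by default by checking ownership inside the same query."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return []  # malformed id: reject, do not guess
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, user_id),
    ).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    payload = "3' OR '1'='1"
    print("vulnerable, injected:", get_invoice_vulnerable(conn, payload))     # all 3 rows
    print("vulnerable, IDOR    :", get_invoice_vulnerable(conn, "3"))         # [(3, 200, 999)]
    print("hardened, injected  :", get_invoice_hardened(conn, 100, payload))  # []
    print("hardened, not owner :", get_invoice_hardened(conn, 100, "3"))      # []
    print("hardened, owner     :", get_invoice_hardened(conn, 100, "1"))      # [(1, 100, 50)]
```

The ownership predicate lives in the query rather than in a post-fetch check so that the database never returns a row the caller is not entitled to; that is what "validate ownership per request" means in practice, and it is the line a reviewer looks for on every data-access path.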
Secret detection patterns. Run each over the diff; a match is Critical until shown to be a test fixture or a documented example value:
| Secret Type | Pattern | Example Match |
|---|---|---|
| AWS Access Key | (AKIA\|ASIA)[0-9A-Z]{16} (ASIA prefixes temporary credentials) | AKIAIOSFODNN7EXAMPLE |
| AWS Secret Key | [0-9a-zA-Z/+=]{40} (only within a few lines of an access key id or an aws_secret_access_key label; on its own it matches any 40-char base64 run) | Base64-like 40-char string |
| GitHub Token | gh[pousr]_[A-Za-z0-9]{36,} (ghp_ personal, gho_ OAuth, ghu_ user-to-server, ghs_ server-to-server, ghr_ refresh); fine-grained PATs start with github_pat_ | ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
| Azure Storage Key | [A-Za-z0-9+/=]{88} | 88-char base64 string |
| JWT | eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+ | eyJhbGciOi... |
| Generic API Key | (?i)(api[_-]?key|apikey|api_secret)['":\s]*[=:]\s*['"][A-Za-z0-9]{20,} | API_KEY = "abc123..." |
| Connection String | (?i)(password|pwd|passwd)[=:][^\s;]{8,} | password=mySecretPwd |
Strings that match no known pattern are still candidates when they are long and high-entropy (random-looking base64 or hex constants); treat such a string as a secret until the author shows otherwise. When a secret is confirmed in the code or in history:
1. Rotate the exposed secret immediately. Assume it is compromised: removing it from history does not undo exposure in clones, forks or CI logs.
2. Remove it from Git history (git filter-repo, or BFG Repo-Cleaner; git filter-branch is deprecated by the git project) and force-push, coordinating with everyone who holds a clone.
3. Move the value to an environment variable or a secret manager, and add the local config file that holds it to .gitignore.
4. Add a pre-commit hook (a scanner such as gitleaks or detect-secrets) so the check runs before every commit.
5. Document the incident in the security log.
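A scanner that applies the pattern table above and falls back to Shannon entropy for strings that match no pattern, with a non-zero exit so it can be wired in as the pre-commit hook of step 4. This is an added example, not the page's own tooling; the sample file contents are constructed (AKIAIOSFODNN7EXAMPLE is the key id AWS uses in its own documentation, every other value is made up), and the 4.0 bits/char entropy threshold is an assumption to tune against your own false-positive rate.

```python
import math
import re
from collections import Counter

# Patterns from the table on this page, each with one named group holding the
# secret value. Beyond the table: the ASIA prefix (AWS temporary credentials)
# and the gho_/ghu_/ghs_/ghr_ and github_pat_ GitHub token prefixes.
PATTERNS = {
    "aws_access_key": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "github_token": re.compile(
        r"\b(?P<secret>gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b"),
    "jwt": re.compile(
        r"(?P<secret>eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|apikey|api_secret)['\":\s]*[=:]\s*['\"](?P<secret>[A-Za-z0-9]{20,})"),
    "password_in_config": re.compile(
        r"(?i)(?:password|pwd|passwd)[=:](?P<secret>[^\s;]{8,})"),
}

# Fallback for strings that match no pattern: long base64/hex-looking tokens
# with high Shannon entropy. Threshold is an assumption (typical tools sit
# between 3.5 and 4.5 bits per character).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s` (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def _preview(secret: str) -> str:
    """Never echo the full secret into a report; show a short prefix only."""
    return secret[:4] + "..."


def scan_lines(lines):
    """Return one finding per detected secret: {line, kind, preview}."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        hit = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "preview": _preview(m.group("secret"))})
                hit = True
        if hit:
            continue  # a pattern match takes precedence over the entropy fallback
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "high_entropy",
                                 "preview": _preview(token)})
    return findings


# Constructed sample file contents for the demonstration.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_' + "A" * 36 + '"',
    'AUTH_HEADER = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl"',
    'DB_CONN = "Server=db;Database=app;User Id=app;Password=Sup3rS3cretPwd;"',
    'SIGNING_SALT = "Zq9xT3mVb8Lk2Rp7Wn4Yc6Hs1Jd5Fg0A"',  # no pattern, high entropy
    'PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',  # long but zero entropy
    'MAX_RETRIES = 3',
]

if __name__ == "__main__":
    import sys
    found = scan_lines(SAMPLE_LINES)
    for f in found:
        print(f"line {f['line']}: {f['kind']} ({f['preview']})")
    sys.exit(1 if found else 0)  # non-zero exit blocks the commit when used as a hook
```

The report only ever carries a four-character prefix of each match: a scanner that prints the full value recreates the exposure in CI logs and review comments, which is exactly the channel step 1 warns about.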
| Severity | Criteria | SLA |
|---|---|---|
| Critical | Exploitable vulnerability, data exposure, auth bypass, hardcoded secret, CC > 50 | Block PR — fix immediately |
| Major | High complexity (CC>20), missing auth checks, no input validation | Block PR — must fix before approval |
| Minor | Style issues, naming conventions, minor code smell | Advisory — fix recommended, not blocking |
| Info | Suggestions, alternative approaches, optimization opportunities | Optional — developer decides |
# Code Review Report — PR #[number]
## Verdict: [APPROVE | REQUEST_CHANGES]
## Iteration: [1/3 | 2/3 | 3/3]
## Summary
[One paragraph: overall code quality assessment]
## Findings
### Critical
- **[CRT-1]** `[file:line]` — [Description]
  - **Category:** [OWASP A0X | Complexity | Secret]
  - **Risk:** [What could go wrong]
  - **Fix:** [Specific remediation]
### Major
- **[MAJ-1]** `[file:line]` — [Description]
  - **Fix:** [Remediation]
### Minor
- **[MIN-1]** `[file:line]` — [Description]
### Info
- **[INF-1]** [Suggestion]
## Metrics Dashboard
| Metric | Value | Threshold | Status |
|--------|-------|-----------|--------|
| Cyclomatic Complexity (max) | [N] | ≤ 20 | [PASS/FAIL] |
| Test Coverage (changed code) | [N]% | ≥ 80% | [PASS/FAIL] |
| CBO (max class) | [N] | ≤ 8 | [PASS/FAIL] |
| Code Duplication | [N]% | ≤ 5% | [PASS/FAIL] |
| Secrets Detected | [N] | 0 | [PASS/FAIL] |
| OWASP Findings (Critical+Major) | [N] | 0 | [PASS/FAIL] |
## OWASP Checklist (Scanned)
- [ ] A01: Access Control
- [ ] A02: Cryptography
- [ ] A03: Injection
- [ ] A04: Insecure Design
- [ ] A05: Misconfiguration
- [ ] A06: Vulnerable Components
- [ ] A07: Authentication
- [ ] A08: Data Integrity
- [ ] A09: Logging
- [ ] A10: SSRF
| | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium Risk | High Risk | Critical Risk |
| Medium Likelihood | Low Risk | Medium Risk | High Risk |
| Low Likelihood | Negligible | Low Risk | Medium Risk |
Use this likelihood-by-impact matrix to prioritize findings when several compete for attention.
Privacy review (LGPD / GDPR), applied when the change touches personal data:
| Check | What to Verify |
|---|---|
| Data Minimization | Only collect data needed for the stated purpose |
| Lawful Basis / Consent | A lawful basis for the processing is documented; where that basis is consent, it is captured before processing and can be withdrawn |
| Right to Deletion | Mechanism exists to delete user data on request |
| Data Portability | Export user data in machine-readable format |
| PII in Logs | No personal data in log files (mask email, IP, names) |
| Encryption at Rest | Sensitive data encrypted in database |
| Encryption in Transit | All API communication over TLS 1.2+ |
| Data Retention | Automated deletion after retention period |
Load references/domain-guide.md when you need: