AI Code Review Checklist

Checklist BUILD

Purpose

Structured checklist for reviewing AI-generated and AI-integrated code covering security, quality, and compliance.

Related Controls

ISO A.5, OWASP LLM09

1. Review Information

Capture metadata about the code review session.

Reviewer: [NAME], [ROLE TITLE]

Date: [DATE]

Repository/Branch: [REPO] / [BRANCH]

PR/MR Number: [NUMBER]

Author: [NAME]

AI Tool Used: [TOOL NAME AND VERSION — e.g., Claude Code, GitHub Copilot, Cursor]

Percentage AI-Generated: [ESTIMATE — e.g., 60%]

Review Type: Standard / Security-Focused / Pre-Production

2. Security Checks

Every AI-generated code review must verify these security items.

  • [ ] No hardcoded secrets — API keys, passwords, tokens, connection strings are not embedded in code
  • [ ] Input validation — All external inputs are validated and sanitized before processing
  • [ ] Output encoding — Outputs are properly encoded to prevent XSS and other injection attacks
  • [ ] Authentication/Authorization — Access controls are correctly implemented; no privilege escalation paths
  • [ ] SQL/NoSQL injection — Database queries use parameterized queries or ORM; no string concatenation
  • [ ] Prompt injection defense — If AI prompts are constructed from user input, proper sanitization and boundary enforcement are applied
  • [ ] Dependency check — New dependencies have been reviewed for known vulnerabilities (CVE check)
  • [ ] Error handling — Errors do not expose stack traces, internal paths, or sensitive information
  • [ ] Logging — Sensitive data is not logged; security events are properly logged

3. AI-Specific Checks

Items specific to code that was generated by or interacts with AI systems.

  • [ ] Hallucination review — AI-generated code does not reference non-existent APIs, libraries, or functions
  • [ ] License compliance — Generated code does not replicate copyrighted or GPL-licensed code without proper attribution
  • [ ] Functionality verification — Every AI-generated function has been tested; no untested dead code
  • [ ] Context leakage — AI prompts or system instructions are not exposed in client-side code
  • [ ] Model API safety — Rate limiting, timeout, and error handling for AI API calls are implemented
  • [ ] Token/cost controls — Maximum token limits are set for AI API calls; no unbounded generation
  • [ ] Fallback behavior — System degrades gracefully when AI service is unavailable
  • [ ] Output filtering — AI outputs are validated/filtered before being displayed to users or used in decisions
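As an added example (not part of the original template), a small Python pre-check that automates two of the items above: the hardcoded-secret check from section 2 and the hallucination review from section 3. The secret-name pattern and the sample snippet are constructed assumptions.

```python
import ast
import importlib.util
import re

# Names that typically hold credentials (assumed pattern; extend for your codebase).
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|passw(or)?d|conn(ection)?[_-]?str", re.I)

def find_hardcoded_secrets(source: str) -> list[str]:
    """'NAME@line' for each non-empty string literal assigned to a secret-like name."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant) \
                and isinstance(node.value.value, str) and node.value.value:
            findings += [f"{t.id}@{node.lineno}" for t in node.targets
                         if isinstance(t, ast.Name) and SECRET_NAME.search(t.id)]
    return findings

def _module_exists(name: str) -> bool:
    try:
        return importlib.util.find_spec(name) is not None
    except (ModuleNotFoundError, ValueError):  # parent exists but is not a package
        return False

def _name_exists(module: str, name: str) -> bool:
    # Importing `module` runs its top-level code: only use this in a trusted environment.
    mod = importlib.import_module(module)
    return hasattr(mod, name) or _module_exists(f"{module}.{name}")  # or an unloaded submodule

def find_hallucinated_imports(source: str) -> list[str]:
    """Imports (modules, or names in `from X import Y`) that do not resolve in this environment."""
    missing = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            missing += [a.name for a in node.names if not _module_exists(a.name)]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            if not _module_exists(node.module):
                missing.append(node.module)
            else:
                missing += [f"{node.module}.{a.name}" for a in node.names
                            if not _name_exists(node.module, a.name)]
    return missing

# Constructed sample of "AI-generated" code; the key is a fake placeholder, not a real credential.
SAMPLE = '''import os
import hallucinated_llm_utils
from json import loads, parse_fast
API_KEY = "sk-constructed-example-not-real"
timeout = "30"
'''
```

Run both functions over each changed file in the PR and attach the output to the review; a non-empty result from either is a finding against the corresponding checklist item.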

4. Code Quality Checks

Standard code quality items that apply to all code regardless of origin.

  • [ ] Tests included — New code has corresponding unit tests with meaningful assertions
  • [ ] Test coverage — Code coverage meets team minimum (target: [X]%)
  • [ ] Documentation — Public APIs and complex logic are documented
  • [ ] Naming conventions — Variables, functions, and classes follow project naming standards
  • [ ] No dead code — Unused imports, variables, and functions are removed
  • [ ] Error handling — Errors are caught, logged, and handled appropriately (not silently swallowed)
  • [ ] Performance — No obvious performance issues (N+1 queries, unbounded loops, memory leaks)
  • [ ] Idempotency — Operations that could be retried are idempotent where applicable

5. Review Outcome

Record the review decision and any required follow-up.

Decision: Approved / Approved with Changes / Request Changes / Rejected

Findings Summary:

  • Critical Issues: [COUNT]
  • Major Issues: [COUNT]
  • Minor Issues: [COUNT]
  • Suggestions: [COUNT]

Required Actions Before Merge:

  1. [ACTION]
  2. [ACTION]

Reviewer Signature: [NAME] — [DATE]
