
Use Case: Code Review

Step-by-step walkthrough for performing comprehensive code reviews using FAOS agents and workflows.

Overview

Method               | Duration   | Best For
---------------------|------------|------------------------------------------
Workflow (automated) | 15-30 min  | Full codebase review, CI/CD integration
Agent (interactive)  | Variable   | Specific files, quick checks, discussions

Method 1: Using the Code Review Workflow

The code-review workflow performs a structured, comprehensive review.

Step 1: Start the Workflow

Prompt:

"Run FAOS code-review workflow on the authentication module in src/auth/"

Response:

Starting code-review workflow...
Workflow ID: wfrun_review_001
Status: running
Current step: Analyzing code structure

Review scope:
- src/auth/login.py
- src/auth/session.py
- src/auth/middleware.py
- src/auth/tests/

Focus areas: security, error handling, test coverage

Step 2: Add Focus Areas (Optional)

Prompt:

"Add focus on SQL injection prevention and password hashing to the review"

Step 3: Get Review Results

Prompt:

"Get the output of FAOS workflow wfrun_review_001"

Response:

Code Review Complete

Summary:
- Files reviewed: 4
- Issues found: 12
- Critical: 2
- High: 4
- Medium: 4
- Low: 2

Critical Issues:

1. SQL Injection Vulnerability (src/auth/login.py:45)

Current:
query = f"SELECT * FROM users WHERE email = '{email}'"

Recommended:
query = "SELECT * FROM users WHERE email = %s"
cursor.execute(query, (email,))

Impact: Direct database compromise possible

2. Weak Password Hashing (src/auth/session.py:23)

Current: Using MD5
Recommended: Use bcrypt or argon2

Impact: Password database vulnerable to rainbow tables

High Priority Issues:
[... continues with all findings ...]

Method 2: Using the Dev Agent Interactively

For quick reviews or discussions about specific code.

Review Specific Code

Prompt:

"Use FAOS dev agent to review this authentication code for security issues:

def authenticate(email, password):
    conn = get_db_connection()
    query = f"SELECT * FROM users WHERE email = '{email}'"
    user = conn.execute(query).fetchone()
    if user and user['password'] == hashlib.md5(password.encode()).hexdigest():
        return create_session(user['id'])
    return None
"

Response:

Critical Security Issues Found:

1. SQL Injection (Line 3)
- User input directly interpolated into SQL
- Attacker can bypass auth or dump database

Fix:
query = "SELECT * FROM users WHERE email = ?"
user = conn.execute(query, (email,)).fetchone()

2. Weak Password Hashing (Line 5)
- MD5 is cryptographically broken
- No salt = vulnerable to rainbow tables

Fix:
import bcrypt
if user and bcrypt.checkpw(password.encode(), user['password_hash']):

3. Timing Attack Vulnerability (Line 5)
- String comparison reveals password length

Fix:
import hmac
if user and hmac.compare_digest(computed_hash, stored_hash):

Additional Recommendations:
- Add rate limiting to prevent brute force
- Log failed authentication attempts
- Consider adding 2FA support

Would you like me to provide a fully refactored version?

Request Refactored Code

Prompt:

"Yes, show me the secure version with all fixes applied"
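What a version with all three fixes applied can look like, as an added example written for this page rather than the agent's actual output. It assumes an sqlite3 database with `?` placeholders (matching the fix shown above), stands in for the prompt's `get_db_connection()` and `create_session()` with constructed versions, and substitutes standard-library PBKDF2 for the recommended bcrypt/argon2 so it runs without extra packages.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256

def get_db_connection():
    # Constructed in-memory stand-in for the page's get_db_connection().
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,"
        " salt BLOB NOT NULL, password_hash BLOB NOT NULL)"
    )
    return conn

def hash_password(password, salt):
    # Salted, deliberately slow KDF. The review recommends bcrypt or argon2;
    # PBKDF2 from the standard library is substituted so the example runs offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def register(conn, email, password):
    salt = os.urandom(16)  # per-user salt defeats precomputed (rainbow) tables
    conn.execute(
        "INSERT INTO users (email, salt, password_hash) VALUES (?, ?, ?)",
        (email, salt, hash_password(password, salt)),
    )
    conn.commit()

def create_session(user_id):
    # Stand-in for the page's create_session(); returns an opaque token.
    return {"user_id": user_id, "token": os.urandom(16).hex()}

# Compared against when the email is unknown, so lookups of missing and
# existing accounts take the same time (no account enumeration by timing).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)

def authenticate(conn, email, password):
    # Fix 1: bound parameter. The driver passes email as data, never as SQL text.
    row = conn.execute(
        "SELECT id, salt, password_hash FROM users WHERE email = ?", (email,)
    ).fetchone()
    salt = row["salt"] if row is not None else _DUMMY_SALT
    stored = row["password_hash"] if row is not None else _DUMMY_HASH
    # Fix 2: recompute the salted hash with the same KDF instead of unsalted MD5.
    # Fix 3: compare_digest takes the same time wherever the bytes first differ.
    if hmac.compare_digest(hash_password(password, salt), stored) and row is not None:
        return create_session(row["id"])
    return None
```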

Review for Specific Concerns

Prompt:

"Ask FAOS dev agent to review src/api/payments.py specifically for PCI-DSS compliance"


Multi-File Review Pattern

Step 1: Get Context

Prompt:

"Get FAOS context for the current sprint"

Step 2: Identify Files to Review

Prompt:

"Ask FAOS dev agent: which files in src/checkout/ should be reviewed for the payment integration story?"

Step 3: Review Each Area

Prompt:

"Review src/checkout/payment_processor.py for error handling and edge cases"

Prompt:

"Review src/checkout/receipt_generator.py for proper data validation"

Step 4: Get Summary

Prompt:

"Summarize all the review findings so far and prioritize the fixes"


Review Checklists by Type

Security Review Focus

"Review [code] focusing on: input validation, authentication, authorization, data exposure, injection vulnerabilities, and cryptographic practices"

Performance Review Focus

"Review [code] focusing on: algorithm complexity, memory usage, unnecessary re-renders, N+1 queries, caching opportunities"

Maintainability Review Focus

"Review [code] focusing on: code organization, naming conventions, documentation, test coverage, error handling"


Tips for Better Reviews

Do

  • Provide context - What the code is supposed to do
  • Specify focus areas - Security, performance, patterns
  • Ask follow-up questions - Deep dive into specific issues
  • Request refactored examples - See the fix, not just the problem

Don't

  • Review too much at once - Focus on related files
  • Ignore the test files - Include them in review scope
  • Skip architectural concerns - Ask about overall design
  • Accept first suggestion blindly - Discuss alternatives