codebase-audit-pre-push
Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness.
Best use case
codebase-audit-pre-push is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness.
Teams using codebase-audit-pre-push should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/codebase-audit-pre-push/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How codebase-audit-pre-push Compares
| Feature / Agent | codebase-audit-pre-push | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Deep audit before GitHub push: removes junk files, dead code, security holes, and optimization issues. Checks every file line-by-line for production readiness.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Pre-Push Codebase Audit As a senior engineer, you're doing the final review before pushing this code to GitHub. Check everything carefully and fix problems as you find them. ## When to Use This Skill - User requests "audit the codebase" or "review before push" - Before making the first push to GitHub - Before making a repository public - Pre-production deployment review - User asks to "clean up the code" or "optimize everything" ## Your Job Review the entire codebase file by file. Read the code carefully. Fix issues right away. Don't just note problems—make the necessary changes. ## Audit Process ### 1. Clean Up Junk Files Start by looking for files that shouldn't be on GitHub: **Delete these immediately:** - OS files: `.DS_Store`, `Thumbs.db`, `desktop.ini` - Logs: `*.log`, `npm-debug.log*`, `yarn-error.log*` - Temp files: `*.tmp`, `*.temp`, `*.cache`, `*.swp` - Build output: `dist/`, `build/`, `.next/`, `out/`, `.cache/` - Dependencies: `node_modules/`, `vendor/`, `__pycache__/`, `*.pyc` - IDE files: `.idea/`, `.vscode/` (ask user first), `*.iml`, `.project` - Backup files: `*.bak`, `*_old.*`, `*_backup.*`, `*_copy.*` - Test artifacts: `coverage/`, `.nyc_output/`, `test-results/` - Personal junk: `TODO.txt`, `NOTES.txt`, `scratch.*`, `test123.*` **Critical - Check for secrets:** - `.env` files (should never be committed) - Files containing: `password`, `api_key`, `token`, `secret`, `private_key` - `*.pem`, `*.key`, `*.cert`, `credentials.json`, `serviceAccountKey.json` If you find secrets in the code, mark it as a CRITICAL BLOCKER. ### 2. Fix .gitignore Check if the `.gitignore` file exists and is thorough. If it’s missing or not complete, update it to include all junk file patterns above. Ensure that `.env.example` exists with keys but no values. ### 3. Audit Every Source File Look through each code file and check: **Dead Code (remove immediately):** - Commented-out code blocks - Unused imports/requires - Unused variables (declared but never used) - Unused functions (defined but never called) - Unreachable code (after `return`, inside `if (false)`) - Duplicate logic (same code in multiple places—combine) **Code Quality (fix issues as you go):** - Vague names: `data`, `info`, `temp`, `thing` → rename to be descriptive - Magic numbers: `if (status === 3)` → extract to named constant - Debug statements: remove `console.log`, `print()`, `debugger` - TODO/FIXME comments: either resolve them or delete them - TypeScript `any`: add proper types or explain why `any` is used - Use `===` instead of `==` in JavaScript - Functions longer than 50 lines: consider splitting - Nested code greater than 3 levels: refactor with early returns **Logic Issues (critical):** - Missing null/undefined checks - Array operations on potentially empty arrays - Async functions that are not awaited - Promises without `.catch()` or try/catch - Possibilities for infinite loops - Missing `default` in switch statements ### 4. Security Check (Zero Tolerance) **Secrets:** Search for hardcoded passwords, API keys, and tokens. They must be in environment variables. **Injection vulnerabilities:** - SQL: No string concatenation in queries—use parameterized queries only - Command injection: No `exec()` with user-provided input - Path traversal: No file paths from user input without validation - XSS: No `innerHTML` or `dangerouslySetInnerHTML` with user data **Auth/Authorization:** - Passwords hashed with bcrypt/argon2 (never MD5 or plain text) - Protected routes check for authentication - Authorization checks on the server side, not just in the UI - No IDOR: verify users own the resources they are accessing **Data exposure:** - API responses do not leak unnecessary information - Error messages do not expose stack traces or database details - Pagination is present on list endpoints **Dependencies:** - Run `npm audit` or an equivalent tool - Flag critically outdated or vulnerable packages ### 5. Scalability Check **Database:** - N+1 queries: loops with database calls inside → use JOINs or batch queries - Missing indexes on WHERE/ORDER BY columns - Unbounded queries: add LIMIT or pagination - Avoid `SELECT *`: specify columns **API Design:** - Heavy operations (like email, reports, file processing) → move to a background queue - Rate limiting on public endpoints - Caching for data that is read frequently - Timeouts on external calls **Code:** - No global mutable state - Clean up event listeners (to avoid memory leaks) - Stream large files instead of loading them into memory ### 6. Architecture Check **Organization:** - Clear folder structure - Files are in logical locations - No "misc" or "stuff" folders **Separation of concerns:** - UI layer: only responsible for rendering - Business logic: pure functions - Data layer: isolated database queries - No 500+ line "god files" **Reusability:** - Duplicate code → extract to shared utilities - Constants defined once and imported - Types/interfaces reused, not redefined ### 7. Performance **Backend:** - Expensive operations do not block requests - Batch database calls when possible - Set cache headers correctly **Frontend (if applicable):** - Implement code splitting - Optimize images - Avoid massive dependencies for small utilities - Use lazy loading for heavy components ### 8. Documentation **README.md must include:** - Description of what the project does - Instructions for installation and execution - Required environment variables - Guidance on running tests **Code comments:** - Explain WHY, not WHAT - Provide explanations for complex logic - Avoid comments that merely repeat the code ### 9. Testing - Critical paths should have tests (auth, payments, core features) - No `test.only` or `fdescribe` should remain in the code - Avoid `test.skip` without an explanation - Tests should verify behavior, not implementation details ### 10. Final Verification After making all changes, run the app. Ensure nothing is broken. Check that: - The app starts without errors - Main features work - Tests pass (if they exist) - No regressions have been introduced ## Output Format After auditing, provide a report: ``` CODEBASE AUDIT COMPLETE FILES REMOVED: - node_modules/ (build artifact) - .env (contained secrets) - old_backup.js (unused duplicate) CODE CHANGES: [src/api/users.js] ✂ Removed unused import: lodash ✂ Removed dead function: formatOldWay() 🔧 Renamed 'data' → 'userData' for clarity 🛡 Added try/catch around API call (line 47) [src/db/queries.js] ⚡ Fixed N+1 query: now uses JOIN instead of loop SECURITY ISSUES: 🚨 CRITICAL: Hardcoded API key in config.js (line 12) → moved to .env ⚠️ HIGH: SQL injection risk in search.js (line 34) → fixed with parameterized query SCALABILITY: ⚡ Added pagination to /api/users endpoint ⚡ Added index on users.email column FINAL STATUS: ✅ CLEAN - Ready to push to GitHub Scores: Security: 9/10 (one minor header missing) Code Quality: 10/10 Scalability: 9/10 Overall: 9/10 ``` ## Key Principles - Read the code thoroughly, don't skim - Fix issues immediately, don’t just document them - If uncertain about removing something, ask the user - Test after making changes - Be thorough but practical—focus on real problems - Security issues are blockers—nothing should ship with critical vulnerabilities ## Related Skills - `@security-auditor` - Deeper security review - `@systematic-debugging` - Investigate specific issues - `@git-pushing` - Push code after audit
Related Skills
zeroize-audit
Detects missing zeroization of sensitive data in source code and identifies zeroization removed by compiler optimizations, with assembly-level analysis, and control-flow verification. Use for auditing C/C++/Rust code handling secrets, keys, passwords, or other sensitive data.
wcag-audit-patterns
Conduct WCAG 2.2 accessibility audits with automated testing, manual verification, and remediation guidance. Use when auditing websites for accessibility, fixing WCAG violations, or implementing ac...
vibe-code-auditor
Audit rapidly generated or AI-produced code for structural flaws, fragility, and production risks.
seo-content-auditor
Analyzes provided content for quality, E-E-A-T signals, and SEO best practices. Scores content and provides improvement recommendations based on established guidelines.
seo-audit
Diagnose and audit SEO issues affecting crawlability, indexation, rankings, and organic performance.
aws-security-audit
Comprehensive AWS security posture assessment using AWS CLI and security best practices
security-auditor
Expert security auditor specializing in DevSecOps, comprehensive cybersecurity, and compliance frameworks.
security-audit
Comprehensive security auditing workflow covering web application testing, API security, penetration testing, vulnerability scanning, and security hardening.
production-code-audit
Autonomously deep-scan entire codebase line-by-line, understand architecture and patterns, then systematically transform it to production-grade, corporate-level professional quality with optimizations
local-legal-seo-audit
Audit and improve local SEO for law firms, attorneys, forensic experts and legal/professional services sites with local presence, focusing on GBP, directories, E-E-A-T and practice/location pages.
laravel-security-audit
Security auditor for Laravel applications. Analyzes code for vulnerabilities, misconfigurations, and insecure practices using OWASP standards and Laravel security best practices.
git-pushing
Stage, commit, and push git changes with conventional commit messages. Use when user wants to commit and push changes, mentions pushing to remote, or asks to save and push their work. Also activate...