code-review

📁 groeimetai/snow-flow 📅 Jan 22, 2026

总安装量

周安装量

#10227

全站排名

安装命令

npx skills add https://github.com/groeimetai/snow-flow --skill code-review

Agent 安装分布

claude-code 7

antigravity 6

gemini-cli 5

windsurf 5

codex 5

opencode 5

Skill 文档

ServiceNow Code Review Checklist

Use this checklist when reviewing ServiceNow server-side code (Business Rules, Script Includes, Scheduled Jobs, etc.).

1. ES5 Compliance (CRITICAL)

// CHECK FOR THESE ES6+ VIOLATIONS:
const x = 5;           // â Use var
let items = [];        // â Use var
() => {}               // â Use function()
`template ${var}`      // â Use 'string ' + var
for (x of arr)         // â Use traditional for loop
{a, b} = obj           // â Use obj.a, obj.b

Action: Flag ALL ES6+ syntax as CRITICAL errors.

2. Security Issues

2.1 SQL/GlideRecord Injection

// â DANGEROUS - User input directly in query
gr.addEncodedQuery(userInput);
gr.addQuery('field', userInput);  // OK if validated

// â SAFE - Validate and sanitize
var safeInput = new GlideSysAttachment().cleanFileName(userInput);
gr.addQuery('field', safeInput);

2.2 Cross-Site Scripting (XSS)

// â DANGEROUS - Unescaped output
gs.addInfoMessage(userInput);

// â SAFE - Escape HTML
gs.addInfoMessage(GlideStringUtil.escapeHTML(userInput));

2.3 Access Control

// â MISSING - No ACL check
var gr = new GlideRecord('sys_user');
gr.get(userProvidedSysId);

// â SAFE - Check permissions
var gr = new GlideRecord('sys_user');
if (gr.get(userProvidedSysId) && gr.canRead()) {
  // Process record
}

2.4 Sensitive Data Exposure

// â DANGEROUS - Logging sensitive data
gs.info('Password: ' + password);
gs.info('API Key: ' + apiKey);

// â SAFE - Never log credentials
gs.info('Authentication attempt for user: ' + username);

3. Performance Issues

3.1 Queries in Loops

// â SLOW - N+1 query problem
for (var i = 0; i < userIds.length; i++) {
  var gr = new GlideRecord('sys_user');
  gr.get(userIds[i]);  // Query for each user!
}

// â FAST - Single query
var gr = new GlideRecord('sys_user');
gr.addQuery('sys_id', 'IN', userIds.join(','));
gr.query();
while (gr.next()) { }

3.2 Missing setLimit()

// â SLOW - Could return millions of records
var gr = new GlideRecord('incident');
gr.query();

// â FAST - Limit results
var gr = new GlideRecord('incident');
gr.setLimit(1000);
gr.query();

3.3 Unnecessary Queries

// â WASTEFUL - Query just to check existence
var gr = new GlideRecord('incident');
gr.addQuery('number', incNumber);
gr.query();
if (gr.getRowCount() > 0) { }

// â EFFICIENT - Use get() for single record
var gr = new GlideRecord('incident');
if (gr.get('number', incNumber)) { }

3.4 GlideRecord vs GlideAggregate

// â SLOW - Counting with loop
var count = 0;
var gr = new GlideRecord('incident');
gr.addQuery('active', true);
gr.query();
while (gr.next()) count++;

// â FAST - Use GlideAggregate
var ga = new GlideAggregate('incident');
ga.addQuery('active', true);
ga.addAggregate('COUNT');
ga.query();
var count = ga.next() ? ga.getAggregate('COUNT') : 0;

4. Code Quality Issues

4.1 Hard-coded sys_ids

// â BAD - Hard-coded sys_id (breaks across instances)
var assignmentGroup = '681ccaf9c0a8016400b98a06818d57c7';

// â GOOD - Use property or lookup
var assignmentGroup = gs.getProperty('my.default.assignment.group');
// OR
var gr = new GlideRecord('sys_user_group');
if (gr.get('name', 'Service Desk')) {
  var assignmentGroup = gr.getUniqueValue();
}

4.2 Magic Numbers/Strings

// â BAD - Magic numbers
if (current.state == 6) { }
if (current.priority == 1) { }

// â GOOD - Named constants or comments
var STATE_RESOLVED = 6;
var PRIORITY_CRITICAL = 1;
if (current.state == STATE_RESOLVED) { }

4.3 Missing Error Handling

// â BAD - No error handling
var response = request.execute();
var data = JSON.parse(response.getBody());

// â GOOD - Proper error handling
try {
  var response = request.execute();
  var status = response.getStatusCode();
  if (status != 200) {
    gs.error('API call failed: ' + status);
    return null;
  }
  var data = JSON.parse(response.getBody());
} catch (e) {
  gs.error('Exception: ' + e.message);
  return null;
}

4.4 Proper Logging

// â BAD - No context in logs
gs.info('Error occurred');

// â GOOD - Contextual logging
gs.info('[MyScriptInclude.process] Processing incident: ' +
        current.number + ', user: ' + gs.getUserName());

5. Business Rule Specific

5.1 Recursion Prevention

// â DANGEROUS - Can cause infinite loop
current.update();  // In a Before rule

// â SAFE - Use workflow control
current.setWorkflow(false);
current.update();
current.setWorkflow(true);

5.2 Appropriate Rule Type

// â WRONG - Heavy processing in Before rule
// Before rules should be fast!

// â RIGHT - Use Async for heavy operations
// Move integrations and heavy processing to Async rules

6. Review Output Format

When reviewing code, structure your feedback as:

## Code Review Summary

### Critical Issues (Must Fix)
1. [SECURITY] Description...
2. [ES5] Description...

### Performance Issues (Should Fix)
1. [PERF] Description...

### Code Quality (Nice to Have)
1. [QUALITY] Description...

### Positive Observations
- Good use of...
- Well-structured...

7. Severity Levels

Level	Action	Examples
CRITICAL	Must fix before deployment	Security vulnerabilities, ES6 syntax
HIGH	Should fix	Performance issues, missing error handling
MEDIUM	Recommend fixing	Code quality, hard-coded values
LOW	Consider fixing	Style, minor improvements

GitHub 仓库 ↗ ← 返回陌讯 Skills 聚合平台