# laravel-review

Reviews code for quality, security, and Laravel best practices

## Overview
The laravel-review agent performs comprehensive code reviews focusing on Laravel best practices, security vulnerabilities, performance issues, and code quality. It can review staged changes, pull requests, or run full codebase audits.
## Responsibilities
- PR Reviews - Review pull requests with parallel specialized reviewers
- Staged Review - Review staged changes before commit
- Full Audit - Complete codebase security and quality audit
- Laravel Patterns - Check adherence to Laravel conventions
- Security Analysis - OWASP Top 10 vulnerability detection
- Performance Review - N+1 queries, caching opportunities
## Review Categories
| Category | What It Checks | Severity |
|---|---|---|
| Security | SQL injection, XSS, CSRF, mass assignment | Critical |
| Performance | N+1 queries, missing indexes, inefficient loops | Warning |
| Architecture | Fat controllers, missing service layer, coupling | Info |
| Laravel Patterns | Incorrect facades, missing policies, validation | Info |
| Testing | Missing tests, low coverage, brittle tests | Warning |
## Review Process Flow

```text
┌─────────────────────────────────────────────────────────────┐
│                    Parallel Code Review                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────────┐   ┌─────────────┐   ┌─────────────┐        │
│  │  Security   │   │ Performance │   │   Laravel   │        │
│  │  Reviewer   │   │  Reviewer   │   │  Patterns   │        │
│  └──────┬──────┘   └──────┬──────┘   └──────┬──────┘        │
│         │                 │                 │               │
│         └─────────────────┼─────────────────┘               │
│                           ▼                                 │
│                ┌─────────────────────┐                      │
│                │  Aggregate Issues   │                      │
│                │     by Severity     │                      │
│                └──────────┬──────────┘                      │
│                           ▼                                 │
│                ┌─────────────────────┐                      │
│                │   Generate Report   │                      │
│                │  with Suggestions   │                      │
│                └─────────────────────┘                      │
└─────────────────────────────────────────────────────────────┘
```
## Example Review Output

```markdown
# Review Summary for PR #142

## Critical Issues (2)

### 1. SQL Injection Vulnerability
File: app/Http/Controllers/SearchController.php:45

    // VULNERABLE
    $results = DB::select("SELECT * FROM users WHERE name LIKE '%{$request->q}%'");

    // FIXED
    $results = DB::select("SELECT * FROM users WHERE name LIKE ?", ["%{$request->q}%"]);

### 2. Mass Assignment Vulnerability
File: app/Http/Controllers/UserController.php:23

    // VULNERABLE - Accepts all input
    $user->update($request->all());

    // FIXED - Only validated fields
    $user->update($request->validated());

## Warnings (3)

### 1. N+1 Query Detected
File: app/Http/Controllers/OrderController.php:15

    // N+1 - Each order triggers a user query
    $orders = Order::all();
    foreach ($orders as $order) {
        echo $order->user->name; // N+1!
    }

    // FIXED - Eager load
    $orders = Order::with('user')->get();

### 2. Missing Index
File: database/migrations/create_orders_table.php

The 'status' column is frequently filtered but has no index.

### 3. Missing Test Coverage
File: app/Services/PaymentService.php

New service class has no corresponding tests.
```
## Security Checks

```php
// Patterns the reviewer detects:

// 1. SQL Injection
DB::table('users')->whereRaw("id = " . $id);   // BAD - user input concatenated into the SQL string
DB::table('users')->whereRaw("id = ?", [$id]); // GOOD - value passed as a bound parameter

// 2. XSS Vulnerabilities
{!! $userInput !!} // BAD - Unescaped
{{ $userInput }}   // GOOD - Escaped

// 3. Mass Assignment
User::create($request->all());                   // BAD
User::create($request->validated());             // GOOD
User::create($request->only(['name', 'email'])); // GOOD

// 4. Path Traversal
file_get_contents($request->file); // BAD - the caller controls the path
Storage::get($validatedPath);      // GOOD - validated path, confined to a storage disk

// 5. Open Redirect
return redirect($request->url); // BAD - redirects wherever the caller asks
return redirect()->intended();  // GOOD

// 6. CSRF Missing
// <form method="POST">       // BAD
// <form method="POST">@csrf  // GOOD

// 7. Insecure Deserialization
unserialize($request->data); // BAD - attacker-controlled input can instantiate arbitrary classes
json_decode($request->data); // GOOD
```
## Laravel Pattern Checks

```php
// Patterns enforced:

// 1. Use Eloquent over raw queries
DB::table('users')->where(...); // Consider User::where(...)

// 2. Use policies for authorization
if ($user->id === $post->user_id) { ... } // BAD - ownership check inlined in the controller
$this->authorize('update', $post);       // GOOD

// 3. Use config() over env()
env('APP_DEBUG');    // BAD (except in config files)
config('app.debug'); // GOOD

// 4. Use route names
redirect('/dashboard');         // Avoid
redirect()->route('dashboard'); // GOOD

// 5. Use Form Requests for validation
$request->validate([...]);                          // Inline; prefer a Form Request for complex validation
public function store(StoreUserRequest $request) {} // GOOD

// 6. Avoid logic in Blade
@php $total = $items->sum('price'); @endphp // BAD
{{ $total }} // GOOD (computed in controller/view model)
```
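The Security Checks and Laravel Pattern Checks above describe what the reviewer looks for; the following is an added example (not the agent's own code) of a small rule-based pass in Python over a constructed changeset that applies those checks, adds the missing-test warning from the sample report, groups findings by severity as in the process flow, and applies the "never approve with a security vulnerability" guardrail. The rule regexes, file layout, severities and sample files are assumptions made for this example.

```python
import re
from collections import defaultdict

RULES = [  # (rule, severity, regex applied to one source line, fix); modelled on the page's checks
    ("SQL injection: input interpolated into raw query", "Critical",
     re.compile(r'DB::(?:raw|select|statement)\(\s*"[^"]*(?:\{\$|"\s*\.\s*\$)'), "use ? bindings"),
    ("Mass assignment: $request->all() into a model", "Critical",
     re.compile(r'(?:->|::)(?:create|update|fill)\(\s*\$request->all\(\)'), "use $request->validated()"),
    ("XSS: unescaped Blade echo", "Critical", re.compile(r'\{!!.*!!\}'), "use {{ }}"),
    ("Open redirect", "Critical", re.compile(r'redirect\(\s*\$request->'), "use redirect()->intended()"),
    ("env() outside config/", "Info", re.compile(r'\benv\('), "use config()"),
    ("Hard-coded redirect path", "Info", re.compile(r"redirect\(\s*'/"), "use redirect()->route()"),
]
SEVERITY_ORDER = {"Critical": 0, "Warning": 1, "Info": 2}

# Constructed changeset: a controller, a Blade view, a config file and a new service with no test.
SAMPLE = {
    "app/Http/Controllers/UserController.php": "<?php\n$user->update($request->all());\n"
        "$r = DB::select(\"SELECT * FROM users WHERE name LIKE '%{$request->q}%'\");\n"
        "$ok = DB::select(\"SELECT * FROM users WHERE name LIKE ?\", [\"%{$request->q}%\"]);\n"
        "return redirect('/dashboard');\n",
    "resources/views/profile.blade.php": "<p>{!! $user->bio !!}</p>\n",
    "config/app.php": "'debug' => env('APP_DEBUG', false),\n",
    "app/Services/PaymentService.php": "<?php\nclass PaymentService {}\n",
}

def scan_file(path, source):  # run every line-level rule over one file, return its findings
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, severity, pattern, fix in RULES:
            if rule.startswith("env()") and path.startswith("config/"):
                continue  # env() is only acceptable inside config files
            if pattern.search(line):
                findings.append({"file": path, "line": lineno, "severity": severity, "rule": rule, "fix": fix})
    return findings

def review(files):
    """Scan all files, add the missing-test warning, group by severity, apply the guardrail."""
    findings = [f for path, src in files.items() for f in scan_file(path, src)]
    for path in files:  # the page's Warning #3: a new service class with no corresponding test
        if path.startswith("app/Services/") and path.endswith(".php"):
            test = "tests/Unit/" + path.rsplit("/", 1)[1][:-4] + "Test.php"
            if test not in files:
                findings.append({"file": path, "line": 0, "severity": "Warning", "rule": "Missing test coverage", "fix": "add " + test})
    groups = defaultdict(list)  # 'Aggregate Issues by Severity' stage of the flow
    for f in findings:
        groups[f["severity"]].append(f)
    report = {s: groups[s] for s in sorted(groups, key=SEVERITY_ORDER.__getitem__)}
    report["verdict"] = "BLOCK" if "Critical" in groups else "APPROVE"  # never approve with a vulnerability
    return report
```

Note that the correctly bound `DB::select(... ?, [...])` line in the sample produces no finding, which is the false-positive case a line-level rule most needs to get right.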
## Invoked By Commands

- `/laravel-agent:review:pr` - Review a pull request
- `/laravel-agent:review:staged` - Review staged changes
- `/laravel-agent:review:audit` - Full codebase audit
## Guardrails
The review agent follows strict rules:
- ALWAYS prioritize security issues as critical
- ALWAYS provide fix suggestions with issues
- ALWAYS check for test coverage on new code
- NEVER approve PRs with security vulnerabilities
- NEVER report issues with confidence < 80%
## See Also
- laravel-security - Security-focused agent
- laravel-refactor - Code refactoring
- laravel-testing - Test generation