code-review
Comprehensive instructions for building secure, compliant Docker containers within Optum using golden images, SaaS Artifactory authentication, and enterprise best practices.
IDE: claude, codex, vscode
Version: 0.0.0
Optum Python Application Code Review Standards
Golden Image Compliance
Verify that every `FROM` line in every Dockerfile, including the base of each build stage, pulls an Optum golden image from edgeinternal1uhg.optum.com. No external base images (public registries such as Docker Hub) are allowed. Ensure multi-stage builds are used properly, with build tooling kept in the builder stage and only the runtime artefacts copied into the final image.
Python Code Quality
- Check for proper error handling and exception management
- Verify type hints are used where appropriate
- Ensure proper logging instead of print statements for production code
- Check for security vulnerabilities in dependencies
API Integration Security
- Verify OpenAI API client configuration follows security best practices
- Check that API keys and sensitive data are not hardcoded
- Ensure proper input validation for any user-facing inputs
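The following helpers are an added example for this review standard, not Optum or OpenAI code. Nothing in it calls the API: it shows the configuration pattern a reviewer should expect (credential from the environment, fail closed when it is missing, HTTPS-only gateway URL, bounded timeout), a scanner for the hardcoded-key anti-pattern, and an input validator for user-facing prompts. The `sk-` key pattern and its minimum length, the 4000-character prompt limit and the sample source snippets are assumptions constructed for the demo.

```python
"""Review helpers for the API integration checks: config from env, key scanner, input validation."""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Mapping, Optional

# OpenAI-style secret keys start with "sk-"; the minimum tail length is an assumption for the demo.
HARDCODED_KEY = re.compile(r"""["']sk-[A-Za-z0-9_-]{20,}["']""")
MAX_PROMPT_CHARS = 4000  # assumed product limit, not an OpenAI constant


@dataclass(frozen=True)
class OpenAISettings:
    api_key: str
    base_url: Optional[str]
    timeout_s: float


def load_openai_settings(env: Mapping[str, str]) -> OpenAISettings:
    """Build client settings from the environment, failing closed if the key is absent.

    `env` is passed in (normally os.environ) so the function can be tested offline.
    """
    key = env.get("OPENAI_API_KEY", "").strip()
    if not key:
        raise RuntimeError("OPENAI_API_KEY is not set; refusing to start without a credential")
    base_url = env.get("OPENAI_BASE_URL")  # e.g. an enterprise gateway in front of the API
    if base_url is not None and not base_url.startswith("https://"):
        raise RuntimeError("OPENAI_BASE_URL must be an https:// URL")
    timeout_s = float(env.get("OPENAI_TIMEOUT_S", "30"))  # always bound request time
    return OpenAISettings(api_key=key, base_url=base_url, timeout_s=timeout_s)


def find_hardcoded_keys(source: str) -> List[int]:
    """Return 1-based line numbers in Python source where a literal sk- key appears."""
    return [n for n, line in enumerate(source.splitlines(), 1) if HARDCODED_KEY.search(line)]


def validate_user_prompt(text: str, max_chars: int = MAX_PROMPT_CHARS) -> str:
    """Normalise and bound user input before it reaches the model or the logs."""
    if not isinstance(text, str):
        raise ValueError("prompt must be a string")
    text = unicodedata.normalize("NFC", text)
    # Strip control characters (except newline and tab) that can corrupt logs or framing
    text = "".join(ch for ch in text if ch in "\n\t" or unicodedata.category(ch) != "Cc")
    text = text.strip()
    if not text:
        raise ValueError("prompt is empty")
    if len(text) > max_chars:
        raise ValueError(f"prompt exceeds {max_chars} characters")
    return text


# Constructed review inputs: the first is the anti-pattern, the second the expected form.
BAD_SOURCE = '''
from openai import OpenAI
client = OpenAI(api_key="sk-abcdefghijklmnopqrstuvwxyz012345")
'''
GOOD_SOURCE = '''
import os
from openai import OpenAI
client = OpenAI(api_key=os.environ["OPENAI_API_KEY"])
'''

if __name__ == "__main__":
    print("hardcoded key on lines:", find_hardcoded_keys(BAD_SOURCE))  # [3]
    print("clean source:", find_hardcoded_keys(GOOD_SOURCE))  # []
```

The scanner is deliberately narrow (a quoted literal on one line); treat a hit as a confirmed finding and still run a general secret scanner for other credential types. With the official client, `api_key` can simply be omitted and the library reads `OPENAI_API_KEY` itself, which is the form reviewers should prefer over passing the value through application code.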
Docker Best Practices
- Verify the container runs as a non-root user: the golden images provide a `nonroot` user, so the final stage should end with `USER nonroot`
- Check COPY order for layer caching: copy requirements.txt and install dependencies before copying the application source, so a code change does not re-run pip install
- Ensure environment variables are configured properly and that no secrets are baked into image layers with ENV (inject them at run time instead)
- Verify health checks are implemented where needed
Supply Chain Compliance
- Check package dependencies are properly pinned in requirements.txt
- Ensure all dependencies resolve from approved sources (the Optum SaaS Artifactory index rather than public PyPI, and no direct URL or VCS references that bypass the index)
- Verify requirements.txt includes all needed packages
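The reviewer below is an added example for this review standard, not Optum tooling. It walks a requirements.txt and reports unpinned specifiers, index URLs outside the approved host, direct URL/VCS dependencies, and distributions the application needs that are not listed. The approved host `artifactory.example.optum.com` is a placeholder for the real SaaS Artifactory host, and the sample requirements text is constructed for the demo.

```python
"""Reviews a requirements.txt for pinning, approved index sources and completeness."""
import re
from typing import Iterable, List

APPROVED_INDEX_HOSTS = {"artifactory.example.optum.com"}  # placeholder for the SaaS Artifactory host
INDEX_OPT_RE = re.compile(r"^(-i|--index-url|--extra-index-url)[=\s]+(\S+)")
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*[^\s;#]+")
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


def _normalise(name: str) -> str:
    """PEP 503 style normalisation so Foo_Bar and foo-bar compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def review_requirements(text: str, needed: Iterable[str] = ()) -> List[str]:
    """Return findings for unpinned, unapproved or missing dependencies (empty means clean).

    `needed` lists distribution names the application imports (distribution names,
    not import names: PyYAML rather than yaml); supplying it checks completeness.
    """
    findings: List[str] = []
    pinned = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        index_opt = INDEX_OPT_RE.match(line)
        if index_opt:
            url = index_opt.group(2)
            # strip scheme, path, embedded credentials and port to get the bare host
            host = re.sub(r"^https?://", "", url).split("/")[0].split("@")[-1].split(":")[0]
            if host not in APPROVED_INDEX_HOSTS:
                findings.append(f"line {lineno}: index {url} is not an approved source")
            elif not url.startswith("https://"):
                findings.append(f"line {lineno}: index {url} is not served over HTTPS")
            continue
        if line.startswith("-"):  # -r, -e, --find-links and friends
            findings.append(f"line {lineno}: option {line!r} needs manual review")
            continue
        if re.match(r"^(git\+|https?://|file:)", line) or " @ " in line:
            findings.append(f"line {lineno}: direct URL/VCS dependency {line!r} bypasses the approved index")
            continue
        pin = PIN_RE.match(line)
        if not pin:
            name = NAME_RE.match(line)
            findings.append(f"line {lineno}: {name.group(0) if name else line} is not pinned with ==")
            continue
        pinned.add(_normalise(pin.group(1)))
    for name in sorted(_normalise(n) for n in needed):
        if name not in pinned:
            findings.append(f"{name} is used by the application but missing from requirements.txt")
    return findings


# Constructed sample: one approved index, one public index, two unpinned packages,
# one pinned package with an environment marker.
SAMPLE_REQUIREMENTS = """
--index-url https://artifactory.example.optum.com/artifactory/api/pypi/pypi-remote/simple
--extra-index-url https://pypi.org/simple
openai==1.30.0
requests>=2.31
pydantic
httpx==0.27.0 ; python_version >= "3.9"   # markers are fine, the pin is what matters
"""

if __name__ == "__main__":
    for finding in review_requirements(SAMPLE_REQUIREMENTS, needed={"openai", "httpx", "numpy"}):
        print("-", finding)
```

An `--extra-index-url` pointing at a public index is worth calling out even when the primary index is approved: pip may resolve a name from either index, which is exactly the dependency-confusion path the approved-source rule exists to close.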
Documentation Quality
- Check that functions have appropriate docstrings
- Verify README includes setup and usage instructions
- Ensure proper comments for complex logic
Dojo Terraform Standards
- Verify Terraform code follows Optum Dojo standards
- Check for proper module usage and variable definitions
- Ensure state management follows best practices
- Verify security group and IAM role configurations adhere to least privilege principles
- Ensure resources are tagged according to Optum's tagging conventions for cost allocation and management
- Check for use of remote state backends and locking mechanisms
- Verify compliance with Optum's naming conventions for resources
- Ensure Terraform code is formatted with `terraform fmt` and validated with `terraform validate`
- Ensure data is always encrypted at rest and in transit
- Verify audit logging is enabled for all critical resources
- Check that Terraform module and provider versions are constrained and kept current so that security fixes are picked up
- Ensure proper use of workspaces for different environments (e.g., dev, staging, prod)
- Verify that sensitive variables are managed securely using tools like HashiCorp Vault or AWS Secrets Manager
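The configuration below is an added example for this standard and is not Optum's Dojo module code. It assumes AWS (as the IAM, security group and Secrets Manager items above do) and uses placeholder bucket, table and resource names. It shows the shape a reviewer should expect: remote state with locking and encryption, workspace-driven tags applied through provider `default_tags`, a `sensitive` variable with no default, an IAM policy scoped to one action on one prefix, and a security group whose ingress comes from the load balancer's group rather than `0.0.0.0/0`.

```hcl
# Added example for the Dojo Terraform items; not Optum's Dojo module code.
# Bucket, table and principal names are placeholders, and the layout assumes AWS.

terraform {
  # Remote state with locking and encryption at rest: the bucket is versioned and
  # SSE-enabled (configured out of band), DynamoDB holds the state lock.
  backend "s3" {
    bucket         = "example-tfstate-bucket" # placeholder
    key            = "myapp/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-tfstate-lock" # placeholder
  }
}

provider "aws" {
  region = "us-east-1"

  # Tags applied to every taggable resource; Environment follows the workspace
  # (dev, staging, prod) instead of being hand-typed per resource.
  default_tags {
    tags = {
      Application = var.app_name
      Environment = terraform.workspace
      CostCenter  = var.cost_center
    }
  }
}

variable "app_name" {
  type = string
}

variable "cost_center" {
  type = string
}

variable "vpc_id" {
  type = string
}

variable "alb_security_group_id" {
  type = string
}

# Sensitive input: no default, redacted from plan output, supplied at run time
# from Vault or AWS Secrets Manager rather than committed in a tfvars file.
variable "db_password" {
  type      = string
  sensitive = true
}

# Least-privilege IAM: one named action on one named prefix, not "s3:*" on "*".
resource "aws_iam_role" "app" {
  name = "${var.app_name}-${terraform.workspace}-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "app_read_config" {
  name = "${var.app_name}-${terraform.workspace}-read-config"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-app-config/${terraform.workspace}/*" # placeholder
    }]
  })
}

# Security group: ingress only from the load balancer's group on the app port,
# never cidr_blocks = ["0.0.0.0/0"]; egress limited to HTTPS.
resource "aws_security_group" "app" {
  name   = "${var.app_name}-${terraform.workspace}-app"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.alb_security_group_id]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Two caveats when reviewing against this shape: `default_tags` does not cover resources the provider cannot tag, so those still need checking against the naming convention, and `sensitive = true` only redacts the value from CLI output; it is still written to the state file, which is why encrypted remote state is a prerequisite rather than an option.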
CI/CD Pipeline Review
- Verify pipelines use secure runners (e.g., uhg-runner)
- Check for proper secret management in pipelines
- Use the github-workflows-dojo* workflows for standard CI/CD practices
- Ensure automated tests are included in the pipeline
- Verify deployment steps follow Optum deployment guidelines
- Check for proper rollback mechanisms in case of deployment failures
- Ensure compliance checks are integrated into the CI/CD process