
code-review

Comprehensive instructions for building secure, compliant Docker containers within Optum using golden images, SaaS Artifactory authentication, and enterprise best practices.

IDE: claude, codex, vscode
Version: 0.0.0

Optum Python Application Code Review Standards

Golden Image Compliance

Verify all Dockerfiles use Optum golden images from edgeinternal1uhg.optum.com. No external base images allowed. Ensure multi-stage builds are used properly.

Python Code Quality

  • Check for proper error handling and exception management
  • Verify type hints are used where appropriate
  • Ensure proper logging instead of print statements for production code
  • Check for security vulnerabilities in dependencies

API Integration Security

  • Verify OpenAI API client configuration follows security best practices
  • Check that API keys and sensitive data are not hardcoded
  • Ensure proper input validation for any user-facing inputs

Docker Best Practices

  • Verify non-root user usage (nonroot user in golden images)
  • Check proper COPY order for layer caching optimization
  • Ensure proper environment variable configuration
  • Verify health checks are implemented where needed
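
As an added illustration of the golden-image check above and the non-root and multi-stage items in this list (example code written for this page, not part of the Optum standard or of any Optum tooling), the script below reviews a Dockerfile the way the checklist asks: every base image must come from the golden-image registry named in the standard, the build must have more than one stage, and the final stage must not run as root. The registry host and the nonroot user are taken from the text; the two sample Dockerfiles are constructed.

```python
import re

GOLDEN_REGISTRY = "edgeinternal1uhg.optum.com"   # golden-image registry named in the standard
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
USER_RE = re.compile(r"^USER\s+(\S+)", re.I)


def image_registry(image: str) -> str:
    """Registry host of an image reference; '' means the implicit Docker Hub default."""
    first = image.split("/", 1)[0]
    return first if "/" in image and ("." in first or ":" in first or first == "localhost") else ""


def review_dockerfile(text: str) -> list[str]:
    """Findings for the golden-image, multi-stage and non-root checks ([] means pass)."""
    findings, aliases, n_stages, user = [], [], 0, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := FROM_RE.match(line):
            image, alias = m.groups()
            n_stages += 1
            # `FROM <alias>` builds on an earlier stage; anything else must come from the registry
            if image not in aliases and image_registry(image) != GOLDEN_REGISTRY:
                findings.append(f"line {lineno}: base image {image!r} is not from {GOLDEN_REGISTRY}")
            if alias:
                aliases.append(alias)
            user = None          # each stage starts from its base image's default user
        elif m := USER_RE.match(line):
            user = m.group(1).split(":", 1)[0]   # drop an optional ":group"
    if n_stages < 2:
        findings.append("single-stage build: the standard expects a multi-stage build")
    if user is None:
        findings.append("final stage sets no USER; confirm the golden image's nonroot user applies")
    elif user in ("root", "0"):
        findings.append(f"final stage runs as root (USER {user})")
    return findings


# Constructed sample Dockerfiles (not from the page): one compliant, one with three violations.
GOOD_DOCKERFILE = """\
FROM edgeinternal1uhg.optum.com/python:3.11 AS builder
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
FROM edgeinternal1uhg.optum.com/python:3.11-slim
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY . /app
USER nonroot
CMD ["python", "/app/main.py"]
"""
BAD_DOCKERFILE = 'FROM python:3.11\nCOPY . /app\nUSER root\nCMD ["python", "/app/main.py"]\n'
```

Running `review_dockerfile` over both samples returns no findings for the first and three for the second (external base image, single stage, root user), which is the shape of the review note a checklist item would become.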

Supply Chain Compliance

  • Check package dependencies are properly pinned in requirements.txt
  • Ensure all dependencies are from approved sources
  • Verify requirements.txt includes all needed packages

Documentation Quality

  • Check that functions have appropriate docstrings
  • Verify README includes setup and usage instructions
  • Ensure proper comments for complex logic

Dojo Terraform Standards

  • Verify Terraform code follows Optum Dojo standards
  • Check for proper module usage and variable definitions
  • Ensure state management follows best practices
  • Verify security group and IAM role configurations adhere to least privilege principles
  • Ensure proper tagging of resources for cost allocation and management
  • Check for use of remote state backends and locking mechanisms
  • Verify compliance with Optum's naming conventions for resources
  • Ensure Terraform code is formatted using terraform fmt and validated with terraform validate
  • Ensure data is always encrypted at rest and in transit
  • Verify audit logging is enabled for all critical resources
  • Check for regular updates and patching of Terraform modules and providers to mitigate vulnerabilities
  • Ensure proper use of workspaces for different environments (e.g., dev, staging, prod)
  • Verify that sensitive variables are managed securely using tools like HashiCorp Vault or AWS Secrets Manager
  • Ensure compliance with Optum's tagging conventions for resource management and cost tracking

CI/CD Pipeline Review

  • Verify pipelines use secure runners (e.g., uhg-runner)
  • Check for proper secret management in pipelines
  • Utilise github-workflows-dojo* for standard CI/CD practices
  • Ensure automated tests are included in the pipeline
  • Verify deployment steps follow Optum deployment guidelines
  • Check for proper rollback mechanisms in case of deployment failures
  • Ensure compliance checks are integrated into the CI/CD process