avoiding-false-positives
Validating Findings
Rejection Criteria
A finding is a false positive — drop it — if ANY of the following are true:
- Pre-existing — code existed before this PR and was not modified by this change
- Not actually buggy — appears wrong but is correct (e.g., variable IS defined, logic DOES produce correct results)
- Pedantic nitpick — a senior engineer would not flag this in a real review
- Linter-catchable — a linter or type checker will catch this; do not duplicate their work
- Generic concern — "lacks test coverage", "general security issue" without a specific, traceable problem
- Explicitly silenced — lint ignore comments, pragma suppressions, or documented exceptions
- Handled elsewhere — error boundaries, middleware, validators, or framework guarantees make the issue moot
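Two of the criteria above, Pre-existing and Explicitly silenced, can be checked mechanically before a reviewer spends judgement on the rest. The following is an added example, not part of the bitwarden/ai-plugins skill: it parses a unified diff, records which new-file lines the PR actually added, and rejects a finding whose line was not touched or whose line carries a suppression comment. The sample diff, the findings, and the list of suppression markers are constructed assumptions.

```python
"""Added example (not the skill's own code): mechanical pre-filter for two
rejection criteria, 'Pre-existing' and 'Explicitly silenced'."""
import re

# Unified-diff hunk header: "@@ -old_start[,old_count] +new_start[,new_count] @@ ..."
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Suppression markers recognised here (an assumed, non-exhaustive list).
SUPPRESSION_RE = re.compile(
    r"#\s*(noqa|nosec|type:\s*ignore|pragma:\s*no cover)"
    r"|eslint-disable|NOLINT|@SuppressWarnings"
)


def parse_diff(diff_text):
    """Return {new_path: {new_line_no: text}} for every line the PR added.

    Only '+' lines count as touched: context lines exist unchanged in the base
    branch, so a finding on one of them is pre-existing by the criteria above.
    """
    added = {}
    path = None    # new-file path of the file being parsed
    new_no = None  # new-file line number of the next line in the current hunk
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if raw.startswith("diff --git "):
            path, new_no = None, None
        elif m:
            new_no = int(m.group(3))
        elif new_no is None:
            if raw.startswith("+++ "):  # new-file header, e.g. "+++ b/app/auth.py"
                path = raw[4:].split("\t")[0].strip()
                path = path[2:] if path.startswith("b/") else path
                added.setdefault(path, {})
            # "--- " old-file header and other preamble carry no line numbers
        elif path is None or raw.startswith("\\"):
            continue  # "\ No newline at end of file" marker
        elif raw.startswith("+"):
            added[path][new_no] = raw[1:]
            new_no += 1
        elif raw.startswith("-"):
            pass  # removed line: has no number in the new file
        else:
            new_no += 1  # unchanged context line
    return added


def reject_reasons(diff_text, path, line_no):
    """Apply 'Pre-existing' and 'Explicitly silenced' to one finding.

    Returns the rejection reasons; an empty list means the finding survives
    these two checks and still needs the judgement criteria and verification.
    """
    touched = parse_diff(diff_text).get(path, {})
    if line_no not in touched:
        return [f"Pre-existing: {path}:{line_no} was not added or modified by this PR"]
    reasons = []
    if SUPPRESSION_RE.search(touched[line_no]):
        reasons.append("Explicitly silenced: flagged line carries a suppression comment")
    return reasons


def triage(diff_text, findings):
    """Return {(path, line): reasons} for each finding; [] means keep and verify."""
    return {(p, n): reject_reasons(diff_text, p, n) for p, n, _ in findings}


# Constructed sample PR diff (not from any real repository).
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -10,7 +10,9 @@ def login(request):
     user = find_user(request.form["email"])
-    if user.check_password(request.form["password"]):
+    password = request.form["password"]
+    if user.check_password(password):
         session["uid"] = user.id
+        log.debug("login ok, password=%s", password)  # nosec
     return redirect("/")
 
 def logout():
"""

# Constructed findings: (path, new-file line, description).
SAMPLE_FINDINGS = [
    ("app/auth.py", 10, "find_user may return None"),                # context line
    ("app/auth.py", 12, "check_password runs before rate limiting"),  # added line
    ("app/auth.py", 14, "plaintext password written to log"),        # added, silenced
    ("app/models.py", 3, "SQL built with string formatting"),        # file not in diff
]

if __name__ == "__main__":
    for (p, n), reasons in triage(SAMPLE_DIFF, SAMPLE_FINDINGS).items():
        verdict = "KEEP (run verification checks)" if not reasons else "DROP: " + "; ".join(reasons)
        print(f"{p}:{n} -> {verdict}")
```

Only the finding on line 12 survives: line 10 is unchanged context, line 14 is explicitly silenced, and app/models.py is not in the diff at all. Note that a survivor is not yet a valid finding; it is merely eligible for the judgement criteria (pedantic, linter-catchable, generic, handled elsewhere) and the verification checks that follow.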
Verification Checks
For each finding that passes rejection criteria, verify ALL three:
- Can you trace the execution path showing incorrect behavior?