Downloads

Download the ColdFusion Code Review Checklist (PDF)

by Aaron Longnion
6 min read

A concise, practical ColdFusion Code review can be the difference between a stable release and a frustrating hotfix sprint. This downloadable resource is a comprehensive, ready-to-use PDF Checklist designed for CFML teams using Adobe ColdFusion or Lucee. It streamlines peer reviews, reduces defects, and establishes consistent engineering Standards without imposing heavy process overhead. Whether you’re formalizing an existing workflow or bootstrapping one from scratch, this Checklist provides a clear path to better Code quality, Security, and maintainability.

Contents show

What You’ll Get

  • A polished, printable PDF (8 pages) with:
  • Review templates:
    • PR Review Notes template for GitHub/GitLab/Bitbucket comments.
    • Sprint Retro Rollup template to track recurring issues.
  • Quick-reference CFML Best practices page (naming, file structure, scopes, reusable components).
  • Links to recommended tools and docs:
    • CFLint config reference.
    • Sample pre-commit hook ideas.
    • CI examples for GitHub Actions, GitLab CI, and Jenkins.
  • Example snippets:
    • Secure cfquery with cfqueryparam.
    • Structured logging conventions.
    • Error handling with try/catch and centralized reporting.

Overview

Who This Is For

  • CFML developers, team leads, QA engineers, DevOps, and security champions who want a repeatable, lightweight process for consistent reviews.
See also  Download Example CFHTTP REST Client Template for ColdFusion

Supported Platforms and Frameworks

  • Adobe ColdFusion 2018/2021/2023
  • Lucee 5.x/6.x
  • Compatible with common CFML frameworks (e.g., ColdBox, FW/1) and libraries.

Why It’s Valuable

  • Eliminates ambiguous “looks good to me” reviews.
  • Promotes security-by-default practices.
  • Encourages Performance Optimization early.
  • Facilitates Onboarding with explicit expectations and examples.

Benefits and Use Cases

  • Faster peer reviews: The checklist reduces back-and-forth by clarifying what to check and why.
  • Fewer production incidents: Proactive checks catch SQL injection, XSS, CSRF, improper scoping, and misconfigurations before merge.
  • Consistent quality: Shared Standards improve code readability and maintainability across modules and teams.
  • Onboarding accelerator: New hires can follow a structured review process without tribal knowledge.
  • Audit-ready: Provides documented evidence of code review rigor aligned with OWASP and secure coding Best practices.
  • Performance gains: Early detection of inefficient queries, unscoped variables, unnecessary session usage, and chatty I/O.

How to Download and Use the Checklist

Step 1: Download

  • Click the Download button on this page to get the PDF: ColdFusion Code Review Checklist (PDF).
  • Save locally or to a shared drive (e.g., your team’s wiki, SharePoint, or repo docs folder).

Step 2: Configure for Your Team

  • Open the PDF and review the severity tags.
  • Mark any non-applicable checks as “N/A” or adjust severities to match your risk profile.
  • If your team uses GitHub/GitLab:
    • Copy the included PR Review Notes template into your repo’s pull request template.
    • Add a link to the checklist in your CONTRIBUTING.md.

Step 3: Use During Code Reviews

  • For every PR or commit requiring review:
    • Skim the “Must-Fix” section first (security and correctness).
    • Proceed through the Security → Performance → Maintainability → SQL → Error Handling → Testing/CI → Deployment sequence.
    • Annotate the PR using the provided comment phrases for consistency.

Step 4: Post-Review Follow-Up

  • Log recurring issues in the Retro Rollup page to inform training and Refactoring priorities.
  • Update the checklist locally when your standards evolve (e.g., new logging or monitoring requirements).

Checklist Categories and Example Items

Security (Must-Fix Priority)

  • Validate and encode all untrusted input for context (HTML, JS, URL).
  • Use parametrized queries:
    • Example: cfqueryparam value="#form.userId#" cfsqltype="cf_sql_integer" rather than string concatenation.
  • Enforce CSRF tokens for form actions and sensitive endpoints.
  • Restrict scope leakage (e.g., avoid implicit variables misuse; prefer explicit scoping).
  • Sanitize file uploads: whitelist extensions and validate MIME types.
  • Secrets management: Do not commit keys/passwords. Load via environment or secure vault.
  • Disable debug output in production; verify secure error templates.
See also  Download the ColdFusion CFScript Style Guide (PDF)

Performance

  • Cache expensive queries and function output appropriately using cachedwithin or framework caching.
  • Avoid N+1 queries and unnecessary loops around DB calls.
  • Set appropriate query timeouts and use indexes in frequently-filtered columns.
  • Prefer structKeyExists() and isNull() checks for clarity and performance.
  • Avoid heavy session usage; reduce session size and lifespan.

Maintainability & Readability

  • Use consistent naming, file structure, and component boundaries.
  • Prefer CFScript or tag-based code consistently within a module; avoid haphazard mixing.
  • Keep functions small and single-purpose; add Javadoc-style docblocks for public APIs.
  • Explicit scoping (var, local, arguments) in functions to avoid scope creep.
  • Remove commented-out dead code and unused imports or tags.

Database & SQL

  • Use cfqueryparam for all dynamic values.
  • Keep SQL in views or DAOs; avoid building queries in controller layers.
  • Verify transaction boundaries with cftransaction for multi-statement operations.
  • Ensure proper isolation levels and optimistic locking where appropriate.
  • Review migrations for idempotency and safe rollbacks.

Error Handling & Logging

  • Wrap risky operations in try/catch; rethrow or log with context:
    • Example: cfcatch.type, request ID, user ID, and correlation data.
  • Use structured logs (JSON if feasible) and centralize via Logstash/Splunk.
  • Avoid logging secrets or PII; mask sensitive fields.
  • Confirm global error handlers are configured (e.g., onError.cfm or Application.cfc handlers).

Testing & CI

  • Unit tests for core logic; Integration tests for key flows.
  • Add linting with CFLint; break builds on Must-Fix findings.
  • Integrate static analysis and basic SAST in CI (e.g., SonarQube, Fortify if available).
  • Enforce code coverage thresholds suitable for your codebase.

Deployment & Configuration

  • Environment-specific configs must not be hard-coded.
  • Disable cfdebug and template caching only where intentional; validate production flags.
  • Verify health checks, monitoring, and alerting are configured.
  • Document rollout plan and rollback steps in the PR.
See also  Download OpenAPI (Swagger) Spec Template for ColdFusion APIs

Best Practices

Team Workflow

  • Establish a Definition of Done that includes the checklist.
  • Use two levels of severity: “Must-Fix before merge” and “Track for refactor.”
  • Rotate reviewer roles to spread knowledge and reduce bottlenecks.

Tooling Integrations

  • CFLint: Add a .cflintrc aligned with the checklist; run in CI.
  • Pre-commit hooks: Block commits with obvious anti-patterns (e.g., cfquery without cfqueryparam).
  • GitHub Actions/GitLab CI/Jenkins: Automate linting, unit tests, and packaging with environment matrix for Adobe CF and Lucee.

Key Takeaways

  • The checklist standardizes CFML code review across security, performance, maintainability, and deployment.
  • Embedded examples and templates speed up reviews and help onboard new team members.
  • Combine the PDF with CFLint, unit tests, and CI gating for measurable quality gains.
  • Prioritize “Must-Fix” security and correctness items to prevent production incidents.
  • Keep the checklist living: adapt severities and examples as your codebase evolves.

FAQ

How is this different from a generic code review checklist?

It’s tailored for ColdFusion/CFML specifics: cfqueryparam, scoping, session usage, Application.cfc conventions, Lucee/Adobe differences, and common CFML security pitfalls. Generic lists rarely cover these nuances.

Can I use this with both Adobe ColdFusion and Lucee?

Yes. The criteria apply to both. Notes highlight minor differences (e.g., admin settings, cache behaviors) where relevant, and you can mark non-applicable items as “N/A.”

Do I need extra tools to benefit from this?

No. The PDF stands alone. However, pairing it with CFLint and basic CI checks provides the best results, catching issues automatically before human review.

Can I modify the checklist for my organization?

Absolutely. The PDF is structured so teams can annotate severities and add project-specific items. Consider maintaining a team version in your repo’s docs/ folder and linking it in your PR template.

Does the checklist include security standards like OWASP?

It maps to common OWASP concerns (injection, XSS, CSRF, sensitive data exposure) and translates them into ColdFusion-specific checks with examples and guidance.

About the author

Aaron Longnion

Aaron Longnion

Hey there! I'm Aaron Longnion — an Internet technologist, web software engineer, and ColdFusion expert with more than 24 years of experience. Over the years, I've had the privilege of working with some of the most exciting and fast-growing companies out there, including lynda.com, HomeAway, landsofamerica.com (CoStar Group), and Adobe.com.

I'm a full-stack developer at heart, but what really drives me is designing and building internet architectures that are highly scalable, cost-effective, and fault-tolerant — solutions built to handle rapid growth and stay ahead of the curve.

View all posts

You may also like