Skip to content

12.2 Checklists

These checklists are practical, ready-to-use quick references. Copy any checklist into a pull request template, a wiki page, a ticket, or a review meeting agenda, and adapt the items to your context. Treat each item as something a person can verify and answer yes or no. A checklist is a memory aid and a shared standard, not a substitute for judgment; delete items that do not apply and add items your domain requires.

Guidance for using these well:

  • Keep checklists short enough that people actually complete them. If a checklist is routinely skipped, it is too long or too generic.
  • Automate any item a machine can verify (formatting, tests, scans) so humans spend attention on judgment items.
  • Version your checklists and review them periodically. A checklist that never changes is probably not being used.
  • Distinguish blocking items from advisory items when the distinction matters for your process.

Code review checklist

For the reviewer examining someone else's change.

  • The change does what its description and linked ticket say it does.
  • The scope is focused on a single logical concern; unrelated changes are split out.
  • The design fits the existing architecture and does not introduce a simpler-to-avoid coupling.
  • Edge cases, error paths, and failure modes are handled, not just the happy path.
  • Tests exist, are meaningful, and would fail if the behavior regressed.
  • Naming, structure, and comments make the code understandable to a future reader.
  • No secrets, credentials, tokens, or personal data are committed.
  • Security-sensitive input is validated, encoded, or parameterized appropriately.
  • Public interfaces, contracts, and backward compatibility are preserved or intentionally versioned.
  • Logging, metrics, and error reporting are adequate to operate the change in production.
  • Documentation, runbooks, and configuration are updated to match the change.
  • Feedback is separated into blocking issues versus suggestions, and phrased about the code.

Pull request author checklist

For the author before requesting review.

  • The PR is small and focused enough to review carefully in one sitting.
  • The description states what changed, why, and how it was verified.
  • The linked ticket, issue, or design doc gives reviewers the necessary context.
  • All automated checks pass locally or in CI (build, lint, format, tests, scans).
  • New and changed behavior is covered by tests.
  • Mechanical refactors are separated from behavior changes.
  • Self-review is complete: you have read your own diff line by line.
  • No debug code, commented-out blocks, secrets, or stray files remain.
  • Database migrations, feature flags, and config changes are documented and reversible.
  • Breaking changes are called out explicitly with a migration path.
  • Screenshots, recordings, or sample output are included where they aid review.
  • The right reviewers and any required role-based approvers are requested.

Definition of Done

The shared standard a work item must meet before it is considered complete.

  • Acceptance criteria in the ticket are all met and demonstrable.
  • Code is peer reviewed and approved by the required reviewers.
  • Automated tests are written, passing, and merged with the change.
  • Code is merged to the mainline and deploys cleanly through the pipeline.
  • No known defects of the agreed severity threshold remain open.
  • Documentation, help text, and runbooks are updated.
  • Observability is in place: relevant logs, metrics, and alerts exist.
  • Security and privacy implications have been considered and addressed.
  • Accessibility requirements for the change are met where user-facing.
  • Feature flags are configured and the rollout plan is agreed.
  • The product owner or stakeholder has accepted the outcome.
  • Any follow-up work is captured as tracked tickets, not left implicit.

Production launch / go-live readiness

Before shipping a significant change or new service to production.

  • Rollout plan is documented, including staged or canary steps and success criteria.
  • Rollback plan is documented, tested, and can be executed quickly.
  • Capacity and load testing show the system meets expected and peak demand.
  • Monitoring, dashboards, and alerts are live and validated before launch.
  • On-call coverage is scheduled and the responders know the system.
  • Runbooks exist for the most likely failure and operational scenarios.
  • Dependencies, integrations, and third parties are confirmed ready and rate limits understood.
  • Security review and required sign-offs are complete.
  • Data migration, if any, is tested end to end with a verified backout.
  • Feature flags allow disabling the change without a redeploy.
  • Legal, privacy, and compliance approvals are obtained where required.
  • Communications plan covers stakeholders, support, and customers.
  • A go/no-go decision is made by named owners against explicit criteria.

Security review / threat-model checklist

For assessing the security posture of a change or system.

  • Trust boundaries and data flows are identified and documented.
  • Authentication is enforced on every entry point that requires it.
  • Authorization checks enforce least privilege for every action and resource.
  • All external input is validated, and output is encoded for its sink.
  • Secrets are stored in a managed vault, never in code or config, and are rotatable.
  • Data is encrypted in transit and at rest as the classification requires.
  • Dependencies are scanned for known vulnerabilities and kept current.
  • Injection, deserialization, and SSRF risks are mitigated for untrusted input.
  • Security-relevant events are logged without recording sensitive data.
  • Rate limiting, quotas, and abuse protections guard exposed endpoints.
  • Error messages do not leak stack traces, internals, or sensitive detail.
  • Threats identified via STRIDE or similar are recorded with mitigations or accepted risk.
  • Security testing (SAST, DAST, or penetration testing) is planned or complete.

Privacy and data-protection (DPIA-style) checklist

For processing that involves personal or sensitive data.

  • The personal data collected is inventoried, classified, and minimized to what is needed.
  • The lawful basis or authority for each processing purpose is documented.
  • Purpose limitation is enforced: data is used only for the stated purposes.
  • Retention periods are defined and deletion or anonymization is automated.
  • Data subject rights (access, correction, deletion, portability) can be fulfilled.
  • Consent, where relied upon, is freely given, specific, and revocable.
  • Third parties and processors are bound by adequate data-protection terms.
  • Cross-border transfers have an appropriate legal transfer mechanism.
  • Access to personal data is restricted, logged, and reviewed.
  • Privacy risks to individuals are assessed and mitigated or escalated.
  • Data breach detection and notification processes are defined.
  • Privacy by design and default choices are documented for the feature.
  • The data protection officer or privacy reviewer has signed off where required.

Accessibility (WCAG) checklist

For user-facing interfaces, aligned to WCAG principles.

  • All content is reachable and operable using only a keyboard.
  • Focus order is logical and a visible focus indicator is present.
  • Text color contrast meets the target ratio (typically 4.5:1 for body text).
  • Images and non-text content have meaningful alternative text.
  • Form fields have associated labels and clear error messages.
  • Headings, landmarks, and structure are marked up semantically.
  • Interactive components expose correct name, role, and state to assistive tech.
  • Content reflows and remains usable at 200% zoom and on small screens.
  • Time limits are adjustable, and motion or auto-playing content can be paused.
  • Color is not the only means of conveying information.
  • Media has captions and, where needed, transcripts or audio description.
  • The interface is tested with a screen reader and automated accessibility tooling.

API design review checklist

Before publishing or changing an API.

  • Resource and operation naming is consistent and predictable.
  • The contract is specified in a machine-readable schema (for example OpenAPI).
  • Versioning strategy is defined and backward compatibility is preserved or managed.
  • Pagination, filtering, and sorting follow consistent conventions.
  • Error responses use consistent structure, codes, and actionable messages.
  • Authentication and authorization are specified for every operation.
  • Input validation and size limits are defined and enforced.
  • Idempotency is defined for operations where retries are expected.
  • Rate limits, quotas, and throttling behavior are documented.
  • Timeouts, retries, and failure semantics are clear to clients.
  • Sensitive data exposure in responses is minimized and justified.
  • Documentation includes examples for each operation and error case.
  • Deprecation policy and sunset timelines are defined.

Architecture decision (ADR) review checklist

For reviewing a proposed architecture decision record.

  • The context and problem being solved are stated clearly.
  • The decision is stated unambiguously as a single choice.
  • At least two realistic alternatives were considered and compared.
  • Consequences, both positive and negative, are documented.
  • Non-functional impacts (performance, security, cost, operability) are addressed.
  • The decision aligns with existing principles and prior ADRs, or supersedes them explicitly.
  • Affected teams and stakeholders were consulted.
  • The reversibility and cost of change are assessed.
  • Assumptions and constraints are made explicit.
  • The status (proposed, accepted, superseded) is set and dated.
  • The decision is discoverable and linked from relevant systems.
  • Any follow-up actions or migrations are captured as tracked work.

Incident response checklist

During an active production incident.

  • Declare the incident and assign a single incident commander.
  • Assess and communicate severity, scope, and customer impact.
  • Open a dedicated communication channel and incident record.
  • Assign clear roles: commander, communications lead, and operations lead.
  • Prioritize mitigation and restoring service over root-cause analysis.
  • Post regular status updates to stakeholders on a set cadence.
  • Capture a timeline of events, actions, and decisions as they happen.
  • Escalate to additional responders or vendors when needed.
  • Notify legal, security, and compliance if data or regulation is involved.
  • Verify the fix and confirm the system has fully recovered.
  • Formally close the incident and communicate resolution.
  • Schedule the blameless postmortem before people disperse.

Postmortem checklist

For the retrospective review after an incident.

  • The review is blameless and focuses on systems and contributing factors.
  • A factual, timestamped timeline of the incident is documented.
  • Customer and business impact is quantified (duration, scope, cost).
  • Detection is analyzed: how and when the issue was noticed.
  • Response is analyzed: what helped and what slowed recovery.
  • Contributing causes are identified, not just a single root cause.
  • What went well is recorded, as well as what went wrong.
  • Action items are specific, assigned to owners, and have due dates.
  • Action items address prevention, detection, and mitigation.
  • Follow-up items are tracked to completion in the normal backlog.
  • The postmortem is shared broadly so others can learn from it.
  • Systemic patterns across incidents are reviewed periodically.

On-call readiness checklist

Before someone takes an on-call shift.

  • The responder has access to all systems, dashboards, and tools they need.
  • Alerting reaches the responder reliably and is tested.
  • Escalation paths and secondary on-call contacts are known and current.
  • Runbooks exist for the most common and most severe alerts.
  • The responder has completed onboarding or shadowing for these systems.
  • Recent changes, ongoing incidents, and known issues are handed off.
  • Alert thresholds are tuned to minimize noise and false pages.
  • The responder knows how to declare an incident and reach the commander.
  • Access to production is possible from the responder's working environment.
  • Communication channels and stakeholder contacts are documented.
  • The on-call schedule is published and coverage has no gaps.
  • Compensation, expectations, and workload limits for on-call are clear.

SLO definition checklist

When defining a service level objective.

  • The user journey or capability the SLO protects is clearly identified.
  • Service level indicators (SLIs) are defined as clear, measurable quantities.
  • SLIs are measured from the user's perspective where possible.
  • The objective target is set at a level users actually need, not 100%.
  • The measurement window (for example rolling 28 days) is specified.
  • The error budget derived from the target is calculated and understood.
  • A policy defines what happens when the error budget is exhausted.
  • Data sources for the SLIs are reliable and instrumented.
  • Alerting is tied to burn rate, not just threshold breaches.
  • Owners and stakeholders agree the SLO is realistic and meaningful.
  • The SLO is documented and visible on a dashboard.
  • A schedule exists to review and revise SLOs as the service evolves.

CI/CD pipeline checklist

For a continuous integration and delivery pipeline.

  • Every commit triggers an automated build and test run.
  • The pipeline fails fast and reports results clearly to authors.
  • Linting, formatting, and static analysis run automatically.
  • Unit, integration, and relevant end-to-end tests run in the pipeline.
  • Security and dependency scanning run on every build.
  • Build artifacts are versioned, immutable, and stored in a registry.
  • Secrets are injected securely and never printed in logs.
  • Deployments are automated and repeatable across environments.
  • Deployment strategy (canary, blue-green, rolling) is defined and used.
  • Rollback is automated or a single documented action.
  • Pipeline permissions follow least privilege and are auditable.
  • Pipeline configuration is stored in version control as code.
  • Build provenance and a software bill of materials are produced where required.

Infrastructure-as-code review checklist

For reviewing infrastructure defined as code.

  • Changes are expressed entirely in code and applied through the pipeline.
  • A plan or dry-run output is reviewed before apply.
  • State is stored securely with locking to prevent concurrent changes.
  • Resources follow naming, tagging, and ownership conventions.
  • Least-privilege IAM roles and policies are used, with no wildcards where avoidable.
  • Network exposure is minimized; no unintended public access.
  • Secrets and sensitive values are referenced from a vault, not hardcoded.
  • Encryption is enabled for storage, databases, and transit.
  • Changes are idempotent and safe to re-apply.
  • Blast radius is understood; destructive changes are called out.
  • Cost impact of the change is considered.
  • Modules are reusable, versioned, and tested.
  • Drift detection is in place to catch out-of-band changes.

AI/ML model release checklist

Before releasing a machine learning model to production.

  • The model's intended use, scope, and limitations are documented.
  • Training and evaluation data provenance, licensing, and consent are verified.
  • Data and model are versioned and reproducible.
  • Performance is evaluated on representative, held-out test data.
  • Fairness and bias are assessed across relevant subgroups.
  • The model is evaluated against the incumbent or a baseline.
  • Failure modes, edge cases, and out-of-distribution behavior are understood.
  • Safety, misuse, and harmful-output risks are assessed and mitigated.
  • Monitoring for drift, data quality, and performance degradation is in place.
  • A rollback or fallback to a previous model or rule-based path exists.
  • Human oversight or appeal is provided for consequential decisions.
  • Privacy review covers training data and inference inputs and outputs.
  • A model card or equivalent documentation is published for stakeholders.

Data pipeline quality checklist

For a data pipeline that feeds analytics or products.

  • Source data schemas are validated and schema changes are detected.
  • Ingestion handles late, duplicate, and out-of-order records correctly.
  • Data quality checks (completeness, uniqueness, ranges) run automatically.
  • Failed records are quarantined and surfaced, not silently dropped.
  • Transformations are tested with representative and edge-case inputs.
  • The pipeline is idempotent and safe to re-run after failure.
  • Freshness and latency of outputs are monitored against expectations.
  • Lineage is documented so consumers know where data comes from.
  • Personal and sensitive data is classified, masked, or restricted appropriately.
  • Backfills and reprocessing are supported and documented.
  • Alerting notifies owners of failures and quality breaches.
  • Retention and deletion policies are enforced on stored data.
  • Downstream consumers and SLAs are documented.

Open source intake and license review checklist

Before adopting an open source component.

  • The component's license is identified and is on the approved list.
  • License obligations (attribution, copyleft, notices) are understood and met.
  • License compatibility with your distribution model is confirmed.
  • The project is actively maintained and has a healthy community.
  • Known vulnerabilities are checked and the version is current.
  • The dependency and its transitive dependencies are inventoried.
  • Security posture and past incident history are reviewed.
  • The component fills a real need without significant duplication.
  • The exit cost and replaceability of the component are considered.
  • The component is recorded in the software bill of materials.
  • A named owner is responsible for tracking updates and advisories.
  • Contribution-back and internal-fork policies are followed if modified.

Vendor / third-party risk checklist

Before onboarding an external vendor or service.

  • The business need and data the vendor will access are clearly defined.
  • The vendor's security posture is assessed (certifications, audits, questionnaire).
  • Data processing terms, ownership, and deletion on exit are contractually clear.
  • The vendor's subprocessors and data locations are disclosed and acceptable.
  • Compliance with relevant regulations is verified.
  • Uptime, support, and SLA commitments are documented.
  • Breach notification obligations and timelines are in the contract.
  • Access is scoped to least privilege and revocable.
  • Business continuity and the impact of vendor failure are assessed.
  • An exit and data-migration plan exists to avoid lock-in.
  • Costs, renewal terms, and price-change clauses are understood.
  • The vendor is added to the risk register with a review date.

Government compliance (ATO / FedRAMP-style) readiness checklist

For systems requiring formal authorization to operate.

  • The system boundary and data flows are defined and diagrammed.
  • Data is categorized by impact level and sensitivity.
  • The applicable control baseline is selected and tailored.
  • A system security plan documents how each control is implemented.
  • Controls are implemented, evidenced, and mapped to the plan.
  • Continuous monitoring and vulnerability scanning are operational.
  • A plan of action and milestones tracks open findings to remediation.
  • Access control, audit logging, and identity management meet requirements.
  • Encryption uses approved algorithms and validated modules.
  • An incident response plan is documented and tested.
  • A contingency and disaster recovery plan is documented and tested.
  • An independent assessment or audit of controls is completed.
  • The authorizing official has the risk assessment needed to grant authorization.
  • Reauthorization triggers and the ongoing authorization cadence are defined.