AI prompt for a full ASP.NET Core codebase review
Open the project in VS Code, paste this prompt into your AI assistant, and ask for a full-codebase review that returns prioritized, developer-friendly findings.
Copy This Prompt
Paste this into GitHub Copilot Chat or another AI assistant while your ASP.NET Core codebase is open in VS Code.
You are an expert ASP.NET Core architect, security reviewer, and pragmatic technical lead.
Review the full codebase currently open in VS Code. Do not limit the review to the active file. Use workspace search and file inspection to understand the backend, frontend, tests, configuration, infrastructure, and deployment setup.
Think deeply and adversarially. Look for systemic risks, not only local style issues. Do not modify files. Produce a findings report only.
Before starting the review:
- Confirm whether you can search and inspect the workspace. If you cannot, stop and ask me to attach or point you to the required files.
- Build a quick codebase map: projects found, main entry points, important folders, tests, deployment files, and areas you cannot inspect.
- Ask me about anything unclear before continuing. This includes unclear scope, architecture decisions, deployment targets, authentication model, tenancy model, data sensitivity, business rules, or risk tolerance.
- Do not make assumptions. If a decision or context is missing, ask first and wait for my answer.
- If nothing is unclear, say so briefly and continue with the review.
Scope to inspect:
- ASP.NET Core startup, middleware, dependency injection, configuration, authentication, and authorization
- Controllers, minimal APIs, DTOs, validation, error handling, API contracts, and response shapes
- Application services, domain logic, background jobs, messaging, and external integrations
- Entity Framework Core DbContext, entities, migrations, queries, indexes, tracking, and concurrency handling
- Frontend code, routing, API client usage, loading/error/empty states, accessibility, and authentication guards if present
- Tests, test data, integration test setup, and coverage gaps
- Docker, CI/CD, environment variables, deployment configuration, logging, tracing, health checks, and documentation
Review categories:
- Architecture and maintainability
- Security and privacy
- Data access and EF Core performance
- API design and validation
- Reliability and observability
- Performance and scalability
- Testing strategy
- Developer experience and deployment readiness
- Documentation drift
For every finding, classify severity as Critical, High, Medium, Low, or Info:
- Critical: exploitable security issue, likely data loss, production outage risk, or severe authorization failure
- High: likely production defect, serious privacy risk, major performance bottleneck, or breaking API behavior
- Medium: maintainability, reliability, scaling, or correctness issue that should be planned soon
- Low: small cleanup, consistency issue, or local improvement with limited blast radius
- Info: observation, question, or useful context without a required fix
Reporting rules:
- Cite file paths, symbols, and code areas where possible.
- Separate confirmed findings from suspicions or questions.
- Do not invent files, APIs, behavior, or vulnerabilities.
- Never print secret values. If you find a secret, report only the file path, setting name, and a redacted sample.
- Explain why each issue matters in production.
- Suggest the smallest practical fix first.
- If a fix needs a larger refactor, explain the migration path.
- Call out missing context that blocked deeper review.
Return the report in this structure:
0. Codebase map and review scope
- Projects and main entry points found
- Files and folders reviewed
- Areas skipped or unavailable
- Questions answered before review
1. Executive summary
- Overall health score from 1 to 10
- Top 3 risks
- Top 3 highest-impact improvements
2. Findings table
- ID
- Severity
- Category
- Location
- Issue
- Recommended fix
3. Detailed findings
- What is wrong
- Why it matters
- Evidence from the codebase
- Suggested fix
- Tests or checks to add
4. Missing tests
- Unit tests to add
- Integration tests to add
- End-to-end tests to add, if relevant
5. Quick wins
- Changes that are small, safe, and likely to improve quality quickly
6. Open questions
- Questions I should answer before you can finish the review
How To Use It
- Open the ASP.NET Core solution in VS Code.
- Make sure the AI assistant has access to the workspace.
- Paste the prompt above into chat.
- Answer any preflight questions before the review starts.
- Ask follow-up questions on the highest-severity findings first.
- Turn accepted findings into small, reviewable tasks.
If the assistant cannot inspect the whole workspace, point it at the main solution file, startup code, API layer, data layer, tests, and deployment files. The prompt asks it to stop and ask for missing context instead of filling the gaps with confident guesses, which is exactly the energy we want near production code.
What The Prompt Reviews
- Architecture: coupling, layering, dependency direction, duplicated patterns, and overly large classes.
- Security: authentication, authorization, secrets, injection risks, sensitive logging, and data exposure.
- Data access: EF Core query shape, indexes, tracking, migrations, concurrency, and N+1 risks.
- API quality: DTO design, validation, error mapping, status codes, and contract drift.
- Reliability: logging, retries, timeouts, health checks, and failure handling.
- Testing: missing unit, integration, and end-to-end coverage for risky paths.
- Delivery: Docker, CI/CD, environment variables, deployment config, and local setup.
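The reporting rule in the prompt that is worth enforcing outside the assistant as well is the one on secrets: report the file path and setting name with a redacted sample, never the value. As an added illustration (not code from this page or from any project) of what that output should look like, the helper below walks an appsettings-style file and returns one line per secret-looking setting. The key-name heuristic, the `SecretReport` class, the sample appsettings content and its placeholder values are all constructed for this example.

```csharp
// Added example, not code from the page. Applies the prompt's reporting rule
// to an appsettings-style file: emit the setting path and a redacted sample,
// never the value itself. The key-name heuristic and the sample JSON are
// constructed for this example; the values are placeholders, not credentials.
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.RegularExpressions;

public static class SecretReport
{
    // Setting names that usually hold credentials. A heuristic for a report,
    // not a substitute for a real secret scanner.
    private static readonly Regex SecretLikeName = new(
        @"(password|pwd|secret|token|apikey|api_key|connectionstring|privatekey)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Keep only enough of the value to recognise its kind (for example a
    // "sk_test_" prefix) plus its length; everything else is masked.
    public static string Redact(string value)
    {
        if (string.IsNullOrEmpty(value)) return "(empty)";
        var prefix = value.Length > 8 ? value[..4] : "";
        return $"{prefix}**** (length {value.Length})";
    }

    // Walks the document and returns one report line per non-empty string
    // setting whose "A:B:C" path (the .NET configuration convention) looks
    // secret-like.
    public static List<string> Scan(string filePath, string json)
    {
        var findings = new List<string>();
        using var doc = JsonDocument.Parse(json);
        Walk(doc.RootElement, "", filePath, findings);
        return findings;
    }

    private static void Walk(JsonElement element, string path, string filePath, List<string> findings)
    {
        switch (element.ValueKind)
        {
            case JsonValueKind.Object:
            {
                foreach (var prop in element.EnumerateObject())
                    Walk(prop.Value, path == "" ? prop.Name : $"{path}:{prop.Name}", filePath, findings);
                break;
            }
            case JsonValueKind.Array:
            {
                var i = 0;
                foreach (var item in element.EnumerateArray())
                    Walk(item, $"{path}:{i++}", filePath, findings);
                break;
            }
            case JsonValueKind.String:
            {
                var value = element.GetString() ?? "";
                if (value.Length > 0 && SecretLikeName.IsMatch(path))
                    findings.Add($"{filePath} -> {path}: {Redact(value)}");
                break;
            }
        }
    }

    public static void Main()
    {
        // Constructed sample input. PublishableKey is deliberately left alone:
        // it is a public identifier, and the heuristic does not match it.
        const string sample = """
            {
              "ConnectionStrings": { "Default": "Server=db;Database=app;User Id=app;Password=placeholder-password" },
              "Stripe": { "ApiKey": "sk_test_placeholder0000000000", "PublishableKey": "pk_test_placeholder" },
              "Logging": { "LogLevel": { "Default": "Information" } }
            }
            """;

        foreach (var line in Scan("src/Api/appsettings.Development.json", sample))
            Console.WriteLine(line);
    }
}
```

The point of the fixed output shape is that a report line is safe to paste into a ticket or a chat thread: it tells the owner which file and setting to rotate and move to a secret store without copying the credential one step further. Run the same helper over the assistant's report before sharing it, since the prompt's rule is an instruction the model may not follow perfectly.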
Reading The Report
Treat Critical and High findings as the first pass. They usually point to security gaps, data loss risks, production failures, or changes that could break clients. Remember that the assistant has only read the code, not exercised the running system, so reproduce each one (ideally as a failing test) before you schedule the fix, and treat anything it listed under suspicions as unconfirmed until you have.
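What a Critical finding from this review typically looks like in an ASP.NET Core minimal API, as an added illustration that is not code from this page or from any project: the first endpoint is the "severe authorization failure" the prompt's severity scale describes, the second is the smallest practical fix. `Order`, `OrderDto`, `AppDbContext` and the `/orders` route are hypothetical names chosen for the example.

```csharp
// Added example, not code from the page or from any real project. A vulnerable
// minimal API endpoint beside its hardened form. Order, OrderDto, AppDbContext
// and the /orders route are hypothetical.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;

public class Order
{
    public int Id { get; set; }
    public string OwnerId { get; set; } = "";
    public string Status { get; set; } = "";
    public decimal Total { get; set; }
    // Internal field that must never be serialized to a client.
    public string InternalNotes { get; set; } = "";
}

// Response shape: only the fields a client is allowed to see.
public record OrderDto(int Id, string Status, decimal Total);

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Order> Orders => Set<Order>();
}

public static class OrderEndpoints
{
    // BEFORE (Critical): no authorization requirement, no ownership check, and
    // the entity itself is returned, so InternalNotes leaks as well. Any caller,
    // authenticated or not, can walk /orders/1, /orders/2, ... and read every
    // customer's orders.
    public static void MapVulnerable(WebApplication app)
    {
        app.MapGet("/orders/{id:int}", async (int id, AppDbContext db) =>
        {
            var order = await db.Orders.FindAsync(id);
            return order is null ? Results.NotFound() : Results.Ok(order);
        });
    }

    // AFTER (smallest practical fix): the endpoint requires an authenticated
    // principal, ownership is part of the query so another user's order is
    // simply "not found" (no existence oracle), and a DTO controls exactly
    // which fields leave the service.
    public static void MapHardened(WebApplication app)
    {
        app.MapGet("/orders/{id:int}", async (int id, ClaimsPrincipal user, AppDbContext db) =>
        {
            var ownerId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value;
            if (ownerId is null) return Results.Unauthorized();

            var dto = await db.Orders
                .AsNoTracking()
                .Where(o => o.Id == id && o.OwnerId == ownerId)
                .Select(o => new OrderDto(o.Id, o.Status, o.Total))
                .SingleOrDefaultAsync();

            return dto is null ? Results.NotFound() : Results.Ok(dto);
        })
        .RequireAuthorization();
    }
}
```

`RequireAuthorization()` only does its job if the pipeline registers an authentication scheme and calls `UseAuthentication()` and `UseAuthorization()` before the endpoints are mapped, which is exactly the startup and middleware wiring the prompt's scope asks the assistant to inspect. The "tests or checks to add" for this finding are two integration tests: an unauthenticated request to `/orders/{id}` returns 401, and user A requesting user B's order returns 404 with no order fields in the body.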
Treat Medium findings as backlog work with a clear owner. Treat Low and Info findings as cleanup unless they repeat across the codebase. Repeated small issues are often a design smell wearing a tiny hat.
The best outcome is not a huge refactor. The best outcome is a short list of fixes your team can actually ship.