Aikido
Start for Free
No CC required
Rules

How to add explanatory comments to functions for safer and more maintainable code

Readability

Published on:
December 8, 2025
Last updated on:
December 8, 2025
Rule 

Functions without explanatory comments.
Functions without comments are hard to 
understand for other developers.

Supported languages: 45+

Introduction

Functions without comments force developers to infer intent from implementation details alone. This slows down code reviews and makes maintenance more error prone. Missing explanations also hide assumptions around validation, input expectations, or security constraints. Clear documentation reduces misuse and helps teams understand code behavior faster.

Why it matters

Security implications: Missing comments hide assumptions around validation, authorization checks, and trusted inputs, making misuse easier and increasing security risks.

Performance impact: Undocumented functions may be used incorrectly, causing repeated expensive operations, unnecessary parsing, or inefficient data handling.

Maintainability: Developers spend more time reading and reverse engineering logic when intent is not documented, slowing down refactoring and onboarding.

Code examples

❌ Non-compliant:

// No explanation of expected input or security assumptions
function normalizeUser(user) {
    if (!user || typeof user !== 'object') return null;

    return {
        id: String(user.id).trim(),
        email: user.email.toLowerCase(),
        roles: user.roles.filter(r => r !== 'guest')
    };
}

Why it’s wrong: The function processes security relevant fields but does not document assumptions about trusted sources, expected structure, or input constraints.

✅ Compliant:

/**
 * Normalize user data from external input.
 * Expects: `user` contains `id`, `email`, and `roles`.
 * Rejects invalid structures and filters unsafe role values.
 * Ensures normalized identifiers and lowercased email for consistency.
 */
function normalizeUser(user) {
    if (!user || typeof user !== 'object') return null;

    return {
        id: String(user.id).trim(),
        email: user.email.toLowerCase(),
        roles: user.roles.filter(r => r !== 'guest')
    };
}

Why this matters: The comment documents intent, expected inputs, and security constraints, making usage predictable and preventing unsafe integration.

Conclusion

Add clear comments to any function where intent, assumptions, or constraints are not obvious from the signature. Document what the function expects, what it returns, and any security relevant behavior. This improves review quality, reduces misuse, and ensures predictable behavior across the codebase.

Jump to:
Text Link
<div class="toc-wrap"><a class="toc" name=":zap:Part I: Sales Cycle with Potential Lead" fs-toc-element="link"></a></div>

Apply this rule on your repo

Try for free
No card required
Book a demo
Share:

www.aikido.dev/code-quality-rules/how-to-add-explanatory-comments-to-functions-for-safer-and-more-maintainable-code

FAQs

Got Questions?

Should I comment every JavaScript function?

No. Comment functions where behavior is not obvious, especially when handling external input, sensitive data, or complex transformations.

What should a good function comment explain?

Intent, expected parameters, return values, side effects, and any assumptions about trusted or validated data.

Do comments help with security audits?

Yes. Clear comments expose assumptions and constraints, making it easier to reason about validation boundaries and potential misuse.

Can comments replace good naming?

No. Use descriptive names and add comments where naming alone cannot express the underlying intent or constraints.

Do comments impact runtime performance?

No. Comments are stripped out during execution and only improve developer understanding and code safety.

Related rules

December 2, 2025
Vulnerabilities & Threats

PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents

AI-driven GitHub Actions expose new prompt-injection supply chain vulnerabilities.

#AI

#SAST

#Vulnerabilities

December 3, 2025
Vulnerabilities & Threats

Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now

Learn how CVE-2025-55182 and the related Next.js RCE affect React Server Components. See impact, affected versions, and how to fix. Aikido now detects both issues.

#Vulnerabilities

December 2, 2025
Vulnerabilities & Threats

Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame

New research into the Shai Hulud 2.0 malware suggests the username UnknownWonderer1 tells us more about the attackers’ endgame.

#Malware

Get secure for free

Secure your code, cloud, and runtime in one central system.
Find and fix vulnerabilities fast automatically.

Start Scanning
No CC required
Book a demo
No credit card required | Scan results in 32secs.