At Something Digital, all developer code goes through a review process before being integrated into any codebases that we manage. This Code Review process sometimes raises questions from clients, prospects, and job candidates alike. In this post, I’ll answer some common questions that come up about our code review process.
Why Do You Do Code Review?
Whether it’s code, an important email, a proposal, or a report; it’s always good to have a second set of eyes review the work. Code Review helps reduce the risk of introducing problematic code that cause immediate issues or problems in the future.
What Are You Looking For During Code Review?
Reviewers use several criteria in their evaluation, and we document them to ensure consistency in the process. Here are several important things we check during code review:
– Clarity: Is the code easy to understand and to determine what it delivers? Difficult-to-understand code is likely to introduce maintainability issues in the future.
– Performance: Are there signs that the code might negatively impact performance? We don’t want new code to slow the page.
– Security: Are there any obvious security issues with introducing the code? For example, do we see opportunities for XSS or SQL injection?
– Standards: With multiple authors contributing to a single code base, it quickly becomes messy if everyone follows their preferred coding styles. For this reason, we’ve standardized on PSR-2 and check that authors follow these standards.
What’s The Difference Between Code Review and Quality Assurance?
The distinction is important—code review is not quality assurance. Code review ensures the code is of high quality, but does not guarantee that code is bug-free or meets precise requirements. Instead, code review compliments quality assurance with a shared goal to deliver a high-quality and maintainable product.
As A Client, How Do I Benefit From Code Review?
There are several ways that clients benefit from code review, including, but not limited to, the following:
1. Code review spreads knowledge. It increases the number of team members who understand your codebase, which is important when your lead engineer is unavailable or on vacation and issue arise.
2. It’s much more likely than standard QA to find performance or security issues.
3. It ensures error handling and other standards are followed, helping comply with PCI requirements. In fact, code review itself is mandatory for PCI compliance.
Do You Use Automated Tools?
Yes! We use Scrutinizer which runs static analysis against each pull request our developers submit, which helps to automate this process.
If you have any questions about our code review process that aren’t specifically answered in this post, we’d love to hear from you!
Written by: Max Chadwick, Senior Programmer