Code review is essential to shipping quality code. However, there's something of a paradox at the heart of code review.
As humans, we naturally miss things, get the wrong idea, or make mistakes when we're coding. Code review is one of several fail-safes during the software development lifecycle that we hope catches issues before they make it into production.
But here's the problem. Code review is also a largely human process that relies on the reviewer's insight and experience. To spot the problems missed by the original developer, a code reviewer must be engaged and energized. Just as we can lose focus when writing code, so it's easy to miss things during code review if the process squanders our attention.
Code review checklists are one way to help because they reduce the reviewer's cognitive load. Combined with tools that automate parts of the code review process, they give human code reviewers the mental room to focus.
Here are two tools that can help automate parts of your process and make code review simpler.
Static application security testing
Automated code review tools come into their own when they reduce the burden on human reviewers. That makes static application security testing (SAST) the ideal complement to human code review.
As the name suggests, SAST code scanning tools review code at rest: they analyze source (or compiled bytecode) without running it. That distinguishes SAST from dynamic testing (DAST), which probes the running application and the inputs a user or attacker can send to it.
Typically, teams configure static application security testing tools to look for hard-coded secrets such as credentials and API keys, injection flaws that stem from missing input validation, and unsafe use of dangerous APIs. In languages such as C and C++ they also flag memory-safety bugs, and some tools report memory leaks and race conditions, although those are harder to find statically and produce more false positives. Individual developers can run a SAST tool locally at any time. Most often, though, it runs automatically as part of a CI/CD pipeline or as a check on every pull request. You might also have come across SAST on your public GitHub repositories through GitHub code scanning, which uses the CodeQL engine.
As part of a code review, a SAST tool provides additional input that lets a human reviewer feel more confident that the well-known classes of issues are caught. The findings still need human triage, since a SAST tool cannot always tell whether an input is really attacker-controlled and will report some false positives. Most importantly, though, it lets the code reviewer focus on the subjective things that an automated tool can't handle ... yet.
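To make the "code at rest" point concrete, here is a small SAST-style scanner written as an added example for this article; it is not CodeQL or any vendor's product. It parses Python source into an abstract syntax tree and matches patterns on that tree without ever executing the code: a string literal assigned to a name that looks like a credential, a query string built by formatting or concatenation and handed to a database `execute()` call (the classic data validation problem), `eval`/`exec` on a non-literal, and `subprocess` calls with `shell=True`. The rule names, the list of sensitive identifiers and the sample code being scanned are all constructed for the example.

```python
"""Minimal SAST-style scanner: inspects Python source as an AST, never runs it.
Added example for this article, not the code of CodeQL or any other product."""
import ast
import re

# Identifiers that suggest a credential is being assigned (constructed list)
SECRET_NAME = re.compile(r"(password|passwd|secret|api_key|token)", re.I)
# Method names treated as SQL sinks (constructed list)
SQL_SINKS = {"execute", "executemany"}
# subprocess entry points that accept shell=True
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


class Finding:
    def __init__(self, rule, line, detail):
        self.rule, self.line, self.detail = rule, line, detail

    def __repr__(self):
        return f"{self.rule}@{self.line}: {self.detail}"


def _is_string_building(node):
    """True if the expression assembles a string at runtime:
    f-string, '%' formatting, '+' concatenation, or str.format()."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class Scanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Rule 1: sensitive-looking name assigned a non-empty string literal
        for target in node.targets:
            if (isinstance(target, ast.Name) and SECRET_NAME.search(target.id)
                    and isinstance(node.value, ast.Constant)
                    and isinstance(node.value.value, str) and node.value.value):
                self.findings.append(Finding("hardcoded-secret", node.lineno, target.id))
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        # Rule 2: dynamically built string passed straight to a SQL sink.
        # A constant query with a separate parameter tuple is NOT flagged.
        if (isinstance(func, ast.Attribute) and func.attr in SQL_SINKS
                and node.args and _is_string_building(node.args[0])):
            self.findings.append(Finding("sql-string-build", node.lineno, func.attr))
        # Rule 3: eval()/exec() on anything other than a literal
        if (isinstance(func, ast.Name) and func.id in {"eval", "exec"}
                and node.args and not isinstance(node.args[0], ast.Constant)):
            self.findings.append(Finding("dynamic-code-exec", node.lineno, func.id))
        # Rule 4: subprocess.* called with shell=True
        if isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding("shell-true", node.lineno, func.attr))
        self.generic_visit(node)


def scan_source(source, filename="<input>"):
    """Parse `source` and return findings sorted by line number."""
    scanner = Scanner()
    scanner.visit(ast.parse(source, filename))
    return sorted(scanner.findings, key=lambda f: f.line)


# Constructed sample under review; line 6 is the safe, parameterised query.
SAMPLE = '''\
import subprocess
API_TOKEN = "hunter2-not-a-real-token"
def lookup(conn, user_id):
    cur = conn.cursor()
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")
    cur.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    return cur.fetchall()
def run(cmd):
    return subprocess.run(cmd, shell=True)
def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run against the embedded sample it reports the hard-coded token on line 2, the f-string query on line 5, `shell=True` on line 9 and `eval` on line 11, while leaving the parameterised query on line 6 alone. The scanner never imports or executes the sample, which is exactly what "at rest" means; it also shows the limits mentioned above, because it has no idea whether `user_id` is really attacker-controlled, so a human still has to confirm each finding.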
As a code reviewer, part of your job is to get inside the thought process of the developer. And it's usually not enough to outright ask someone because who can fully explain the unwitting assumptions behind their thinking?
Instead, as code reviewers we piece together the what, the how, and the why of a pull request primarily by reading the code itself.
Imagine you're in a maze. Your only choice is to focus on the immediate and then deduce the shape of the maze from what you've seen close-up. Then someone hands you a map and the game changes entirely. While there's still some work to do, the map provides the macro view that explains the paths, turns, and walls you encounter.
Now imagine gaining that kind of sudden insight during a code review.
Using a map in a maze is cheating but code review isn't a game. Code review is essential to ensuring code quality. Code review mapping tools, such as CodeSee's, provide that same type of all-at-once overview as a real map. Sure, you'll need to zoom and study to understand some of the detail but code review maps remove the ambiguity that comes from piecing together the impact of a pull request only from the code.
Automated code review tools let humans focus
When it's done well, human code review helps teams bond, grow, and learn together. It might be a stretch but bear with me here: code review is almost like a ritual. Rituals in all cultures help to communicate and reinforce certain ways of doing things. By performing code reviews together, as people, we remind ourselves of the mistakes we tend to make and also of the things we agreed to do.
Automated code review tools give us the space to focus on those aspects of code review that are essentially human. Whether it's through code review maps that help us see the full picture or SAST code scanning that catches things we might not, automating aspects of code review is something that will improve code quality for just about every team.