{
    "slug": "code_review",
    "term": "Code Review",
    "category": "general",
    "difficulty": "beginner",
    "short": "A systematic peer examination of source code before merging, catching bugs, sharing knowledge, and enforcing standards.",
    "long": "Code review is one of the most cost-effective quality practices: bugs caught at review are orders of magnitude cheaper to fix than in production. Effective reviews focus on correctness, security, design quality, and knowledge transfer — not style (automate that with linters). Reviewers should ask: Does this code do what it claims? Are edge cases handled? Are there security implications? Is it testable? Timely reviews (within hours, not days) and a respectful culture are essential. Pair programming can replace some async review in high-trust teams.",
    "aliases": [
        "PR review",
        "pull request review",
        "peer review",
        "code inspection"
    ],
    "tags": [
        "team-process",
        "quality",
        "collaboration",
        "workflow"
    ],
    "misconception": "Code review is primarily about catching bugs. Research shows reviews catch fewer bugs than automated testing — their real value is knowledge sharing, consistency enforcement, and collective code ownership.",
    "why_it_matters": "Code review catches bugs, spreads knowledge, and enforces standards before code reaches production — it is the highest-leverage quality practice a team can adopt. Reviews also document why decisions were made, which is often more valuable than the code itself.",
    "common_mistakes": [
        "Reviewing style and formatting instead of logic and design — automate style with linters, save human attention for intent.",
        "Approving large PRs without reading them carefully to avoid conflict — large PRs should be split, not rubber-stamped.",
        "Leaving vague comments (\"fix this\") without explanation or suggestion — reviewers should explain the problem and propose a direction.",
        "Treating code review as a gate rather than a conversation — the goal is shared understanding, not gatekeeping."
    ],
    "when_to_use": [
        "Every change to a shared codebase — a second pair of eyes catches bugs, design issues, and missing test cases.",
        "Enforcing architectural decisions and conventions that cannot be automated.",
        "Knowledge sharing — reviewers learn the codebase and authors learn from reviewer expertise.",
        "Security-sensitive changes — a dedicated security review catches vulnerabilities that functional review misses."
    ],
    "avoid_when": [
        "Using code review as a gatekeeping ritual that blocks merges for trivial style issues — automate style with linters.",
        "Reviewing 1000-line PRs — large reviews are ineffective; keep PRs small and focused.",
        "Reviewing without running the code or tests — a review that only reads the diff misses runtime behaviour.",
        "Nitpicking in a way that demoralises authors — distinguish must-fix blocking issues from optional suggestions."
    ],
    "related": [
        "static_analysis",
        "test_driven_development",
        "pair_programming"
    ],
    "prerequisites": [
        "pr_description_template",
        "git_hooks_workflow",
        "static_analysis"
    ],
    "refs": [
        "https://google.github.io/eng-practices/review/"
    ],
    "bad_code": "// Code review anti-patterns:\n// Reviewer: 'LGTM' after 30 seconds on a 500-line PR\n// No review checklist — misses security, performance, edge cases\n// Author defensive about feedback — treats review as criticism\n// PRs too large — impossible to review meaningfully\n// No review culture — all PRs merged by author without review\n\n// Better:\n// PRs < 400 lines\n// Checklist: correctness, security, tests, naming, edge cases\n// Reviewer explains why, not just what to change",
    "good_code": "# Security-focused code review checklist (PHP)\n\n# Authentication & Authorisation\n[ ] Session regenerated after login\n[ ] Every endpoint has an authorisation check\n[ ] Sensitive actions require re-authentication\n\n# Input Handling\n[ ] All user input validated before use\n[ ] No raw user input in SQL queries (prepared statements only)\n[ ] HTML output escaped with htmlspecialchars() (ENT_QUOTES, UTF-8)\n[ ] File uploads: server-side content-type check (not the client-supplied header) + random filename + stored outside webroot\n\n# Cryptography\n[ ] Passwords: password_hash()/password_verify() — not md5/sha1\n[ ] Tokens: random_bytes() — not rand()/uniqid()\n[ ] Sensitive comparisons: hash_equals()\n\n# Error Handling\n[ ] display_errors = Off in production\n[ ] No stack traces in API responses\n[ ] Errors logged internally, not exposed\n\n# Dependencies\n[ ] composer audit passes with no critical CVEs",
    "quick_fix": "Review for correctness first, then readability — use a checklist: security, error handling, test coverage, naming, and performance implications.",
    "severity": "info",
    "effort": "medium",
    "created": "2026-03-15",
    "updated": "2026-03-25",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/code_review",
        "html_url": "https://codeclaritylab.com/glossary/code_review",
        "json_url": "https://codeclaritylab.com/glossary/code_review.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Code Review](https://codeclaritylab.com/glossary/code_review) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/code_review"
            }
        }
    }
}