“Computers do what they’re told. If they’re told to do the wrong thing, they’re going to do it, and they’re going to do it really, really well.”
That’s how one Gartner analyst characterized the aftermath of Knight Capital’s notorious glitch-triggered stock fiasco, in 2012. The financial firm’s automated routing software, dubbed SMARS, began gobbling up high-priced stocks and then immediately flipping them at undervalued rates. The episode stretched on for 45 minutes and cost Knight $450 million. Only after the company pulled together $400 million in investment capital was it able to remain afloat.
The domino that triggered it all? Someone at Knight had failed to copy new code to a server. An institutional lack of review safeguards magnified the crisis.
“Knight did not have written code development and deployment procedures … and Knight did not require a second technician to review code deployment in SMARS,” Elizabeth Murphy, then secretary of the Securities and Exchange Commission, wrote in a review.
The disaster became an instant code-review case study for all the wrong reasons. And even though most development errors would never be quite so calamitous, it was also an important reminder that meticulousness matters — and that you should always keep your software toolbox stocked with applications to assist the review process.
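The two gaps the SEC review singled out, no second technician on a deployment and one server left running old code, both translate into mechanical checks a deployment pipeline can enforce. The following is an added example, not code from the article or from any of the tools it covers: a two-person approval rule plus a fleet-wide check that every host reports the same release artifact hash before the new code is enabled. The host names, artifacts and approvals are constructed sample data; how the hashes are collected from real hosts (an agent, ssh, a config-management report) is left to the caller.

```python
"""Added example (not from the article): deployment gate combining a two-person
approval rule with a fleet consistency check. Sample data below is constructed."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Deployment:
    """A deployment request: who authored it and who has approved it."""
    author: str
    approvers: set = field(default_factory=set)


def deploy_approved(dep: Deployment) -> bool:
    """Two-person rule: at least one approver who is not the author."""
    return any(a != dep.author for a in dep.approvers)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inconsistent_hosts(expected_sha256: str, reported: dict) -> list:
    """Hosts whose deployed artifact hash differs from the release hash.

    `reported` maps host name -> hex digest of the artifact actually present on
    that host; here it is supplied directly instead of being collected remotely."""
    return sorted(h for h, digest in reported.items() if digest != expected_sha256)


def deployment_gate(dep: Deployment, expected_sha256: str, reported: dict) -> dict:
    """Both checks must pass; the caller enables the new code only when `ok` is True."""
    bad_hosts = inconsistent_hosts(expected_sha256, reported)
    approved = deploy_approved(dep)
    return {"ok": approved and not bad_hosts,
            "approved": approved,
            "inconsistent_hosts": bad_hosts}


# --- constructed sample data (hypothetical release and fleet) ---
RELEASE = b"order-router v2 (constructed sample artifact)"
STALE = b"order-router v1 (constructed sample artifact)"
RELEASE_SHA = sha256_hex(RELEASE)

FLEET = {
    "router-01": sha256_hex(RELEASE),
    "router-02": sha256_hex(RELEASE),
    "router-07": sha256_hex(STALE),    # the server that never received the new code
    "router-08": sha256_hex(RELEASE),
}


if __name__ == "__main__":
    solo = Deployment(author="alice", approvers={"alice"})
    pair = Deployment(author="alice", approvers={"alice", "bob"})
    print(deployment_gate(solo, RELEASE_SHA, FLEET))   # not approved, router-07 stale
    print(deployment_gate(pair, RELEASE_SHA, FLEET))   # approved, but router-07 still stale
```

The gate is deliberately all-or-nothing: a single stale host is enough to block enabling the release, which is the mixed-version condition the article describes.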
Then again, fancy software can’t mask faulty practices.
“The tools are only as good as the users behind them,” Rhea Ghosh, director of engineering at Benchmark Analytics, told Built In in 2020. “The huge mistakes tend to happen because the person doing the review didn’t do so carefully. That just comes down to being diligent.”
The right tools, though, can definitely play a beneficial role.
Here’s a rundown of some notable code-review applications, plus thoughts on various features and drawbacks from Ghosh and a few other software engineering pros.
Top Code Review Tools to Know
GitHub
How firmly established is GitHub? It now ranks among the top 50 websites worldwide, according to the most recent traffic data from SimilarWeb. The Microsoft-owned repo’s half-billion-plus monthly visits best the dense traffic at PayPal and CNN.com. So it makes sense that the version-control platform is also incredibly popular for code review.
GitHub’s intuitive layout, robust support community and open source bent all add to its attractiveness in terms of review, Ghosh said.
“In my experience, a lot of developers are pretty partial to GitHub because they’ve had one of the best interfaces and one of the best experiences with code review for a long time,” she added.
Ghosh noted that GitHub intuitively displays the full set of changes from all files rather than just zeroing in on the latest tweak.
“Let’s say you’re writing a thesis and sent all your chapters to your advisor,” she analogized. “You could send incremental changes too, but it would [also] show what the [previous] set of changes were.”
GitHub’s importance to the open-source community is sometimes misread as making it a poor fit for enterprises. But with offerings like GitHub Enterprise, which adds security controls and can be hosted on-premises or in the cloud, the platform seems bent on shedding that misperception.
“GitHub wasn’t really built for enterprise organizations where different people will need different levels of access and permission,” Ghosh said. “But they’re really making strides in that space.”
GitHub’s internal marketplace, where users can buy apps and extensions, includes a dedicated subcategory for code-review-specific add-ons.
GitLab
Competition drives innovation, market evangelists say. That’s certainly the case where GitLab is concerned. The GitHub competitor notably offers free private repositories, which can be accessed by an unlimited number of collaborators. That seemingly prompted GitHub to match the offer — although free access there is limited to three collaborators.
“People were moving over, because you don’t want to make all your code open source,” said Ali Karbassi, CEO of educational nonprofit We All Code. “That pushed GitHub’s model a little bit.”
GitLab remains an attractive option, however, in part because it has no limit on collaborators.
Some enterprises might prefer GitLab to GitHub for code review, not because of security concerns, Ghosh said, but because it gives users better control over who can access what.
“If you have a relatively large dev team, I think GitLab makes more sense because you can have a lot more granular permissioning.”
Reviewers can access GitLab, for example, without source code permission.
On the flip side, some developers have faulted GitLab for various UX/UI shortcomings — nothing fatal, but there’s room for improvement. In the past, imperfect information architecture and poor contrast were common gripes, compelling GitLab to make major usability improvements.
“They’re doing great work, but their usability and design side need a little bit more work,” Karbassi said. “It’s just a little bit harder to initially grasp.”
Appearing to have heard the criticism, GitLab has developed a robust UX strategy to improve the site’s usability.
Bitbucket
Like GitHub and GitLab, this code-review option is also a source control management platform. And like GitLab, it has a reputation as an intuitive fit for medium-to-large-size organizations, thanks to a similar permissioning flexibility.
Bitbucket also boasts some nifty features that its competitors were either late to adopt or have yet to integrate. The former includes a capability to add screenshots so dev teams can loop in product and UX, as well as less technical folks; the latter includes a tool called the reviewer suggester, which proposes specific reviewers for given pull requests based on criteria like current workload and previous commit contributions.
Appraised Ghosh, “That’s pretty slick.”
Bells and whistles aside, Bitbucket’s biggest draw might be its expediency. It’s an Atlassian product, and many enterprises already use other Atlassian software for project management and product tracking, so it likely feels like a natural progression.
“When companies first want to formalize their product stories and move into a paid tool,” Ghosh said, “[Atlassian project management tool] Jira is often a first tool of choice.”
While out-of-the-box options like GitLab and GitHub also integrate with Jira, they’re trickier to set up. And in the absence of “a really opinionated engineering team,” Ghosh said, “most folks will just go with what’s easiest to integrate.”
RhodeCode
It takes a team of diligent coders to perfect and preserve each line of code, so RhodeCode promotes a collective approach.
According to the company’s website, “Large and growing software teams all over the world use RhodeCode to collaborate in a secure, behind-the-firewall environment.” RhodeCode reinforces this statement by allowing teams to align their efforts with commit code commenting, live code chats and shareable code snippets. Teams can also leverage code tools that allocate review tasks to the appropriate personnel, creating more seamless workflows.
While RhodeCode emphasizes collaboration, this doesn’t mean just anyone has free access to a company’s software. Organizations can adapt the platform to their servers and decide who gets to view sensitive information. As a result, teams remain in complete control of their software and hardware.
Remote, decentralized workforces have become more prevalent in a fast-paced, interconnected ecosystem. RhodeCode’s flexible platform then serves as a potential solution for businesses looking to support global employees and systems.
Crucible
Even though plenty of organizations run their code review process in Bitbucket, Atlassian also offers a dedicated code-review platform called Crucible.
The ramp-up in features includes automatic Jira updates based on review actions; personalized, real-time notifications; and more-in-depth reporting and audit tools. Crucible also supports several version control systems — a selling point for the remaining Git refuseniks out there.
The rub? You’ll feel all those extras in the pocketbook, too. An annual license for a 100-person dev team is $5,500, for instance.
“It’s the kitchen sink, but it can get expensive,” Karbassi said.
But for a deliberate, well-funded enterprise that’s focused more on avoiding embarrassing bugs and glitches than launching new features at rapid-fire clips, it may well be worth the money.
Collaborator by SmartBear
Keeping code neat and organized has become more difficult as software grows in complexity, and companies are taking notice. Referencing SmartBear’s State of Software Quality Report, Frank Kilcommons says, “Quality is a top priority with 75 percent of respondents stating that API quality is ‘very’ or ‘extremely important’ to their organization.”
Teams are finding new ways to tackle this issue with the Collaborator tool from SmartBear. Employees can develop unique workflows with personalized review templates, individual and real-time comments and in-depth audit reports, eliminating the need to retrace steps or hunt down team members for answers.
In addition, Collaborator offers methods that make it easier to meet compliance measures and handle GitHub pull requests.
Software teams too often worry about raising productivity levels while maintaining rigorous attention to detail. Collaborator’s built-in features make juggling these factors more manageable, allowing coders to maximize time and energy.
If organizations want to accelerate collaboration without sacrificing code quality, they may be able to meet their needs with SmartBear’s Collaborator tool.
Gerrit
Gerrit can be thought of as the Brutalist web design of code review — it’s homely, hard to use and its defenders love it. Gerrit diehards are particularly fond of the tool’s one-commit-per-review restriction, which they argue reinforces good development habits. In fact, the focus on a pre-merge workflow is absolute; the tool doesn’t allow post-commit reviews. It’s also free to access and carries name-brand cachet, having been authored and maintained by Google.
But there’s a flipside. Many newcomers feel intimidated by Gerrit's Web 1.0-esque user interface.
“It feels like Linux servers,” Karbassi said. “It's not pretty at all.”
Ghosh is similarly unenthusiastic about its UI and usability.
“It's difficult to navigate and understand,” she said. “It’s surprising that it came out of Google, because it felt so [user-]unfriendly.”
She encountered Gerrit in an organization that was hesitant to go with GitHub due to enterprise security concerns, but Bitbucket would’ve made a better, more intuitive option than Gerrit, she believes.
The time investment needed to master Gerrit might also put off agility-focused startups.
“If you’re a quick-moving startup, you’re probably thinking, ‘We don't have time to set up Gerrit. We’d rather pay Atlassian to give us a clean, reliable product,’” Karbassi said.
Visual Expert
Sometimes the smallest adjustments make all the difference, so Visual Expert spares no line of code from rigorous testing. The code review tool delivers a comprehensive analysis of code gathered from a customer’s preferred platform.
Once teams enter their lines into the Visual Expert repository, they can review their work to understand their code and make any necessary improvements.
The code analyzer tool especially excels in the area of security. According to the company’s main site, “Visual Expert’s code scan detects vulnerabilities, bugs and maintainability issues.”
Another plus is that teams can harness the capabilities of Visual Expert while working with a variety of platforms. Oracle, PowerBuilder and SQL are all compatible with Visual Expert, establishing it as one of the most versatile code analysis providers.
Visual Expert can also analyze multiple applications simultaneously, allowing teams to review their code from different angles without having to slow down their workflows.
JArchitect
While similar to static code analysis tools like Visual Expert, JArchitect is designed specifically with the Java language in mind.
Java architects rely on it to organize their code with over 80 different metrics, revealing ways to fix and simplify code. Programmers can conduct an up-close review of their lines, spotting everything from minor mistakes to structural issues.
In addition, JArchitect demonstrates advanced anticipation skills with its forecasting features. The code analyzer takes advantage of a data-heavy approach to piece together trends based on code metrics, spot hiccups in code processes ahead of time and estimate costs for fixing code errors.
These traits can help teams develop more efficient workflows. That’s probably why big names like Samsung, IBM and Google have adopted the tool.
As in so much tech, one of the biggest buzzwords in code review is automation. Amazon recently announced its CodeGuru review service, which uses machine learning to find and fix bugs. Kiwi startup CodeLingo and GitHub extension Hound also promise automated reviews. But many argue that the top devs still outperform the machines.
“I haven't found any tools that have been able to solve the code review problem better than human interaction,” software engineer Jim Cookas said in 2020. “There’s a lot of value in in-person code reviews: you get better shared understanding and team visibility of what's being built and how — as opposed to keeping it in an AI black box.”
But what’s the solution when that in-person preference butts against our increasingly remote work environments? For Cookas, who works at the fully remote InVision, the widely used teleconferencing app Zoom offers a great workaround — especially for one-on-one reviews with screen-sharing.
“I’m a big proponent of live and synchronous, and I advocate for code reviews over Zoom whenever possible,” he said.
Reviewable
Reviewable makes a suite of services designed to help companies focusing on the GitHub and GitHub Enterprise platforms. Customized colors, visible and hidden changes and preserved line comments are meant to make code reviews easier to read.
Reviewable also aims to make it easier for teams to distinguish between two versions of the same file while tracking where each team member is along the review process.
The tool’s emphasis on GitHub products does create some challenges though. The specialized nature of the tool may require a bit of a learning curve, and its compatibility with other code hosting platforms is limited.
The focused nature of Reviewable still remains a major advantage and has earned the platform a close association with GitHub in coding discussions. Any coder who needs a faster, simpler way to navigate GitHub projects may find a viable path forward with the Reviewable coding package.
GitHub Code Review Apps
The implementation of automated code review tools is less about replacing human help than augmenting it, advocates stress. Like Hound, extensions such as Sider, Code Climate (also Bitbucket compatible) and Codacy (also GitLab and Bitbucket compatible) will highlight relatively simple errors or style issues, like superfluous spaces, trailing whitespace and code complexity and duplication.
“They won’t give you a full view,” Karbassi said, “and it’s usually a report, not an action — they’re not actually committing your code — but it’ll help clean up some small things.”
Several similar extensions and add-ons available in the GitHub ecosystem aren’t strictly code-review tools, but hybrids of sorts — part review and part stats reporting, or technical debt reporting (Code Climate), or code coverage (Coveralls), or static analysis (DeepScan).
“They’re code review, but they’re in between,” Karbassi said.
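Karbassi’s distinction, a report rather than an action, is the essential design property of these add-ons: they never rewrite the code, they only flag it. The following is an added example, not code from the article or from Hound, Sider, Code Climate or Codacy: a minimal report-only checker for three of the issue classes the paragraph lists (trailing whitespace, superfluous spaces and duplicated blocks). It returns findings as (line, message) pairs and leaves the source untouched. The sample source it runs on is constructed.

```python
"""Added example (not from the article or any tool it names): a report-only
style checker. It finds trailing whitespace, superfluous spaces between tokens
and duplicated blocks, and returns findings instead of modifying the code."""
import re
from collections import defaultdict

# Constructed sample: line 2 has trailing spaces, line 3 a double space,
# and lines 2-5 are repeated (modulo whitespace) at lines 8-11.
SAMPLE = """\
def total(items):
    s = 0   
    for  x in items:
        s += x
    return s

def total_again(items):
    s = 0
    for x in items:
        s += x
    return s
"""


def check_trailing_whitespace(lines):
    return [(i, "trailing whitespace")
            for i, ln in enumerate(lines, 1) if ln != ln.rstrip()]


def check_double_spaces(lines):
    """Two or more spaces between non-space tokens; leading indentation is ignored."""
    return [(i, "superfluous spaces")
            for i, ln in enumerate(lines, 1) if re.search(r"\S {2,}\S", ln)]


def check_duplicate_blocks(lines, window=4):
    """Runs of `window` non-blank lines that appear more than once.

    Lines are compared with internal whitespace collapsed, so a style
    difference (like the double space on line 3) cannot hide a duplicate."""
    normalized = [" ".join(ln.split()) for ln in lines]
    seen = defaultdict(list)
    for start in range(len(normalized) - window + 1):
        block = tuple(normalized[start:start + window])
        if all(block):                      # skip windows containing blank lines
            seen[block].append(start + 1)
    return [(starts[0], f"block of {window} lines also appears at line "
                        + ", ".join(str(s) for s in starts[1:]))
            for starts in seen.values() if len(starts) > 1]


def run_checks(source: str) -> list:
    """All findings, sorted by line; the source itself is never changed."""
    lines = source.splitlines()
    return sorted(check_trailing_whitespace(lines)
                  + check_double_spaces(lines)
                  + check_duplicate_blocks(lines))


def format_report(findings) -> str:
    return "\n".join(f"line {line}: {msg}" for line, msg in findings)


if __name__ == "__main__":
    print(format_report(run_checks(SAMPLE)))
```

Because the checker only returns findings, wiring it into a pull-request bot is a matter of posting the report as comments; deciding whether to fix anything stays with the author and reviewer, which is exactly the division of labor the quote describes.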
Review Board
Another potential alternative to Gerrit, this MIT-licensed option is also free, web-based and well-trusted. LinkedIn, Yelp and Cloudera are some of the outfits that have used Review Board, according to the company’s site.
Vivien Kuo, a software engineer at Sprout Social, used Review Board at a previous organization. The tool’s standout advantages include the capability to comment on multiple lines of code, plus a strong command-line interface. “We could post and then it would return a link, which would automatically open up in your web browser,” she said. “That’s really nice.”
Two more selling points: It also doesn’t remove previous acceptances if, for instance, you have to make small post-ship changes in Java. And as Kuo noted, it has strong filtering capabilities.
“There’s a slider near the top of the review where — if you have, say, 10 commits on your branch — you can use the slider to look just at the difference between, say, commit nine and 10,” she said.
“You don't want to read over what you’ve already read. You just want to see the new changes. So that’s a really handy feature.”
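The slider Kuo describes is an incremental diff: the reviewer who has already read revision N wants the difference between revision N and revision N+1, not the whole change against the base branch again. The following is an added example, not code from Review Board: it builds both views for a small change that goes through two review rounds, using Python’s standard difflib. The three versions of the file are constructed; `changed_lines` counts only the added lines so the two views can be compared directly.

```python
"""Added example (not Review Board's code): full diff against the base versus the
incremental diff between two successive revisions of the same change."""
import difflib

# Constructed sample: a base file and two revisions of one review.
BASE = """\
def parse(line):
    key, value = line.split("=")
    return key, value
"""

REV1 = """\
def parse(line):
    key, value = line.split("=", 1)
    return key.strip(), value.strip()
"""

# Round 2 only adds a guard; the split/strip lines from round 1 are unchanged.
REV2 = """\
def parse(line):
    if "=" not in line:
        raise ValueError(f"malformed line: {line!r}")
    key, value = line.split("=", 1)
    return key.strip(), value.strip()
"""


def unified(old: str, new: str, old_name: str, new_name: str) -> str:
    """Unified diff with one line of context, as a single string."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile=old_name, tofile=new_name, n=1))


def changed_lines(old: str, new: str) -> list:
    """Lines added in `new` relative to `old` (the '+' lines, prefix removed).
    The '+++' file header is excluded; content lines starting with '++' would
    need a stricter parser, which this constructed sample does not contain."""
    return [ln[1:].rstrip("\n")
            for ln in unified(old, new, "a", "b").splitlines(keepends=True)
            if ln.startswith("+") and not ln.startswith("+++")]


def review_round(base: str, prev: str, cur: str, round_no: int) -> dict:
    """Both views a reviewer can choose between for round `round_no`."""
    return {
        "full": unified(base, cur, "base", f"rev{round_no}"),
        "incremental": unified(prev, cur, f"rev{round_no - 1}", f"rev{round_no}"),
    }


if __name__ == "__main__":
    views = review_round(BASE, REV1, REV2, 2)
    print("--- full diff against base ---")
    print(views["full"])
    print("--- only what changed since revision 1 ---")
    print(views["incremental"])
```

For the sample, the full view shows four added lines while the incremental view shows only the two-line guard, which is the saving the quote is about.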
The major disadvantage is one that’s common among all similar tools: Though users can gather lots of information, they can't merge to master directly through the application.
“It's still just a tool for us to look at [file differences],” Kuo said.