8 Code Review Tools to Know
“Computers do what they're told. If they're told to do the wrong thing, they're going to do it, and they're going to do it really, really well.”
That’s how one Gartner analyst characterized the aftermath of Knight Capital’s notorious glitch-triggered stock fiasco, in 2012. The financial firm’s automated routing software, dubbed SMARS, began gobbling up high-priced stocks and then immediately flipping them at undervalued rates. The episode stretched on for 45 minutes and cost Knight $450 million. Only after the company pulled together $400 million in investment capital was it able to remain afloat.
The domino that triggered it all? Someone at Knight had failed to copy new code to a server. An institutional lack of review safeguards magnified the crisis.
“Knight did not have written code development and deployment procedures … and Knight did not require a second technician to review code deployment in SMARS,” Elizabeth Murphy, then secretary of the Securities and Exchange Commission, wrote in a review.
The disaster became an instant code-review case study for all the wrong reasons. And even though most development errors would never be quite so calamitous, it was also an important reminder that meticulousness matters — and that you should always keep your software toolbox stocked with applications to assist the review process.
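The two gaps the SEC review names above, a server that never received the new code and no second technician checking the deployment, are the kind of thing a release gate can catch mechanically. The following is an added example, not code from the article or from Knight Capital: it refuses to activate a release unless every target host holds exactly the approved artifact and someone other than the author has approved it. The host reports are constructed sample data; a real gate would collect digests from the hosts themselves.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Release:
    version: str
    artifact: bytes                  # the build that was reviewed and approved
    author: str
    approvers: set = field(default_factory=set)

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.artifact).hexdigest()


def digest_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def deployment_gate(release: Release, host_contents: dict) -> list:
    """Return the list of blocking problems; an empty list means safe to activate.
    host_contents maps host name -> bytes actually present on that host (None = absent)."""
    problems = []
    # 1. Four-eyes rule: a second technician, distinct from the author, must approve.
    if not (release.approvers - {release.author}):
        problems.append("no approval from a second technician")
    # 2. Consistency: every host must carry exactly the approved artifact,
    #    so a single forgotten server blocks the whole activation.
    expected = release.digest
    for host, content in sorted(host_contents.items()):
        if content is None:
            problems.append(f"{host}: artifact missing (copy never happened)")
        elif digest_of(content) != expected:
            problems.append(f"{host}: stale artifact {digest_of(content)[:12]}")
    return problems


if __name__ == "__main__":
    # Constructed sample: eight hosts, one of which never received the new code.
    rel = Release("2.1.0", b"new routing build", author="alice", approvers={"alice", "bob"})
    fleet = {f"router-0{i}": rel.artifact for i in range(1, 8)}
    fleet["router-08"] = b"old routing build"      # the forgotten server
    for problem in deployment_gate(rel, fleet):
        print("BLOCKED:", problem)
```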
Top Code Review Tools
- Code Climate
- Review Board
Then again, fancy software can’t mask faulty practices.
“The tools are only as good as the users behind them,” Rhea Ghosh, director of engineering at Benchmark Analytics, told Built In. “The huge mistakes tend to happen because the person doing the review didn't do so carefully. That just comes down to being diligent.”
The right tools, though, can definitely play a beneficial role.
Here’s a rundown of some notable code-review applications, plus thoughts on various features and drawbacks from Ghosh and a few other software engineering pros.
GITHUB
How firmly established is GitHub? It now ranks among the top 50 websites worldwide, according to the most recent traffic data from SimilarWeb. The Microsoft-owned repo’s half-billion-plus monthly visits bests the dense traffic at PayPal, CNN.com and YouPorn. That's right, it outperforms even free porn. So it makes sense that the version-control platform is also incredibly popular for code review.
GitHub’s intuitive layout, robust support community and open source bent all add to its attractiveness in terms of review, Ghosh told Built In.
“In my experience, a lot of developers are pretty partial to GitHub because they've had one of the best interfaces and one of the best experiences with code review for a long time,” she said.
Ghosh noted that GitHub intuitively displays the full set of changes from all files rather than just zeroing in on the latest tweak.
“Let's say you’re writing a thesis and sent all your chapters to your advisor,” she analogized. “You could send incremental changes too, but it would [also] show what the [previous] set of changes were.”
GitHub’s importance to the open-source community is sometimes misinterpreted as a bad fit for enterprises. But with offerings like GitHub Enterprise, which enhances the security controls and can be hosted on-premises or in the cloud, the platform seems bent on shedding that misperception.
“GitHub wasn’t really built for enterprise organizations where different people will need different levels of access and permission,” Ghosh said. “But they're really making strides in that space.”
GitHub’s internal marketplace, where users can buy apps and extensions, includes a dedicated subcategory for code-review-specific add-ons. (More on those to follow.)
GITLAB
Competition drives innovation, market evangelists say. That’s certainly the case where GitLab is concerned. The GitHub competitor notably offers free private repositories, which can be accessed by an unlimited number of collaborators. That seemingly prompted GitHub to match the offer — although free access there is limited to three collaborators.
GitLab remains an attractive option, however, in part because it has no limit on collaborators.
Some enterprises might prefer GitLab to GitHub for code review not because of security concerns, Ghosh said, but because it gives users better control over who can access what.
“If you have a relatively large dev team, I think GitLab makes more sense because you can have a lot more granular permissioning."
Reviewers can be given access to a GitLab project, for example, without source code permissions.
On the flip side, some developers have faulted GitLab for various UX/UI shortcomings — nothing fatal, but there’s room for improvement. In the past, imperfect information architecture and poor contrast were common gripes.
“They're doing great work, but their usability and design side need a little bit more work,” Karbassi said. “It's just a little bit harder to initially grasp.”
Appearing to have heard the criticism, GitLab recently announced a new initiative to more quickly and effectively improve the site’s UX.
BITBUCKET
Like GitHub and GitLab, this third major code-review option is also a source control management platform. And like GitLab, it has a reputation as an intuitive fit for medium-to-large-size organizations thanks to a similar permissioning flexibility.
Bitbucket also boasts some nifty features that its competitors were either late to adopt or have yet to integrate. The former includes a capability to add screenshots so dev teams can loop in product and UX, as well as less technical folks; the latter includes a tool called the reviewer suggester, which proposes specific reviewers for given pull requests based on criteria like current workload and previous commit contributions.
Appraised Ghosh, “That's pretty slick.”
Bells and whistles aside, Bitbucket’s biggest draw might be its expediency. It’s an Atlassian product, and many enterprises already use other Atlassian software for project management and product tracking, so it likely feels like a natural progression.
“When companies first want to formalize their product stories and move into a paid tool,” Ghosh said, “[Atlassian project management tool] Jira is often a first tool of choice.”
While out-of-the-box options like GitLab and GitHub also integrate with Jira, they’re trickier to set up. And in the absence of “a really opinionated engineering team,” Ghosh said, “most folks will just go with what's easiest to integrate.”
CRUCIBLE
Even though plenty of organizations run their code review process in Bitbucket, Atlassian also offers a dedicated code-review platform called Crucible.
The ramp-up in features includes automatic Jira updates based on review actions; personalized, real-time notifications; and more in-depth reporting and audit tools. Crucible also supports several version control systems — a selling point for the remaining Git refuseniks out there.
The rub? You’ll feel all those extras in the pocketbook, too. An annual license for a 100-person dev team is $5,500, for instance.
“It’s the kitchen sink, but it can get expensive,” Karbassi said.
But for a deliberate, well-funded enterprise that’s focused more on avoiding embarrassing bugs and glitches than launching new features at rapid-fire clips, it may well be worth the money.
GERRIT
Gerrit can be thought of as the Brutalist web design of code review — it’s homely, hard to use and its defenders love it. Gerrit diehards are particularly fond of the tool’s one-commit-per-review restriction, which they argue reinforces good development habits. In fact, the focus on a pre-merge workflow is absolute; the tool doesn’t allow post-commit reviews. It’s also free to access and carries name-brand cachet, having been authored and maintained by Google.
But there’s a flip side. Many newcomers feel intimidated by Gerrit's Web 1.0-esque user interface.
“It feels like Linux servers,” Karbassi said. “It's not pretty at all.”
Ghosh is similarly unenthusiastic about its UI and usability.
“It's difficult to navigate and understand,” she said. “It’s surprising that it came out of Google, because it felt so [user-]unfriendly.”
She encountered Gerrit in an organization that was hesitant to go with GitHub due to enterprise security concerns, but Bitbucket would’ve made a better, more intuitive option than Gerrit, she believes.
The time investment needed to master Gerrit might also put off agility-focused startups.
“If you’re a quick-moving startup, you’re probably thinking, ‘We don't have time to set up Gerrit. We’d rather pay Atlassian to give us a clean, reliable product,’” Karbassi said.
As in so much tech, one of the biggest buzzwords in code review is automation. Amazon recently announced its CodeGuru review service, which uses machine learning to find and fix bugs. Kiwi startup CodeLingo and GitHub extension Hound also promise automated reviews. But many argue that the top devs still outperform the machines.
“I haven't found any tools that have been able to solve the code review problem better than human interaction,” software engineer Jim Cookas said. “There's a lot of value in in-person code reviews: you get better shared understanding and team visibility of what's being built and how — as opposed to keeping it in an AI black box.”
But what’s the solution when that in-person preference butts against our increasingly remote work environments? For Cookas, who works at the fully remote InVision, the widely used teleconferencing app Zoom offers a great workaround — especially for one-on-one reviews with screen-sharing.
“I’m a big proponent of live and synchronous, and I advocate for code reviews over Zoom whenever possible,” he said.
GITHUB CODE REVIEW APPS
The implementation of automated code review tools is less about replacing human help than augmenting it, advocates stress. Like Hound, extensions such as Sider, Code Climate (also Bitbucket compatible) and Codacy (also GitLab and Bitbucket compatible) will highlight relatively simple errors or style issues, like superfluous spaces, trailing whitespace and code complexity and duplication.
“They won’t give you a full view,” Karbassi said, “and it's usually a report, not an action — they're not actually committing your code — but it’ll help clean up some small things.”
Several similar extensions and add-ons available in the GitHub ecosystem aren’t strictly code-review tools, but hybrids of sorts — part review and part stats reporting, or technical debt reporting (Code Climate), or code coverage (Coveralls), or static analysis (DeepScan).
“They’re code review, but they’re in between,” Karbassi said.
REVIEW BOARD
Another potential alternative to Gerrit, this MIT-licensed option is also free, web-based and well-trusted. LinkedIn, Yelp and Cloudera are some of the outfits that have used Review Board, according to the company’s site.
Vivien Kuo, a software engineer at Sprout Social, used Review Board at a previous organization. The tool’s standout advantages include the capability to comment on multiple lines of code, plus it had a strong command line function. “We could post and then it would return a link, which would automatically open up in your web browser,” she said. “That’s really nice.”
Two more selling points: it doesn’t remove previous acceptances if, for instance, you have to make small post-ship changes in Java. And as Kuo noted, it has strong filtering capabilities.
“There’s a slider near the top of the review where — if you have, say, 10 commits on your branch — you can use the slider to look just at the difference between, say, commit nine and 10,” she said.
“You don't want to read over what you’ve already read. You just want to see the new changes. So that’s a really handy feature.”
The major disadvantage is one that’s common among all similar tools: Though users can gather lots of information, they can't merge to master directly through the application.
“It's still just a tool for us to look at [file differences],” Kuo said.