Published on: September 3, 2021

The code review struggle is real. Here's what you need to know

If it's time for a DevOps Platform, don't forget the role code review plays. Our 2021 Global DevSecOps Survey showed why it's both critical and tricky to get right.


Our 2022 Global DevSecOps Survey is out now! Learn the latest in DevOps insights from over 5,000 DevOps professionals.

When making a list of the reasons to consider moving to a DevOps Platform, don't forget about code review, a critical piece of the process that's also an incredible source of frustration and delays to developers and their teams.

In our 2021 Global DevSecOps Survey, respondents told us code quality was the number one reason they chose DevOps. But, when asked what was most likely to delay a product release, code review – vital to code quality – was one of the top four culprits (the others were testing, planning and code development).

The fact that code review is a pain point is hardly surprising, given that it can often require context-switching, communication, collaboration, and of course subject matter expertise. At a time when it's never been more urgent to release secure code as quickly as possible, it's not a stretch to think code reviews can feel like a hard stop to some teams, particularly if the process is not integrated into an existing workflow.

[Here's everything you need to know about a DevOps Platform]

Why code review is painful

In fact, when we asked our survey respondents to tell us in their own words what they struggle with when it comes to code review, they had *a lot* to say on the subject.

"Code reviews can take a long time due to the lack of reviewers."

"Many people find it a chore to review code."

"We have a strict code review process and it often takes several days for the reviewer to respond to requests for review."

"Code review takes time and every developer has to explain how they achieved what they did."

"Developers are sometimes unaware they have to do code reviews. They aren't sure how to perform them and if they are effective. Sometimes they are skipped so the process can go through."

"Finding someone for code review can be hard (1-day average). After that, business tests take time to be completed (2-4 days on average)."

Code review is tricky, but almost 60% of those surveyed said the reviews were "very valuable" in ensuring code quality and security. And it's not like teams aren't actually tackling code review: In 2021 close to 45% of respondents said they review code weekly, and 22% do it every other week – a 14% jump from 2020.

[Your organization needs a DevOps Platform team. Here's why]

But anecdotal data tells a slightly different story, from developers saying their teams do no code review at all, to code reviews so comprehensive they include every merge request, ticket, or pull. Many developers said they review code daily, or even multiple times a day. Survey takers said code reviews were most likely conducted using online chat, with developers showing a strong preference for reviewing code in an IDE rather than a browser.

Better code reviews

At GitLab we pride ourselves on dogfooding our DevOps Platform, so of course we spend a lot of time thinking about how to improve our code review process. We've had a lot of success using smaller merge requests, as just one example.

Our survey takers told us they were on the same continuous improvement journey – many spent the past year [evaluating how to make their code reviews and other DevOps stages more efficient](/blog/2020/09/08/efficient-code-review-tips/). One respondent offered a detailed look:

"We evaluated the team and did value stream mapping and finalized the desired state. In most of the cases we found the team needs an automated pipeline for faster delivery and immediate feedback so that they can act fast rather than later. We also moved security left so that developers can fix security issues fast. And we also made sure developers are doing code review in a collaborative way through pull requests."

Another team focused exclusively on reducing its dependence on code review:

"(We are no longer) relying on code review to have caught all the test scenarios. We now use a coverage scanning tool to tell us if we've got it all."

More code reviews > less code reviews

The struggle is real, but so is the importance. Despite a lot of complaining about code review, developers remained adamant about its importance in DevOps. When we asked devs what they wish they could do more of, code review was at the top of the list, with more than 1000 survey takers indicating they wish they could do way more code reviews than they're doing at present.

In our next blog post, we'll outline five ways GitLab's DevOps Platform has made code reviews easier.
