beawolf - Fotolia
Formal code review is beneficial for many reasons -- but it consumes a lot of resources. Agile, iterative and automated development processes make formal code review difficult, if not impossible.
Automated code review, which ranges from a software-assisted process to one that replaces human experts with AI, aims to make quality enforcement less time-consuming and more easily adopted in a range of organizations. Automated code review usually relies on one of several mechanisms. Organizations could closely watch programmers or email review requests to qualified experts, but capable tooling goes beyond those two methods. Cooperative programming and automated and AI-assisted code review require a nuanced strategy but deliver benefits.
The best approach depends on the organization's software quality strategy, as well as the specific problem these reviews should address, such as compliance with regulations, security or another concern. Code review tools fall into a wide range of categories, everything from project management and workflow enforcement tools to static code analysis and AI-based systems. Understand what kind of code review your organization needs before comparing tools' features.
Get an assist from tools
The most common assisted code review tools aim to improve developer collaboration, targeting peer review. Team collaboration tools can improve communication during development and integrate the code review as a stage in the process, not one that requires extra time and effort. Teams can improve code quality with simple collaboration via project management tools like Basecamp, code repository systems like Git, and issue-tracking tools like Atlassian Jira.
Many code review tools support one or more models of cooperative or collaborative review. To get this capability, evaluate products such as SmartBear's Collaborator and Devart's Review Assistant, or open source options like Codestriker or Gerrit.
Tools can also enforce workflows. Workflow enforcement tools define process-person relationships, and then ensure that necessary exchanges occur. Corporate compliance strategies often involve workflow enforcement, and this practice extends to development to help meet mandatory governance or regulatory frameworks.
Workflow enforcement vendors include popular options such as Integrify, Kissflow and Pipefy, but organizations can also formalize workflows with a combination of interactive development tools and collaboration tools.
Another broadly useful class of code review tools focuses on component, data structure and API management. These tools detect changes and track dependencies in the software, including places where the data structures are published for use by other applications.
Teams can track changes to code, data structures and API specifications that are stored in a version-controlled repository, and assess how those changes affect other systems and components. Integrated development environments include features to handle overall management of APIs, data structures and code dependencies, as long as there's a reference state and development practices are enforced. All popular IDEs have that capability, as do tools that manage the data, code and APIs. Teams that take this approach aim to create a single source of truth -- all the code and all the code's history -- in the repository.
Automate, enforce your standards
With automated code review, rather than assisted review, teams apply static code analysis to assess whether developers adhered to established practices. Don't think of automated code review as a speed round of debugging. These tools don't debug the code; rather, they enforce the organization's specific standards for coding. It's essential to have a comprehensive toolkit that handles most of the code review practices covered here, because compliance standards are highly specialized and might change often within an organization.
The baseline for automated code review is control over the pull-and-commit process associated with the code repository. Automated code review tools analyze the code for common errors and even violations of popular practices. There are many tools available, including several dozen open source options. Commercial products include Codacy, Code Climate and codebeat. Whatever your choice, keep in mind that true automated code analysis will likely have some programming language limitations; many tools work for one language alone.
You can't spell quality without AI
Many development managers see AI as the next frontier of automated code review. AI-based tools, according to many users, come close to matching properly managed formal code review, in rapid development timeframes. Some proponents even think that AI code review is better than formal peer review, as it handles more problems and review factors.
Tools in the AI-based automated code review space include AI Reviewer, DeepCode, Facebook's SapFix and Microsoft's IntelliCode. Some products base their analyses on practices adopted in large public Git repository-hosted projects, so it's important to look at programming language issues. For example, AI Reviewer is specific to the C++ language, at time of publication.
AI tools get the most attention in the automated code review tools marketplace. However, organizations can struggle to use these tools when they already have another toolkit to support a different code review model. Look at the benefits of a new tool alongside the barriers to rapid adoption and acceptance. Make sure you can realize the benefits of what AI offers to code review processes before you commit to it. Otherwise, ease your way into AI features through static code analysis tools.