20 questions for a valuable code review

Published on December 28, 2021 - Tagged: #engineering

I recently had an interesting discussion around the value of doing code reviews and the value of mandatory code reviews.

I think code reviews are extremely valuable and should be done by most organisations and teams.

A valuable code review will

  • pass institutional knowledge around the org
  • help all engineers grow their skills
  • maintain quality in the face of all the other time pressures your team faces

But how do you keep a code review valuable?

  1. Automate instead of PR checklists
  2. Focus on code readability and functional correctness

Automate instead of PR checklists

Anything that can be automated must be automated. Engineers are expensive! Don’t waste your time on code formatting or spell checking if at all possible.

It’s OK to have some checklists in a PR template but you should always be actively working to remove checklist items through automation or engineering culture.

20 code readability and functional correctness code review questions

  1. Is the intent clear?
  2. Is there needless duplication?
  3. Could existing code have solved this?
  4. Is this an atomic commit?
  5. Could this be simpler?
  6. Are there obvious logic issues?
  7. Does it need tests?
  8. Are the tests comprehensive and clear?
  9. Are there any security issues or considerations?
  10. Are there any accessibility considerations?
  11. Are there any PII considerations?
  12. Is it instrumented? Are there relevant analytics? Are there relevant production logs?
  13. Are there revert scripts for database changes?
  14. Is the database work ACID? Is it transactioned sensibly?
  15. Does this feature need to be turned off in the future?
  16. Is it easy to turn it off?
  17. How easy is it to delete the feature code as a whole entity?
  18. Does the code respect Command-Query separation?
  19. If DDD - Are there well-defined aggregate roots, value objects, enumerations?
  20. Will there be any issues recovering from a transient failure? Is the solution distributed in an unexpected way?

A note on “nits”

In general I do not look for coding style, syntax I don’t like, styling or spelling errors in a code review.

If these things are important to your team then just use your CI system to detect and fix issues automatically.

In TypeScript/JavaScript we have ESLint, Prettier and Vale to detect and fix issues automatically. There will be similar tooling for your language and framework of choice.

Consistency IS important. If an entire code base is using some syntax but you prefer a different syntax that is functionally the same, you should use the existing syntax unless the entire team agrees with you and there is a plan to change the code everywhere.

A note on mandatory code reviews

The PR system developed by GitHub was for Open Source contributions by distributed teams. Mandatory PRs might not be relevant for a team with consistent levels of engineering capability and knowledge of the system.

I do feel that if code reviews are mandatory it means they won’t be bypassed when the pressure is on.

When the team is under pressure is when you really need code reviews the most. If some software is forcing one positive code review then a single developer can’t be pressured into putting dodgy code out to customers.


Code reviews that focus on finding nits, syntax you don’t like, spelling errors and things like that are not a valuable use of your time. Automate these with tooling instead.

Code reviews that focus on code readability and functional correctness are extremely valuable to the entire organisation, long after you have moved on to another project.

If you don’t enjoy code reviews, try changing their purpose and start evangelising what a good code review looks like.

Darragh ORiordan
