Code Reviews Are Not Effective at Finding Bugs

If your code review approvals are taking days, you&#x27;re doing it wrong. That&#x27;s not a system problem; it&#x27;s a culture problem (your company doesn&#x27;t factor in review time as part of a developer&#x27;s job), and possibly a signaling problem (the person isn&#x27;t aware that you&#x27;re waiting on them).<p>You can also open up PRs that merge into another PR it depends upon. Once the bottleneck PR gets merged to main, your dependent PRs get rerouted to be PRs that go to main.<p>Then comes the issue of deciding what kind of change should be considered trivial enough to not require code review before merging, and who will make that call on a per-change basis. Number of lines is not a good enough metric, because not all lines can cause the same potential damage.

While I agree, a company making a post that is a subtle advertisement for their software is probably the least trustworthy source for pretty much any take.

The purpose of Code Reviews is not to find bugs. The purpose of code reviews is:<p>- Verify unit tests have been created, have passed, and have sufficient coverage<p>- Ensure the code addresses requirements&#x2F;bugs<p>- Ensure adherence to coding guidelines (I don&#x27;t like coding guidelines, but most teams do)<p>- Ensure documentation is present, if needed&#x2F;required<p>A code review should not take long, and the purpose is not to find bugs.

&gt; <i>Code review should still happen here, just independent of approval.</i><p>If code review is not necessary for approval, then for most engineering teams, it will simply never happen.

Building upon Microsoft&#x27;s earlier analysis (<a href="https:&#x2F;&#x2F;pdfs.semanticscholar.org&#x2F;c079&#x2F;0dc547c56ca48b78bc418b21cc0687513743.pdf" rel="nofollow">https:&#x2F;&#x2F;pdfs.semanticscholar.org&#x2F;c079&#x2F;0dc547c56ca48b78bc418b...</a>), our data, which is composed through an objective risk measure, confirms similar findings about code review efficacy w&#x2F;r&#x2F;t finding bugs.