Profile Applicability:
 Level 1

Description:
All review comments (GitHub "conversations", GitLab "threads") raised during the code review process must be addressed and marked as resolved before the code change can be merged into a protected branch. This ensures that feedback, concerns, and requested modifications from reviewers are handled rather than silently left open at merge time, improving code quality and reducing defects.

Rationale:
 Requiring resolution of all open comments promotes thorough code reviews and effective collaboration. It prevents a change from being merged while a reviewer's concern, including a flagged security issue, is still unanswered, thereby enhancing software reliability, security, and maintainability.

Impact:
 Pros:

  • Improves code quality through comprehensive review.

  • Ensures reviewer feedback is incorporated.

  • Reduces the likelihood of defects and vulnerabilities.

  • Fosters collaborative development culture.

 Cons:

  • May delay merging if many comments remain unresolved.

  • Requires consistent discipline from developers and reviewers: the platform only checks that each thread was marked resolved, not that the concern was actually addressed, and the author of the change can resolve threads themselves.

Default value:
 Not required by default. GitHub's "Require conversation resolution before merging" branch protection option and GitLab's "All threads must be resolved" merge check are both disabled on newly created repositories, so merging with open review threads is allowed unless the setting is turned on.

Audit:
 Review the merge settings of each repository's default (and release) branches to verify that comment resolution is enforced. On GitHub, confirm that a branch protection rule exists for the branch and that "Require conversation resolution before merging" is enabled; via the REST API, GET /repos/{owner}/{repo}/branches/{branch}/protection must return required_conversation_resolution.enabled = true (a 404 means the branch has no protection rule at all). On GitLab, confirm that "All threads must be resolved" is enabled under Settings > Merge requests; via the REST API, GET /projects/:id must return only_allow_merge_if_all_discussions_are_resolved = true. Additionally, sample recent merges and check the review history to confirm that threads were resolved before, not after, the merge.
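
 As an added example (not part of this benchmark or of either vendor's tooling), the following Python script evaluates the two API responses named above and reports which repositories still allow merging with open review threads. The repository names and sample responses are constructed for this example; the field names required_conversation_resolution, enforce_admins and only_allow_merge_if_all_discussions_are_resolved are the ones the GitHub and GitLab REST APIs use, and fetch_json is an assumed helper for an authenticated GET.

```python
"""Audit check: are merges blocked while review threads are unresolved?

Added example, not benchmark or vendor code. Evaluates the JSON that
GitHub (classic branch protection) and GitLab (project settings) return
and lists repositories that fail the check. Sample data below is
constructed; in practice it comes from
  GitHub: GET /repos/{owner}/{repo}/branches/{branch}/protection
          (404 means the branch has no protection rule at all)
  GitLab: GET /projects/{id}
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    repo: str
    platform: str
    compliant: bool
    detail: str
    warnings: Tuple[str, ...] = ()


def fetch_json(url: str, token: str) -> Optional[Dict[str, Any]]:
    """Authenticated GET (assumed helper). Returns None on 404 so an
    unprotected GitHub branch is distinguishable from a transport error."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


def audit_github_branch_protection(repo: str, protection: Optional[Dict[str, Any]]) -> Finding:
    """Compliant only if required_conversation_resolution.enabled is true.
    Also warns when enforce_admins is off, because administrators can
    then merge around the rule."""
    if protection is None:
        return Finding(repo, "github", False,
                       "no branch protection rule; merges are unrestricted")
    enabled = bool((protection.get("required_conversation_resolution") or {}).get("enabled"))
    warnings: List[str] = []
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        warnings.append("administrators may bypass branch protection (enforce_admins off)")
    detail = "required_conversation_resolution is " + ("enabled" if enabled else "disabled")
    return Finding(repo, "github", enabled, detail, tuple(warnings))


def audit_gitlab_project(project: Dict[str, Any]) -> Finding:
    """Compliant only if only_allow_merge_if_all_discussions_are_resolved is true."""
    repo = project.get("path_with_namespace", "?")
    enabled = bool(project.get("only_allow_merge_if_all_discussions_are_resolved"))
    detail = ("only_allow_merge_if_all_discussions_are_resolved is "
              + ("true" if enabled else "false"))
    return Finding(repo, "gitlab", enabled, detail)


def noncompliant(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if not f.compliant]


# Constructed sample responses (not real repositories).
SAMPLE_GITHUB: Dict[str, Optional[Dict[str, Any]]] = {
    "acme/payments": {"required_conversation_resolution": {"enabled": True},
                      "enforce_admins": {"enabled": True}},
    "acme/legacy-svc": {"required_conversation_resolution": {"enabled": False},
                        "enforce_admins": {"enabled": False}},
    "acme/scratch": None,  # protection endpoint returned 404
}
SAMPLE_GITLAB: List[Dict[str, Any]] = [
    {"path_with_namespace": "acme/api",
     "only_allow_merge_if_all_discussions_are_resolved": True},
    {"path_with_namespace": "acme/infra",
     "only_allow_merge_if_all_discussions_are_resolved": False},
]


def run_sample_audit() -> List[Finding]:
    findings = [audit_github_branch_protection(r, p) for r, p in SAMPLE_GITHUB.items()]
    findings += [audit_gitlab_project(p) for p in SAMPLE_GITLAB]
    return findings


if __name__ == "__main__":
    for f in run_sample_audit():
        status = "PASS" if f.compliant else "FAIL"
        print(f"{status} {f.platform:6} {f.repo:18} {f.detail}")
        for w in f.warnings:
            print(f"      warning: {w}")
```

 Run against real data by replacing the sample dictionaries with fetch_json results for each repository's default branch; a FAIL line is a repository to remediate, and a warning on a PASS line means the control exists but can be bypassed by administrators.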

Remediation:
 Configure repository policies to block merges with unresolved comments. On GitHub, add or edit the branch protection rule for the default branch (Settings > Branches) and enable "Require conversation resolution before merging"; also enable "Do not allow bypassing the above settings" so administrators cannot merge around it. Via the REST API, set required_conversation_resolution to true in the PUT /repos/{owner}/{repo}/branches/{branch}/protection request (note that this call replaces the whole protection configuration, so include the existing settings). On GitLab, enable "All threads must be resolved" under Settings > Merge requests > Merge checks, or set only_allow_merge_if_all_discussions_are_resolved = true with PUT /projects/:id. Educate development teams on the importance of addressing review feedback, and use automation to track and enforce comment resolution across all repositories rather than relying on per-repository configuration alone.

References:

  1. GitHub Pull Request Reviews: https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-request-reviews

  2. GitLab Merge Request Discussions: https://docs.gitlab.com/ee/user/project/merge_requests/discussions/

  3. CIS Controls v7, Control 6 - Maintenance, Monitoring and Analysis of Audit Logs: https://www.cisecurity.org/controls/maintenance-monitoring-and-analysis-of-audit-logs/