Code Review Best Practices: The Blunder

A new starter, second week on the job, pushed a change with an undefined variable. It passed testing and passed code review. Then the service team's phones started ringing because users couldn't log in. It's easy to blame the new starter or code reviewer, but an undefined variable in a 500 line PR is easy to miss and trivial to catch with static code analysis. We were asking humans to do what CI tests can do.

We're all the GOAT at making mistakes sometimes, so let's make it easier for ourselves.

Blunder Mode

Rubber stamping vs. nitpick purgatory. After a prod bug, people overcorrect. Then the "days without accident" number creeps up and they get lax again. Aim for a middle ground that doesn't swing.

GOAT Mode

Small Pull Requests: Chunk into 2-5 hour tasks, use stacked PRs (one epic with smaller PRs) and feature flags (eg. internal testing groups)
Early Draft: Draft PRs catch major issues while code is still easier to change, before sunk cost kicks in.
Maintainability Test: Three things to check: easy to follow (readability), easy to find (discoverability), following conventions (predictability).
Speed Run: Quick reviews are good for small, low complexity changes on teams with strong QA and automated checks. When it's easy to follow and nothing risky, a quick scan is enough.
Legacy Trap: Review the change, not the surrounding code. Often trying to simplify old confusing code can open a can of worms and increase risk of unpleasant surprises.
5 mins to action feedback should be typical. If feedback regularly takes longer, the reviews might be catching things too late.
Skip re-review: If the only change is adding a comment, and PR checks pass, don't make them wait for another approval.

Who Checks What

The goal isn't less rigour, it's better distributed rigour.

Role	Question	Responsibility
Coder	"Does this match requirements?"	Self-review first and passes PR checks.
QA/Testing	"Is this ready for live?"	Requirements met and working as expected.
Reviewer	"Could I work on this later?"	Scan for red flags and verify maintainability.
Automation	"Beep-boop?"	Static code analysis, test coverage, security scans.

Splitting reviewers by expertise

Here's a real request from our team that worked well:

Afternoon team, wondering if you three would be available to code review this PR [redacted link and PR summary one liner]

@tom @dick If you're able to do a regular PR of the feature

@harry If you're able to have a look at the logic around scoring/template fetching, I've left comments in the PR

Let me know if you guys have any questions Thank you!!

Different people, different focus areas. Nobody has to review the whole thing deeply.

Tools

Run these as part of the pull request, no pass? no merge.

Linting/formatting: Eliminates style debates by making consistency non-negotiable before code hits review.
Static analysis: Catches the bugs your tests forgot to write. That undefined variable from the opening? Mypy, Clippy, Sorbet, PHPStan would have caught it.
Security scanning: SCA scanning tools, infrastructure as code (IaC) security, dependency vulnerabilities.
AI review: Only as good as your instructions. When you get false positives, update the rules instead of ignoring them.
Tests: Only useful when they are run and maintained. Unit, integration, API, frontend & backend - get them in there!

Words

Labels: Use prefixes (suggestion:, nitpick:, kudos:) or severity tags ([Important], [FYI]) so coders know what's blocking vs optional.
Reason: Explain the problem, offer alternatives, let the coder decide. "Can you please rename to make it more self-documenting? Consider calculateTotal() or sumLineItems()."
Before you post: Words hit harder in writing than in person. Read your comment back.
Offline: If you see major problems, then talk in person. Instead of all that back and forth, it's quicker to discuss, and there might be some extra context the reviewer is not aware of yet.

Team

Separation: You are not your code. Critique the code, not the person.
Pushback: Coders have more background and a bigger picture view of the changes. If there's a suggestion you think is not worth the effort, that's time to discuss.
Reciprocity Effect: Be thoughtful in your reviews. It's contagious, in both directions.
Copy Ninja: When you join a team, copy how they do things, even if you disagree. Gain trust first, then slowly suggest changes.
Spread the load: 30 mins per day max on code reviewing. It's not "too busy for code reviews today" because everyone is always busy. It's "I've already done some reviews today, can you please ask someone else."
One day turnaround as a goal: Not a rule, but if PRs are sitting longer, something's off.

Code Reviewing for Blunder Goats

Blunder Mode

GOAT Mode

Who Checks What

Splitting reviewers by expertise

Tools

Words

Team

Related Articles

Code Review for Teams That Ship

Plan Before You Prompt: Templates for Coding Agents

Antifragility Mindset