Best practices for reviewing third-party code contributions

Sara Verdi
Sara Verdi
Graphite software engineer


Note

This guide explains this concept in vanilla Git. For Graphite documentation, see our CLI docs.


Reviewing third-party code is important for maintaining code quality and security when incorporating external contributions into your projects. This guide will explore some best practices for third-party code reviews, and provide a structured approach to handling these reviews effectively.

Reviewing third-party code becomes necessary in several scenarios across the software development lifecycle, primarily when external contributions directly influence the project's codebase. Here are some key situations where third-party code review is essential:

  1. Integrating open source libraries: When your project relies on open-source libraries or frameworks, reviewing their code is vital to ensure they meet your security standards, are up-to-date, and do not have licensing issues that could affect your product.

  2. Accepting contributions from external developers: If your project is open to contributions from the developer community (like many open source projects), each submission must be reviewed to maintain code quality and consistency with your project’s guidelines.

  3. Using code from third-party vendors: For projects that incorporate specialized software components from third-party vendors, such as APIs or plugins, reviewing the code can help assess the security and reliability of these components.

  4. Mergers and acquisitions: When companies merge or acquire other companies, they often need to integrate external codebases. Reviewing this third-party code ensures compatibility and identifies potential redundancies or issues.

  5. Outsourced projects: If parts of a project are outsourced to external contractors, the returning code must be reviewed to verify that it fits the original specifications and adheres to the project’s quality standards.

  6. Compliance and regulatory requirements: Certain industries require code to comply with specific regulatory standards. Reviewing third-party code ensures compliance with these regulations and avoids legal and security issues.

  7. Security audits: Regular security reviews of all incorporated code, including third-party contributions, help identify and mitigate vulnerabilities, protecting the application from potential exploits.

In each of these scenarios, the review process helps maintain a high standard of code quality, ensures security and compliance, and aligns external contributions with the project's overall objectives.

Here are some recommended strategies for reviewing third-party code effectively:

  1. Establish clear contribution guidelines: Before accepting third-party contributions, clearly outline your project's coding standards, commit conventions, and testing requirements. This upfront clarity helps external contributors align their submissions with your expectations, reducing the need for extensive revisions.

  2. Use automated tools to screen submissions: Implement tools that automatically check for common coding errors and compliance with coding standards. Graphite's PR inbox, for example, can be configured to flag PRs that fail to meet specified criteria, helping maintain a high standard of code quality.

  3. Perform thorough security audits: Third-party code should be subjected to rigorous security checks to prevent vulnerabilities. Tools like static analysis and dynamic scanning can identify potential security issues before they are merged into your main codebase.

  4. Leverage code review checklists: Develop a checklist specific to third-party contributions to ensure all reviews cover essential aspects such as licensing issues, code complexity, and adherence to project-specific conventions.

  5. Involve multiple reviewers: External code can benefit from reviews by multiple team members, providing diverse perspectives and reducing the likelihood of oversight.

  6. Prioritize transparent communication: Maintain open lines of communication with contributors to provide feedback, request changes, or discuss potential issues. Transparent communication fosters better collaboration and contribution quality.

  7. Document all decisions: For accountability and future reference, document the rationale behind decisions made during the review process. This documentation is invaluable for future audits and for onboarding new project members.

Graphite's PR inbox is designed to help you with the review process for both internal and external code reviews. Here’s how you can leverage it effectively:

  • Organize PRs efficiently: The PR inbox is a central location for pull requests, and it categorizes them into sections like "Needs your review" or "Waiting for review". This organization helps you prioritize reviews based on urgency or status.

  • Customize review workflows: You can create custom sections with filters based on the specific needs of third-party code reviews. For example, you might have a section exclusively for external contributions that require compliance checks.

  • Collaborate and share feedback: Graphite allows you to share filter configurations with team members, ensuring that everyone follows the same review standards. Additionally, the tool supports fuzzy search across PR titles, descriptions, and authors, making it easier to track and manage contributions.

  • Integrate with existing tools: Graphite seamlessly integrates with GitHub, enhancing your existing workflows and tools. This integration ensures that you can manage external contributions without disrupting your current processes.

Reviewing third-party code requires careful attention to detail and a structured approach to ensure contributions are beneficial and secure. By following these best practices and utilizing tools like Graphite's PR inbox, teams can enhance their review process and maintain high standards for code quality and security.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2