Code review on VIP Go

We review code on VIP Go to meet the security and performance objectives of our clients. We review security because pushing a site live with insecure code presents a liability to you and your whole user base. We review performance because going live and finding out that your code can’t handle the traffic levels that your site expects lets most of your launch efforts go to waste. We also review for development best practices to make sure that your site will continue to run without significant maintenance costs or major issues when WordPress is upgraded.

VIP may perform a scheduled initial code review of the entire codebase. Once this initial review is complete, we’ll switch to a review workflow for incremental development.

VIP’s review focuses on the performance and security considerations in PHP, custom JavaScript, and SVG files. We do not review HTML, CSS, SASS, many popular third-party JavaScript libraries, or built JavaScript files.

Before the initial code review

Before code is submitted:

  • Remove unused or unnecessary code that does not need to be reviewed from the master branch.
  • Make sure all code has been run through PHP Code Sniffer using the VIP Coding Standards, and that as many blockers as possible have been addressed.
  • Submit the PHPCS output.
  • Be ready to enter a code freeze during the code review process.

This will ensure the speediest review possible, and avoid reviewing known issues or non-production code.

During the initial code review

We offer both automated scans and manual reviews to our customers. This process is the same for your initial codebase review and for ongoing PR reviews.

Automated scans

For all customers on VIP Go, when you open a PR in GitHub, the VIP Code Analysis bot will automatically scan your entire codebase against VIP Coding Standards. Please refer to this guide to PHPCS review feedback. We strongly recommend looking at this document before submitting your code to expedite your review process.

If you have questions about how to address specific errors or warnings, you can open a ticket with our team.

Manual code review

If you have Application Support, you may also request specific developer feedback on your codebase (including themes and custom plugins) by adding the “[VIP] Review Request” label to your PR in master. Before adding the label, ensure that you’ve addressed as many errors and warnings from the automated scan as possible. Please note that pull requests without the label will not be reviewed.

You can find the labels in the GitHub UI on the right sidebar of your pull request.

Where possible, we recommend keeping PRs small by breaking them down into atomic commits. If the changeset is larger than 1000 lines of code, it will need to be scheduled for a review. The duration of manual code review can vary depending on the complexity of the code, and your Technical Account Manager will help you determine an appropriate timeline for your project.

Here’s a guide to what VIP looks for when performing a line-by-line review of your code. To expedite your review process, we strongly recommend looking at this document before submitting your code.

After the initial code review

After the initial code review, you can continue to follow the same workflow for automated scans on new PRs, or manual code review for new PRs opened in the master branch of GitHub.

Last updated: November 25, 2020