The purpose of this policy is to establish the minimum requirements for Source Code Review in production applications.

General Requirements

  • All source code must be reviewed by a minimum of two developers before being deployed on production systems or merged into a production branch within the source code management system.
  • The reviewer must be an approved developer for the project.
  • Files included within the CODEOWNERS file must be reviewed by one of the owners listed. In the event of a high-impact security or operational issue when a code owner is unavailable, the standard review process may be used temporarily. The reviewing developer should tag the owner for review as soon as possible.
  • A developer may request a review by a domain expert. In the event a domain expert is requested, the change should not be merged before the requested reviewer approves.

Reviewer Safe Harbor

  • Any developer may deny a merge for any security or ethical concern without fear of retaliation from anyone within the organization.

Automated Testing

  • No code will be merged into a production branch that is not passing its automated testing.
  • GitHub Security Alerts must be enabled on all repositories and monitored by product owners.
  • Static analysis tools such as Brakeman and RuboCop should be used when possible.

Exceptions

  • Any exceptions to this policy must be approved by the CTO or their designate.