Code Quality & Governance
Static analysis (SonarQube), coverage gates, peer review standards
Code quality encompasses static analysis, test coverage, peer review standards, and automated enforcement, with the goal of keeping a codebase readable, secure, and correct. Tools such as SonarQube, ESLint, Checkstyle, and Semgrep provide automated analysis gates in CI pipelines that stop regressions before they merge. Quality stops being subjective once it is quantified: cyclomatic complexity, cognitive complexity, duplicated-code percentage, and coverage metrics give measurable baselines that teams can track and improve quarter over quarter.
Key Points
- SonarQube: provides multi-language static analysis with "Quality Gates" — builds fail if new code drops coverage below 80% or introduces critical security hotspots.
- Coverage gates: branch coverage (not just line coverage) above a threshold required for merge — branch coverage catches untested conditional paths.
- Cyclomatic complexity: the number of independent paths through a function — keep it below 10; above 15 is a mandatory refactoring trigger.
- Peer review standards: require descriptive PR descriptions, link to tickets, maximum 400 LOC per PR for effective review — larger PRs have exponentially lower review quality.
- Linting and formatting: ESLint/Prettier (JS/TS), Black/Ruff (Python), gofmt (Go) — automated in pre-commit hooks and CI to eliminate style debates.
- Mutation testing: Pitest (Java), Stryker (JS/TS) — introduce code mutations and verify tests catch them; reveals tests that pass trivially without asserting behavior.
- DORA metrics correlation: high code quality correlates with elite DORA metrics — Google's research shows teams with automated quality gates deploy 46x more frequently.
- Code ownership: clear ownership (CODEOWNERS file in GitHub) ensures domain experts review changes to critical paths — prevents knowledge silos.
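As an added example (not code from the page or from any of the tools it names), the following is a minimal cyclomatic-complexity gate for Python sources, built on the standard library `ast` module and using the thresholds from the key points above (flag at 10, block the merge above 15). The counting rules (one path plus one per branch point, short-circuit operator, comprehension clause or exception handler) are an assumption that follows McCabe's measure, and the module it scans is constructed inline for the demo.

```python
import ast
from typing import Dict

# Each of these nodes opens exactly one extra independent path (McCabe's measure).
_BRANCH_NODES = (ast.If, ast.For, ast.AsyncFor, ast.While, ast.ExceptHandler,
                 ast.IfExp, ast.Assert)

class _ComplexityVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.complexity = 1  # a straight-line function has exactly one path
    def visit_FunctionDef(self, node: ast.AST) -> None:
        return  # nested defs are measured on their own, not folded into the parent
    visit_AsyncFunctionDef = visit_FunctionDef

    def generic_visit(self, node: ast.AST) -> None:
        if isinstance(node, _BRANCH_NODES):
            self.complexity += 1
        elif isinstance(node, ast.BoolOp):
            self.complexity += len(node.values) - 1  # `a and b and c` = 2 decisions
        elif isinstance(node, ast.comprehension):
            self.complexity += 1 + len(node.ifs)  # each `for` clause and `if` filter
        super().generic_visit(node)

def function_complexities(source: str) -> Dict[str, int]:
    """Map each function name in `source` to its cyclomatic complexity."""
    results: Dict[str, int] = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            visitor = _ComplexityVisitor()
            for stmt in node.body:
                visitor.visit(stmt)
            results[node.name] = visitor.complexity
    return results

def quality_gate(source: str, warn_at: int = 10, fail_at: int = 15):
    """Return (warnings, failures): CC >= warn_at needs attention, CC > fail_at blocks the merge."""
    cc = function_complexities(source)
    warnings = sorted(n for n, c in cc.items() if warn_at <= c <= fail_at)
    failures = sorted(n for n, c in cc.items() if c > fail_at)
    return warnings, failures

def _branchy(name: str, branches: int) -> str:
    """Constructed sample: a function made of `branches` independent `if` statements."""
    body = "".join(f"    if code == {i}:\n        return {i}\n" for i in range(branches))
    return f"def {name}(code):\n{body}    return None\n"

# Constructed sample module: CC 2 (clean), CC 11 (warning) and CC 17 (fails the gate).
SAMPLE_SOURCE = ("def is_valid_port(value):\n"
                 "    return isinstance(value, int) and 0 < value < 65536\n"
                 + _branchy("warn_me", 10) + _branchy("refactor_me", 16))
```

Wiring `quality_gate` into a CI step that exits non-zero when the failures list is non-empty gives the same merge-blocking behaviour as a SonarQube quality gate, without needing a server.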
Real-World Example
Microsoft requires all Azure SDK changes to pass SonarQube Quality Gates with 90% branch coverage and zero new critical/blocker issues. Their internal study showed that every hour invested in code review saved 33 hours of bug-fixing time in production.