QP04 Code Review Practices
What this means
SiteShadow flagged signals that code review may be bypassed, or is not required, for changes that reach mainline.
Why it matters
Code review is a core control for quality and security. Without it:
- Obvious security defects (broken auth, injection, leaked secrets) are more likely to reach mainline unnoticed.
- Knowledge silos form when only one person understands critical code paths.
- Incident risk rises because changes merge without anyone challenging them.
Safer examples
1) Require PRs and reviews for mainline
Protect main/master: block direct pushes, require at least one approving review from someone other than the author, and dismiss stale approvals when new commits are pushed.
2) Use a security checklist for risky changes
Apply it to changes touching auth, permissions, crypto, file handling, outbound requests, and dependency updates.
3) Enforce a "two-person" rule for sensitive areas
Require an additional reviewer, including a named owner of the area, for auth, infra, and security config changes.
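The three practices above, expressed as a pre-merge policy check: mainline merges need a non-author approval, changes under owned sensitive paths need two approvals, and one of those approvals must come from the owning team. This is an added example, not SiteShadow's code or any project's own code. The CODEOWNERS content, team names, file paths and approval thresholds are constructed for the example, and the matcher implements only the subset of CODEOWNERS syntax those patterns need.

```python
"""Pre-merge policy check for protected branches (added example, not SiteShadow's code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Constructed CODEOWNERS-style content (GitHub syntax: pattern, then owners; the
# last matching rule wins). The teams and paths are invented for this example.
CODEOWNERS = """
# default owner for everything not listed below
*                    @acme/maintainers
/auth/               @acme/security
/infra/              @acme/platform @acme/security
/config/security/    @acme/security
"""

PROTECTED_BRANCHES = {"main", "master"}
MIN_APPROVALS = 1            # baseline for any mainline merge (assumed policy)
SENSITIVE_MIN_APPROVALS = 2  # "two-person" rule for owned sensitive paths (assumed policy)


@dataclass
class PullRequest:
    target_branch: str
    author: str
    changed_files: list
    # approving reviewer login -> teams that reviewer belongs to (membership is
    # assumed to be resolved elsewhere, e.g. from the forge's API)
    approvals: dict = field(default_factory=dict)


def parse_codeowners(text):
    """Parse CODEOWNERS text into (pattern, owners) rules, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append((pattern, owners))
    return rules


def _matches(pattern, path):
    """Subset of CODEOWNERS matching (assumption: enough for the patterns above)."""
    anchored = pattern.startswith("/")
    pat = pattern.lstrip("/")
    if pat.endswith("/"):  # directory pattern: anchored at root or anywhere in the path
        return path.startswith(pat) if anchored else ("/" + pat) in ("/" + path)
    if anchored:
        return fnmatch(path, pat)
    return fnmatch(path, pat) or fnmatch(path.rsplit("/", 1)[-1], pat)


def owners_for(path, rules):
    """Return (pattern, owners) of the last rule matching `path`, or ('', [])."""
    winner = ("", [])
    for pattern, owners in rules:
        if _matches(pattern, path):
            winner = (pattern, owners)
    return winner


def check_merge(pr, rules):
    """Return policy violations for merging `pr`; an empty list means it may merge."""
    problems = []
    if pr.target_branch not in PROTECTED_BRANCHES:
        return problems  # policy covers mainline only
    # Self-approval never counts as review.
    approvers = {login: set(teams) for login, teams in pr.approvals.items()
                 if login != pr.author}
    if len(approvers) < MIN_APPROVALS:
        problems.append(f"needs {MIN_APPROVALS} approval(s) from someone other "
                        f"than the author, got {len(approvers)}")
    # Every changed file matched by a rule other than the default "*" is sensitive.
    sensitive = {}  # path -> owning teams
    for path in pr.changed_files:
        pattern, owners = owners_for(path, rules)
        if pattern != "*":
            sensitive[path] = owners
    if sensitive:
        if len(approvers) < SENSITIVE_MIN_APPROVALS:
            problems.append(f"sensitive paths need {SENSITIVE_MIN_APPROVALS} "
                            f"approvals, got {len(approvers)}")
        approving_teams = set().union(*approvers.values())
        for path, owners in sensitive.items():
            if not approving_teams.intersection(owners):
                problems.append(f"{path} needs approval from one of: {', '.join(owners)}")
    return problems


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS)
    risky = PullRequest("main", "alice", ["auth/login.py", "src/util.py"],
                        approvals={"bob": ["@acme/maintainers"]})
    for line in check_merge(risky, rules):
        print("BLOCK:", line)
    risky.approvals["carol"] = ["@acme/security"]  # second reviewer from the owning team
    print("OK" if not check_merge(risky, rules) else "still blocked")
```

Run as a script, the first PR is blocked (one approval, none from the auth owners) and passes once a security-team member approves. Hosted forges enforce the same rules natively through branch protection (required approving review count, code-owner review, dismissal of stale approvals); a check like this is useful as an extra CI gate or as an audit over already-merged history.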
How SiteShadow detects it (high level)
- Looks for repository and workflow signals that changes can be merged into mainline without review.
- Flags high-risk changes that landed without supporting process signals (tests, merge gates, ownership).
References
- OWASP Top 10: https://owasp.org/Top10/
---