Break Glass, Not Rules: Ensuring Compliance in Emergency Code Changes

Last updated May 30, 2023 By davegaeddert

In the fast-paced world of software development, "break glass" scenarios are common. These are situations where urgent code changes are required, often to fix critical bugs, patch security vulnerabilities, or maintain service uptime. In these situations, it's tempting to bypass the usual checks and balances in the interest of speed.

However, it's crucial to remember that even in the most urgent of circumstances, code review requirements cannot be disregarded. Compliance standards, like SOC2, require stringent adherence to certain procedures and protocols, irrespective of the circumstances. Whether it's data security, accessibility, or system integrity, the importance of meeting these standards cannot be understated.

Ensuring compliance in a "break glass" scenario can be challenging, but it's far from impossible. The key is to balance the urgency of the situation with the need for thoroughness and due diligence. This brings us to a concept that can help strike this balance - post-merge code reviews.

Post-Merge Code Reviews: Balancing Urgency and Compliance

Post-merge code reviews are an effective approach to ensuring code quality and compliance, even in situations that demand immediate action. As the name implies, these reviews take place after the code has been merged into the main branch.

This allows for the rapid implementation of necessary changes while still maintaining a review process. Once the urgency has passed, a detailed review of the changes can be conducted. Any potential issues or non-compliance can be corrected in a follow-up pull request that is less time-sensitive.

This is not a replacement for pre-merge reviews, but rather an additional tool for teams to ensure code quality and compliance in all situations. They add a layer of flexibility to the code review process, enabling teams to respond quickly to urgent situations without sacrificing compliance.

Post-merge Code Reviews with PullApprove

PullApprove facilitates a post-merge review by keeping track of "bypassed" pull requests. "Bypassed" PRs were merged before PullApprove requirements were met.

Depending on your GitHub repo permissions and branch protections, someone can bypass PullApprove by simply merging the PR in GitHub while it is still pending.

Someone can also bypass PullApprove specifically (while still adhering to other GitHub branch protection settings).

After the PR is merged, it will be flagged for a follow-up approval. While it is no longer possible to submit an approving-review in GitHub, a bypasser can manually approve the PR in PullApprove itself once it has been fully reviewed.

That's all there is to it! We're working to formalize more concepts like this that make it easier to balance need for compliance with the need for a good developer experience.

Ready for a better workflow?

PullApprove starts in a read-only mode where you can see how it would work for your company. Anyone with permission to install the GitHub App can give it a try, and you can always uninstall it if you don't like it.