Code Change Reviews
Guide on recording and reporting Code Change Reviews using Ketryx
1. Introduction
1.1. Purpose
Code reviews play a crucial role in the software development lifecycle as they help identify and rectify defects, security vulnerabilities, and other issues in the software code.
This guide is dedicated to providing guidance on setting up code reviews in Ketryx. It aims to address common questions and offer insights into the process of establishing code reviews.
1.2. Tools
Tools used to develop and release a product with Ketryx Lifecycle Management are provided in MAN-01 Ketryx Lifecycle Management. The release process is described in detail in MAN-02 Software Release Process, while setting up code repositories is described in MAN-03 Supply Chain Management.
2. Supported platforms
Ketryx supports Code Change Review (CCR) data fetching for repositories hosted on GitHub and Bitbucket.
If you need support for other platforms like GitLab, Azure DevOps, etc., please contact our support.
3. Setup
Please see our SOUP documentation for more information about adding your repository to Ketryx: MAN-03 Supply Chain Management
3.1. GitHub
If you've added your GitHub repository but still can't see the CCR Report, follow the process below to make sure you have added an authentication token for your repository in the project settings page.
Open the settings area of the project
Add the repository from which you want to pull the Code Change Reviews
Click Enable repository authentication
Set Username: the name of the token (just for your own reference, can be anything)
Set Password: the actual GitHub token
Click Save
There are several steps to generate a GitHub token (classic), which can be found here. To enable the CCR features, the token needs specific permissions mentioned below.
For Ketryx to fetch Pull Request data from GitHub, authentication needs to happen via a Personal Access Token. Access tokens can be generated at the user level and provide authorization for specific scopes.
This Personal Access Token will serve as the authentication method to fetch both Pull Request data and the Git repository for SOUP dependency analysis from GitHub.
To find out how to generate a classic or fine-grained Personal Access Token, please see our GitHub FAQ entry here.
The Personal Access Token needs certain permissions for the Code Change Review feature to work.
For the classic Personal Access Token, the following scopes are required:
repo
read:user
For the fine-grained Personal Access Token, the following permissions are required:
Contents
Metadata
Pull requests
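Because the token stored in Ketryx is also what fetches the Git repository for SOUP analysis, it is worth confirming before saving it that a classic Personal Access Token carries exactly the scopes listed above and nothing broader. The following is an added example, not Ketryx's or GitHub's own code. It relies on GitHub's documented behaviour of echoing a classic token's scopes in the X-OAuth-Scopes response header (fine-grained tokens do not populate this header); the OVERBROAD_SCOPES list is a constructed least-privilege watch-list for this example, not something the page prescribes.

```python
"""Check a GitHub classic PAT for the scopes the CCR integration needs.

Added example for illustration; assumes GitHub returns the token's scopes
in the X-OAuth-Scopes header of any authenticated API response.
"""
import urllib.request

# Scopes the documentation lists as required for the classic token.
REQUIRED_SCOPES = {"repo", "read:user"}

# Constructed watch-list: scopes a read-only review integration never needs.
# Their presence means the stored token grants more than it should.
OVERBROAD_SCOPES = {
    "delete_repo",
    "admin:org",
    "admin:repo_hook",
    "workflow",
    "write:packages",
}


def parse_scopes(header_value):
    """Turn a comma-separated X-OAuth-Scopes value into a set of scope names."""
    if not header_value:
        return set()
    return {part.strip() for part in header_value.split(",") if part.strip()}


def evaluate_scopes(header_value):
    """Return (missing, overbroad) as sorted lists for the given header value.

    missing   - required scopes the token lacks (CCR fetching would fail)
    overbroad - scopes from the watch-list the token should not carry
    """
    granted = parse_scopes(header_value)
    missing = sorted(REQUIRED_SCOPES - granted)
    overbroad = sorted(OVERBROAD_SCOPES & granted)
    return missing, overbroad


def fetch_scopes_header(token, api_url="https://api.github.com/user"):
    """Call the GitHub API with the token and return its X-OAuth-Scopes header.

    Network call; only used when you run this against a real token.
    """
    request = urllib.request.Request(
        api_url,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(request) as response:
        return response.headers.get("X-OAuth-Scopes")


if __name__ == "__main__":
    # Constructed sample header values standing in for real API responses.
    samples = {
        "correct token": "repo, read:user",
        "too narrow": "public_repo, read:user",
        "too broad": "repo, read:user, delete_repo, admin:org",
    }
    for label, header in samples.items():
        missing, overbroad = evaluate_scopes(header)
        verdict = "OK" if not missing and not overbroad else "REVIEW"
        print(f"{label}: {verdict} missing={missing} overbroad={overbroad}")
```

To check a real token, replace the sample dictionary with `evaluate_scopes(fetch_scopes_header(token))`; a non-empty `missing` list explains a blank CCR Report, and a non-empty `overbroad` list is a reason to mint a narrower token before storing it in the project settings.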
3.2. Bitbucket access tokens
For Ketryx to fetch Pull Request data from Bitbucket, authentication needs to happen via a Repository Access Token. Access tokens can be defined at the repository, project, or organization level. Any of these work (just note that only the repository level is possible in the free version of Bitbucket). A guide on how to create such a token can be found here.
The same authentication method is used to fetch the Git repository (for SOUP dependency analysis) as well.
The repository access token needs to have at least the following permissions:
Repository: Read
Pull requests: Read
When entering the authentication credentials in Ketryx, set the following:
Username: x-token-auth (as a verbatim value, as documented here)
Password: the access token
4. Generating a Code Change Review report in Ketryx
Once set up, the Code Change Review report is available on a project's Code page. To go there, navigate to the project for which a report should be generated. In the Configuration section of the sidebar, press Code. In the upper right hand corner of the page is a download button that generates the report and initiates a download. Optionally, choose the version for which you want to generate the report.
Additionally, the Code Change Review report can be generated and approved for a release on a version's Documents page.
5. AI-Assisted Code Review Analysis
New in 2.14.4
Beyond generating formal Code Change Review reports, the Ketryx Assistant can now provide interactive, AI-powered analysis of your pull requests and code changes. This capability complements the automated CCR reporting by offering on-demand insights and recommendations.
What AI-Assisted Analysis Provides
Interactive Workflow
Unlike the static CCR report, AI-assisted analysis supports an interactive workflow:
Request analysis of specific commits, branches, or pull requests
Review findings with detailed explanations
Ask follow-up questions to clarify recommendations
Get suggestions for creating or updating configuration items (requirements, test cases, risks)
Relationship to Formal CCR Reports
The AI-assisted analysis is designed to complement, not replace, the formal Code Change Review report:
Feature | Formal CCR Report | AI-Assisted Analysis
Purpose | Release documentation and audit trail | On-demand insights and recommendations
Format | Structured Excel document | Interactive conversational analysis
Timing | Generated for version releases | Available anytime during development
Compliance | Formal controlled document | Guidance and decision support
Scope | All changes in a version | Specific changes or patterns
Best Practices
Use during development to catch compliance issues early before formal review
Request analysis after significant changes to understand downstream impacts
Combine with formal CCR for comprehensive code change documentation
Ask for specific guidance when uncertain about regulatory implications of changes
For more information about the Ketryx Assistant's code analysis capabilities, see the Assistant documentation.