What is Velocity Governance?

Velocity Governance is the discipline of observing whether engineering practices keep pace with development velocity. As teams adopt AI and ship faster, Concordance monitors 50 protocols across 6 SDLC phases to ensure quality, security, and compliance don't degrade.

How does Concordance help with CRA compliance?

Concordance maps 50 engineering protocols to all 21 CRA Annex I essential requirements, generating continuous audit-ready evidence from your actual engineering toolchain — GitHub, GitLab, Jira, Linear, and more. No manual documentation required.

How does Concordance help with NIS2 compliance?

Concordance maps 50 engineering protocols to all 10 NIS2 Article 21(2) essential measures, providing continuous compliance evidence from your SDLC. It covers supply chain security, incident handling, risk assessment, and secure development practices.

The Foundation Scan is completely free — scan any public GitHub repository and get engineering practice scores across 50 protocols in under 60 seconds. No sign-up required. Pro plans start at $49/month for continuous monitoring.

How is Concordance different from DORA metrics?

DORA metrics measure deployment frequency, lead time, change failure rate, and recovery time — they tell you how fast you ship. Concordance measures 50 engineering practices across 6 SDLC phases — it tells you if your processes can keep up with that speed. They're complementary: DORA measures velocity, Concordance governs it.

What does Concordance access?

Concordance reads only metadata — PR configurations, CI pipeline configs, branch protection rules, dependency manifests, and workflow signals. It never accesses source code, secrets, or credentials.

Concordance Labs · April 2026

The Team at Concordance

April 2026 · 6 min read

Code Review Quality: Beyond Rubber-Stamp Approvals

The Review Quality Problem

Many teams have code reviews in name only. Pull requests come in, get approved by the same two people every time (within minutes), and merge the next day. The reviews are rubber stamps—checked off because the process requires them, not because anyone is actually examining the code.

Other teams treat reviews as a bottleneck. Pull requests pile up waiting for a single reviewer. The time-to-review stretches from hours to days. Developers context-switch away to other work. The review, when it finally happens, is rushed because both the reviewer and author have moved on.

Both approaches are worse than no reviews at all. The first creates the illusion of quality control while passing bugs and security issues through. The second slows delivery without improving quality.

What Review Quality Actually Means

Code review quality is measured by whether reviews catch issues, not by how fast they happen or how many people sign off. A quality review asks: Is this logic correct? Does this introduce a security vulnerability? Are there edge cases we're not handling? Is the performance impact understood? Will someone six months from now understand why this code was written this way?

The signals of quality reviews are:

Review depth: Comments on logic, not just style. Questions about assumptions and edge cases.
Time-to-review: Reviewed within a day, not stalled for a week. Fast enough to maintain context, slow enough to be thoughtful.
Reviewer diversity: Different people review code, spreading knowledge and preventing single-person blindness.
Requested changes: Some PRs get revisions. If every PR merges on first approval, reviews aren't catching issues.
Comment frequency: Quality reviews have multiple exchanges between author and reviewer. It's a conversation, not a sign-off.

Common Anti-Patterns

Watch for these signs that your code reviews have become theater:

Single-reviewer teams: Only one person approves all code. That person becomes a bottleneck and can't catch issues because they're context-switching constantly.
Auto-approvals: GitHub Actions or bots automatically approving PRs. This is security theater.
Author-assigned reviewers always approve: When the PR author picks who reviews their code, they pick the person most likely to approve it quickly.
Approval without comments: Reviewer reads nothing and hits approve. The pull request says it was reviewed; it wasn't.
Stale reviews: Code changes after initial approval, but the review is never re-validated.
No revisions requested in months: If your team never asks for changes, you're not reviewing—you're blessing.

How to Build Real Reviews

Good code review culture requires three things:

1. Rotate reviewers. Don't let the same two people review every PR. Distribute the review load. This spreads knowledge, prevents bottlenecks, and makes it harder to rubberstamp.

2. Protect review time. Code review should be a job, not something reviewers squeeze in between other work. If a developer is interrupted by 10 Slack messages while reviewing a PR, the review will be shallow. Allocate time.

3. Ask questions. When you see code that seems odd, ask why. "Why are we caching this?" "What happens if this returns null?" "Did you consider SQL injection here?" Good questions force good explanations. If the author can't explain it, maybe it shouldn't merge.

How Concordance Scores It

Concordance analyzes actual review patterns in your repositories. It measures:

How many different reviewers approve your PRs?
What's the average time between PR open and first review?
What percentage of PRs get revision requests vs. immediate approval?
How many comments per review? (Shallow = fewer comments.)
Are stale reviews being dismissed when code changes?

A team with diverse reviewers, quick response times, frequent revisions, and substantive comments scores high. A team with always-the-same approvers, months-long backlogs, and one-line approvals scores low. This isn't a judgment—it's a measurement of how your actual process works.

Related Guides

Measure the quality of your code reviews against best practices.

Run a free Foundation Scan →See how practice scoring works →