[CR1.5: 44] Make code review mandatory for all projects.
Code review is mandatory for all projects under the SSG’s purview, with a lack of code review or unacceptable results stopping a release, slowing it down, or causing it to be recalled. While all projects must undergo code review, the process might be different for different kinds of projects. The review for low-risk projects might rely more heavily on automation, for example, whereas high-risk projects might have no upper bound on the amount of time spent by reviewers. Having a minimum acceptable standard forces projects that don’t pass to be fixed and reevaluated. A code review tool with nearly all the rules turned off (so it can run at CI/CD automation speeds, for example) won’t provide sufficient defect coverage. Similarly, peer code review focused on quality and style won’t provide useful security results.