Code review in defense software is not the same activity as code review in a commercial SaaS shop. The mechanics look similar — a pull request, a reviewer, a comment thread, an approval — but the threat model, the auditability requirements, and the legal exposure are different. A reviewer in a cleared program is not just catching bugs; they are producing accreditation evidence, enforcing classification boundaries, and acting as one half of a two-person rule on code paths that may end up running inside a NATO mission system.
This article is an engineering walkthrough of how cleared-program teams structure code review: who routes to whom, what the PR template looks like, how static analysis fits in without leaking source, how CWIX freezes and integration windows reshape the review gate, and how the documentation trail satisfies an auditor years after the merge.
1. Why Defense Code Review Differs
The first principle: in defense software, the adversary threat model assumes insiders. A commercial review process optimizes for catching honest mistakes by a trusted team. A defense review process must also raise the cost of a deliberately malicious change by a cleared developer with legitimate commit access. That changes how you read a diff. A subtle constant flip in a cryptographic comparison, a quiet broadening of a network ACL, a new outbound URL slipped into a config — these are the patterns a defense reviewer is paid to notice, not just typos and missing tests.
The second principle: source code in cleared programs is itself classified, or at minimum controlled. The repository's branch protections, the reviewer's clearance level, the network the review takes place on, and the tooling allowed to read the diff are all part of the classification handling chain. A review performed in a tool that ships diffs to an uncleared SaaS backend is a spill. The platform choice is a security control, not an IT preference.
The third principle: every review is auditable evidence. AQAP 2110 assessors, DCMA software auditors, and accreditation officials will, years later, ask: who approved this change, against what checklist, with what evidence of test coverage, on what date relative to the security baseline? The PR thread is the answer. If the thread is empty — "LGTM, merging" — there is no answer.
2. Reviewer Routing — CODEOWNERS for Classification
The mechanical backbone of a cleared-program review process is a CODEOWNERS file that encodes classification, not just team ownership. A commercial CODEOWNERS line says "this directory is owned by the platform team." A defense CODEOWNERS line says "this directory contains code that touches classified-network interfaces; reviewers must hold at least SECRET clearance and one of them must be on the cross-domain solution team."
Concretely, this is enforced through three layers. First, the CODEOWNERS file routes PRs to clearance-tagged GitHub or Azure DevOps teams (for example, @org/cleared-secret-reviewers, @org/nato-interop-reviewers). Second, those teams are populated only via a controlled provisioning script that cross-references the corporate clearance roster — being added to the team is itself an auditable event. Third, branch protection rules require approval from the routed team, not just any reviewer with write access. A reviewer outside the cleared team cannot satisfy the protection rule even if they hit "Approve."
For higher-impact directories — cryptographic primitives, classification-marking logic, cross-domain guard code — the policy is "two cleared eyes." Branch protection requires at least two approving reviewers from the cleared team, both of whom have explicitly reviewed within the last 24 hours (stale approvals are dismissed on push). This is the mechanical implementation of the two-person rule in source control.
3. Security Checklists in PR Templates
The PR template is where review discipline becomes legible to auditors. A defense PR template is not the three-line "what / why / how" of a SaaS shop. It is a structured checklist that the author fills in and the reviewer verifies, line by line, with the comment thread as the evidence record.
A working template covers: STIG cross-references (which DISA STIG controls does this change touch, and does the change preserve compliance?), OWASP ASVS items for any application-layer change (input validation, output encoding, session handling at the verification level the program is accredited to), classification of any data the change processes, test coverage delta with explicit numbers, and a declaration of whether the change touches export-controlled cryptography or interop interfaces.
The checklist-as-code pattern is the right implementation: the PR template lives in .github/PULL_REQUEST_TEMPLATE.md (or the Azure DevOps equivalent), is version-controlled, and changes to it themselves require review. The accreditation officer can produce, on demand, the exact checklist version that was active when a given PR was merged. That traceability is what turns a checklist from a hygiene habit into accreditation evidence.
4. Static Analysis as a Reviewer Aid
Static analysis in a defense pipeline is not a replacement for human review; it is a force multiplier that lets the cleared reviewer spend their attention on the patterns only a human can catch. The standard stack: Semgrep with custom rules tuned to the program's threat model, GitHub CodeQL queries for taint analysis on data flows that cross classification boundaries, and a language-specific deep analyzer (Coverity, SonarQube on-prem, or equivalent) for memory-safety and concurrency bugs in C/C++ or Rust unsafe blocks.
The custom-rule layer is the part that matters most. A stock OWASP ruleset will catch generic SQL injection. A program-specific Semgrep rule catches "any function that emits to the outbound interop socket without first running through the classification-marker validator." Those rules are themselves reviewable artifacts that the accreditation team can inspect.
The "AI-assisted review without leaking source" reality is worth naming directly. Cleared programs cannot pipe their diffs into a public LLM endpoint. The viable paths are: an on-prem inference deployment on the program network, a sovereign cloud LLM hosted inside the accredited boundary, or no LLM at all on classified branches. The CTO who quietly enables a SaaS code-review copilot across a cleared repository has just authored a spill report. The right architecture isolates AI assistance to controlled enclaves and treats the model itself as an accreditation-scope component.
5. CWIX-Bound Review Gates
For any program touching NATO interoperability — coalition C2, federated logistics, link-layer adapters — the annual CWIX (Coalition Warrior Interoperability eXercise) cycle reshapes the review calendar. PRs that touch interop code are subject to two extra gates that commercial teams never see.
First, any change to a NATO STANAG-aligned interface (STANAG 5066, 4774/4778 confidentiality labels, Link 16/22 adapters, FMN spiral interfaces) routes to a mandatory STANAG-domain reviewer in addition to the standard cleared reviewer. That reviewer's job is to verify the change against the active STANAG edition and the program's interoperability test plan. An approving signature here is what later allows the integration team to claim conformance.
Second, integration tests must pass against the program's coalition test harness before merge, not just the unit test suite. A green unit test run with a red coalition harness is a blocking failure, not a "we'll fix it later."
The no-merge-during-CWIX-freeze pattern is the third gate. In the four to six weeks bracketing the CWIX event, the interop branch is frozen for everything except CWIX-scope fixes signed off by the exercise lead. Commercial teams find this disruptive; cleared teams plan their roadmap around it. The freeze is non-negotiable because a last-minute merge that breaks a coalition partner's integration at Bydgoszcz costs the program credibility that takes years to rebuild.
6. Two-Person Rule for Sensitive Code
Some code paths warrant a higher bar than even the cleared-team default. Cryptographic primitives — key derivation, random number generation, signature verification — get two cleared reviewers with explicit cryptographic competence noted in their reviewer profile. Key-handling code (any function that touches a private key, a session key, or a key-wrapping key in cleartext) gets the same. Classified-data paths — code that marshals data tagged as classified across a process boundary — gets the same.
The discipline is not just "two people approve." It is two people who can each independently explain to the accreditation officer why the change is safe. A rubber-stamp second approval is worse than a single approval because it manufactures false assurance. Programs enforce this culturally by rotating who is the "primary" reviewer on sensitive PRs and by requiring each reviewer to leave a substantive comment, not just a thumbs-up.
The same higher-bar rule applies to SBOM-affecting changes: adding a new third-party dependency to a cleared program is a two-cleared-eyes event because supply-chain risk is in scope.
Key insight: The two-person rule does not slow cleared programs down — what slows them down is treating every PR as if it were a key-handling change. The discipline is selective rigor: aggressive routing of high-impact files, lightweight review for the rest. CODEOWNERS is how you express the selectivity in code.
7. Documentation Trail for Auditors
The PR description is accreditation evidence. Years after the merge, the program will be audited — by DCMA, by an accreditation renewal, by a government customer's independent verification team, or by the program's own quality team preparing for an AQAP surveillance visit. The auditor will ask: show me every change to module X between dates Y and Z, with the reviewer, the checklist version, the test evidence, and the security justification. The audit answer is a search query against the PR history. If the PR descriptions are empty, the answer is "we cannot produce that record" — which is itself a finding.
The searchable-history requirement drives three concrete practices. First, PR titles follow a convention that includes the affected component and the classification scope, so a grep over the git log yields useful results. Second, PR descriptions reference the change request, the test plan section, and the STIG or STANAG control touched — those references are themselves grep-able. Third, the platform is configured to retain PR comment threads for the program's full retention window, which for many cleared programs is the operational life of the system plus a multi-year tail. A SaaS code platform that purges old PR threads is not acceptable for a cleared program; on-prem or sovereign-cloud hosting is the answer.
The same retention discipline applies to CI logs that prove a test passed at the time of merge. A reviewer who says "tests passed" without a linked CI run identifier has produced an unverifiable claim.
8. Review-Culture at Scale
The hardest part of cleared-program review discipline is not the tooling — CODEOWNERS, branch protections, PR templates are mechanically straightforward. The hardest part is the culture: maintaining the discipline across a team of fifty cleared engineers under delivery pressure, year after year, without the discipline eroding into rubber-stamping.
Onboarding cleared reviewers is the first leverage point. New reviewers shadow senior reviewers for their first ten PRs, leaving co-signed comments. They are not added to the CODEOWNERS team until a senior reviewer signs off on their calibration. The investment is non-trivial — two to three weeks of senior reviewer time per new hire — but it is the cost of preserving the bar.
Calibration sessions are the second leverage point. Quarterly, the cleared reviewer pool meets to review a sample of recent PRs together, surface disagreements about what should have been flagged, and update the team's review playbook accordingly. This is how a team's tacit knowledge becomes explicit and transferable, and how the playbook stays current as threat models evolve.
The "fast reviews vs careful reviews" tension is real and cannot be wished away. Cleared-program teams resolve it by being explicit about which PRs get which treatment. A dependency bump that passes the SBOM gate and touches no cleared code can get a fast track. A change to the classification-marker validator gets the full two-cleared-eyes, multi-day cycle, full stop. The team's review SLA is bimodal by design, not a single average that pretends every change is the same.
None of this works without leadership backing. The first time a program manager pressures the reviewer pool to "just approve it, we're late on the milestone," the discipline starts dying. Programs that survive accreditation are the ones where the engineering lead has the standing to say "no" to that pressure — and where the customer's program officer understands that the review gate is what makes the deliverable accreditable in the first place. A cleared team is not just a roster of clearances; it is a culture of review that the clearances make possible.