Rolling Commit Reviews

A rolling commit review is designed for projects with active development cycles where a traditional code freeze is impractical. Instead of auditing a single frozen snapshot, Sigma Prime reviewers assess scoped changes incrementally — typically PR by PR — while developers continue implementation and mitigation work in parallel. The engagement ends with an integration review of a final assessed commit and a written report covering the full reviewed scope.

Where it fits.

This model works best when the reviewed scope is tracked explicitly through PRs, commits, or specifications. It lets developers and auditors work in parallel, reducing idle time between finding and fixing issues.

  • 01

    Scope and kickoff. Sigma Prime and the client define the initial audit scope: specification documents, implementation PRs or commit ranges, expected follow-up PRs, exclusions, and key threat-model and deployment assumptions.

  • 02

    Initial commit review. A baseline commit is selected and reviewed similarly to a freeze commit. Issues are shared with the client immediately once validated with a recommendation.

  • 03

    Incremental reviews. Discrete units of work, typically PRs, are reviewed as the client approves them as ready. PRs added during the engagement are scoped in by agreement.

  • 04

    Vulnerability management. Issues are reported through Slack, Linear, GitHub, or equivalent once actionable, classified with developer feedback, and mitigations are reviewed as they land.

  • 05

    Final commit review. Once all scoped PRs and mitigations have merged, we perform an integration and QA pass on a single final assessed commit: fixes still hold, mitigations merged as expected, and no obvious regressions between reviewed PRs.

How the rolling model differs from a freeze commit audit.

Developers are encouraged to patch issues while reviewers continue their review. To minimise context switching, patched issues are typically reviewed when the assigned engineer completes their current PR review. All issues, including low and informational findings, are reported as they are confirmed.

Because development continues during the engagement, some repeated work is inherent: later PRs may modify or remove code already reviewed. Intermediate findings made irrelevant by later changes are still recorded in the report with a resolution explaining why they no longer apply.

The audit opinion applies to the scoped work and the final assessed commit recorded in the report. PRs added late, closed without merging, or changed after review receive reduced coverage unless explicitly re-scoped.

How a rolling commit review works.

Findings flow continuously

Candidate issues may be discussed informally before being promoted to confirmed findings. Once an issue has enough evidence to be actionable it is reported, developer feedback is gathered, and it is classified as valid, invalid, design-accepted, duplicate, or needing more evidence. Mitigation commits are reviewed when available, and the issue is marked resolved or closed once the fix — or the client’s won’t-fix rationale — has been reviewed.

The final report covers the full reviewed scope

The report identifies the initial scoped commit, the final assessed commit, the scoped PRs and specifications, and every finding reported during the rolling review with its resolution status. Resolved findings reference the fix that was reviewed; closed or accepted-risk findings include the client’s rationale where appropriate.

Trade-offs to be aware of

  • Repeated or redundant work: overlapping PRs and removed code require additional scoped effort relative to a freeze commit audit.

  • Redundant issues: intermediate commits may contain issues later made irrelevant; these remain in the report with an explanation.

  • Scope estimation: because development is not fixed, effort estimates need additional buffer relative to the freeze commit model.

  • Reviewing PRs with significant outstanding development leads to redundant work — PRs are reviewed once the client approves them as ready.

Related research and guidance.

Frequently asked questions.

  • When should we choose a rolling review over a fixed-scope audit?

    When a long code freeze is impractical because development is active, and the work can be tracked explicitly through PRs, commits, or specifications. If your codebase can be frozen for the review window, a fixed-scope audit gives tighter coverage per unit of effort.

  • Do we still get a report?

    Yes. After the final commit review, the report records the initial and final assessed commits, the scoped PRs, and the status of every finding reported during the rolling review.

  • How are issues reported during the engagement?

    Issues are shared as soon as they are validated with a recommendation, through Slack, Linear, GitHub, or an equivalent agreed channel — they are not held back for the report.

  • What happens to findings on code that later changes?

    They stay in the report with a resolution explaining why they no longer apply. This keeps the record of the reviewed scope complete.

Other engagements you might be considering.

Talk to us about a rolling commit review.

If your team ships continuously and a code freeze is impractical, tell us about the codebase, the tracked PR set, and your release cadence.

Request a scoping call