Relates to

GovCMS, Drupal
Discovery & strategy, Technical advisory
Web development

What is GovCMS?

GovCMS is a whole-of-government open source web content management system designed by government for government and hosted on a secure public cloud. Find out more about GovCMS

Why you might need a code review

There are many reasons you might need a code review, such as:

  • Maintenance liability: Your code is poorly constructed and difficult to maintain and/or extend/enhance.

  • Undocumented: Your site and the code behind it has been built without any documentation and you need to understand how it's built for: BAU management, security reviews and patching, or undertaking enhancements.

  • Developers have moved on: Your developers (in-house or external vendors) have left and you need someone to review and understand/document your code.

  • Poor performance: Your site is performing poorly and a code review will help you identify bottlenecks/issues/pain-points and plan step-by-step resolution(s).

  • Deprecated code: Your site code needs an upgrade, your site may have been built some time ago and coding techniques and standards have progressed, so new modules or functionality are not currently compatible.

  • Fragmented: Your site has been built function-by-function and so there is little overall cohesion and structure to the code causing potential instability or incompatibility with other modules or functions.

  • Security vulnerability: Your site has a security vulnerability and you need to review the code to identify any issues and establish an effective mitigation resolution/strategy.

Benefits of a code review

Benefits of a code review include:

  • Clean and best practice code, which leads to better site performance across a variety of areas.

  • Documented code to allow developers to understand the site design, architecture, and available functionality to allow and plan enhancements.

  • Performance following best practice coding and functional structures to create a faster more efficient site for users

  • Maintenance is manageable with a known codebase to ensure security vulnerabilities are patched and improved overall health of the system.

  • Compliance standards are being met such as WCAG compliance, DTA design systems and digital service standards (DSS).

  • Security risk profile is known and mitigation strategies in place where required for cyber safety.

Engagement process

Our engagement process is outlined below:

  1. Review questionnaire or brief: Agency to complete a light questionnaire (or send Salsa a high level project brief) reflecting basic requirements and/or project key business drivers.

  2. Intake and alignment: Salsa conducts a free 30-45 minute intake phone call to align on scope, expectations and overall engagement requirements based on the questionnaire or brief.

  3. Project setup

  4. Environment setup and assessment tooling

  5. Conduct code/module review

  6. Produce code/module checklist report covering issues, criticality and recommendations

  7. Produce optional cost estimates for remediation

  8. Report handover and optional stakeholder presentation


As part of the code review, you’ll receive:

  1. Checklist report including criticality indicator for critical, high priority, medium priority and low priority findings

  2. Issue identification and/or potential areas of attention

  3. Recommendations and/or suggested remediations

  4. High level costings on implementing suggested recommendations/remediations (optional)


The code review delivers:

  • Performance improvements with an efficient code base using clean and best practice coding standards to create a faster, more efficient site for users.

  • Roadmap for enhancements and continuous improvement with well-documented code for developers to plan enhancements with a good understanding of the site design, architecture, and current functionality.

  • Well-maintained and healthy system, robust from security vulnerabilities being regularly patched for version and security updates.

  • Compliant, meeting or exceeding required compliance standards including WCAG AA, DTA design systems, and digital service standards (DSS).

  • Improved security with a known risk profile that addresses and contains mitigation strategies against potential cyber attacks.

Fixed price packages





Up to 500 lines of code per module

Up to 2,000 lines of code per module

Up to 5,000 lines of code per module

One-off setup

6 hours @ $195 +GST

$1,170 +GST

Code review

Up to 500 lines of code:

4 hours

@ $195 +GST

$780 +GST

per scripted module

Up to 2,000 lines of code:

16 hours

@ $195 +GST

$3,120 +GST

per scripted module

Up to 5,000 lines of code:

40 hours

@ $195 +GST

$7,800 +GST

per scripted module

Total hours




Total cost

$1,950 + GST

$4,290 + GST

$8,970 + GST

What you get

Our code review packages provide you with a report that identifies all the code issues and gives you recommendations and costings to fix them.

You’ll also have access to:

  • The digital agency that’s the official service provider of the entire GovCMS platform and program

  • A highly qualified and experienced digital agency that has delivered over 30 GovCMS projects since 2015

  • GovCMS product and project delivery specialists with extensive experience in code review, covering both frontend and backend development

  • GovCMS technical solution architect to provide a high level of technical governance and oversight to your project

Our team goes through your code focusing on:

  • How well-organised and structured is the code?

  • Are Drupal coding standards being followed?

  • Is the Drupal API being used according to best practices (i.e. avoiding querying directly to the database)?

  • The use of Javascript and CSS libraries, well-formed markup (W3C validator) and accessibility (WCAG 2.0 AA).

  • Is the right use of PHP logic adopted in template files?

  • Reviewing audit log files (Drupal watchdog, Apache and PHP logs) for compromised code that leaves warnings and notices.

The assessment includes:

  1. Coding standard compliance check

  2. Code security check for vulnerabilities

  3. Coding patterns

  4. Code performance analysis

  5. Business logic validation check

  6. Cross-browser checks for client-side business logic

  7. Module/code testing in test environment

Get in touch

Click the button below or call us on 1300 727 952 for an obligation-free chat about your agency’s needs.

Contact us