Bring Code Quality and Security to your CI/CD pipeline

Rate this content
Bookmark

In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.

This workshop has been presented at DevOps.js Conf 2022, check out the latest edition of this JavaScript Conference.

FAQ

SonarQube is a self-managed tool that requires you to host it yourself, offering full control over the tool's management and data. SonarCloud, on the other hand, is a cloud-based service hosted by Sonar, requiring no setup for infrastructure, and it's free for open source projects.

Sonar products, such as SonarCloud, can be integrated into your project's Continuous Integration (CI) pipeline to automate code quality checks, detect bugs, and ensure security compliance. This can be done using tools like GitHub Actions to trigger SonarCloud analyses with each code commit.

SonarCloud automates code quality and security checks, providing detailed reports on bugs, vulnerabilities, code smells, and code coverage. This helps improve code maintainability and reliability, and it supports a wide range of programming languages and integrates with various CI/CD tools.

SonarLint can operate in connected mode with SonarCloud, enabling it to synchronize the rulesets and issues between the IDE and the cloud service. This ensures consistency in code quality checks both locally in the IDE and in the CI/CD pipelines.

Yes, SonarCloud can analyze pull requests and provide feedback on new code changes. It reports issues such as bugs, vulnerabilities, and code smells specifically in the context of the proposed changes, helping to ensure that new contributions do not introduce quality regressions.

Quality Gates are conditions or thresholds set in SonarCloud to determine if a project meets the required standards for code quality and security. If a project passes the Quality Gate, it is considered suitable for deployment; if not, it highlights areas that need improvement before proceeding.

SonarLint is an extension for Integrated Development Environments (IDEs) such as VS Code, JetBrains IDEs, Eclipse, and Visual Studio. It provides instant feedback on code quality and potential bugs directly in the IDE, helping developers to identify and fix issues as they code.

Elena Vilchik
Elena Vilchik
76 min
29 Mar, 2022

Comments

Sign in or register to post your comment.
Video Summary and Transcription
The Workshop introduces Sonar products for code quality and security, including SonarLint, SonarQube, and SonarCloud. It covers setting up SonarLint, configuring rules in SonarCloud, and connecting SonarLint to SonarCloud. The Workshop also explains how to configure GitHub Actions for running tests and generating coverage, and how to use SonarCloud's quality gate and new code analysis. Sonar Cloud supports multiple languages and platforms and has a strong community support system.

1. Introduction to Sonar Products and Plan

Short description:

I will first present myself and Tibor, developers from Sonar. We'll discuss using Sonar products for code quality and security in your project CI. The plan includes eight models for setting up project quality analysis. Sonar provides code quality tools, including SonarLint for instant feedback while coding, SonarQube as a self-managed tool, and SonarCloud as a cloud-based tool.

I will first present myself. Myself and Tibor, so we are both developers from the Sonar Source company or now we call it Sonar and we are both developers of the JavaScript analyzers and today we will be speaking about how you can use the products developed by Sonar for bringing code quality and security into your project CI. We will see this with the Sonar cloud and Sonar Linux. I'm not sure if you heard of this product but definitely you will learn about it soon.

I will show you the plan. Let's say it's one hour and a half but that's a rough estimation. Maybe it will be faster. It depends on how things are going. So here is the plan. I will not just go over it but you have an understanding that there will be eight models. Each model is a baby step on setting up the pipe of your project quality analysis and we will go one by one.

I will stop sharing these slides. Now let's start slowly with the products which we're going to discuss today. So Sonar is a company which provides code quality tools. This is, let's say, an ecosystem. SonarLint is an extension for the IDE, which gives you instant feedback while you're coding. SonarQube is a self-managed tool, so you will need to host it yourself. And SonarCloud is a cloud-based tool which is hosted by Sonar. So you just buy a subscription there or it is free for open source projects and you just use it. So today for the simplicity, we will use SonarCloud, of course, so that we don't need to take care of setting up the SonarQube.

2. Forking the Project and Setting Up SonarLint

Short description:

Let's start by forking the simple small project from MDN. Fork it into your organization and clone it locally. Open the project in VS Code and focus on the 'source/app' file. Install the SonarLint extension and address the reported code problems. You can configure the SonarLint rules and disable any unnecessary ones. Finally, find the rule about shorthand syntax.

So let's start and I will ask you in the next slide, on the slide number six. There is a link. So this is, I have it open already, that's the fork of the simple small project. This is a project from MDN, I forked it and I changed it a tiny bit to have it more appropriate for our purposes. So, could you please now fork this repository to your organization? So you have this fork button over here. I will not do it, because I have already have two. You fork it into your organization where you have rights. And so you press here and you should see the organization here and you need to press it. As soon as you have forked it, please open it, so you should see your, I don't know, John slash todo react. And now you should, you can clone this project locally. You can copy the SSH link to it. And you can clone the repository locally with git clone and insert this link. So I just have my some empty directory which I created for our workshop for devop.js and I just clone it in there. So we have cloned the wrapper and now let's go to VS Code.

So VS Code is one of the ideas which is supported by Sonor lint. I picked it up because it's the most common idea for the JS development. Also JetBrains ideas are supported, Eclipse, Visual Studio. I think that's it. So let's open our project into this. We'll just use the menu here. Open folder. And I will open this project here. So let's open the file source. I don't know where I got the file name. So let's open the file source slash app. So this will be the file we will be focusing today. So you might ignore the rest. So that's a Simple React project, which does the addition of to-do items, so your, I don't know, daily tasks or whatever. So it's a small demo project based on YouTube's yarn. So you can install yarn dependencies, while it's not in fact so much required now. And now let's install the Sunerlint extension.

So in this extensions tab in VS Code, where these four squares, you can just type Sunerlint and it's on the top and you will click on the install button. And it is installing and here it is. And instantly we are getting some underlined code. So this is sunerlint telling us that there are some problems in the code, or things to improve for the maintainability purposes. For example, there is a commented code here which might be confusing for maintainers. Here you have an import from React two times so you can merge these imports to be more concise, etc. So we have different issues here. In the VS Code at the bottom you have this warning, at the bottom in this tab you see the Sonor Lint reporting you the problems in the code. So there are warnings. Okay, I'm not sure what does this icon meaning. In Sonor Lint you can configure the rules. So if you open this explorer tab, the first tab where you see the files at the bottom there is a Sonor Lint rules tab. It's not super handy but that's what VS Code gives us. So you have the list of rules here and for them, those rules which are activated have on and those which are deactivated have off. So we have this default set of rules, which is running by default, which we expect will satisfy everybody, but for sure you might want to disable something. For example, here we have like, okay you don't need to create this variable, just directly return this rule or this expression. So you might want to disable the variable, the rule and you just can click it from here. Also for each rule you have a description. You can also access it from this bulb, and you have here description of the rule and examples examples of good and bad code, and the last thing we're gonna do now is let's find in this list of the rules the rule about shorthand syntax.

Watch more workshops on topic

Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
JSNation US 2024JSNation US 2024
148 min
Hands-On Workshop: Introduction to Pentesting for Web Apps / Web APIs
Featured Workshop
Gregor Biswanger
Gregor Biswanger
In this hands-on workshop, you will be equipped with the tools to effectively test the security of web applications. This course is designed for beginners as well as those already familiar with web application security testing who wish to expand their knowledge. In a world where websites play an increasingly central role, ensuring the security of these technologies is crucial. Understanding the attacker's perspective and knowing the appropriate defense mechanisms have become essential skills for IT professionals.This workshop, led by the renowned trainer Gregor Biswanger, will guide you through the use of industry-standard pentesting tools such as Burp Suite, OWASP ZAP, and the professional pentesting framework Metasploit. You will learn how to identify and exploit common vulnerabilities in web applications. Through practical exercises and challenges, you will be able to put your theoretical knowledge into practice and expand it. In this course, you will acquire the fundamental skills necessary to protect your websites from attacks and enhance the security of your systems.
0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
Why is CI so Damn Slow?
DevOps.js Conf 2022DevOps.js Conf 2022
27 min
Why is CI so Damn Slow?
Slow CI has a negative impact on productivity and finances. Debugging CI workflows and tool slowness is even worse. Dependencies impact CI and waiting for NPM or YARN is frustrating. The ideal CI job involves native programs for static jobs and lightweight environments for dynamic jobs. Improving formatter performance and linting is a priority. Performance optimization and fast tools are essential for CI and developers using slower hardware.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
End the Pain: Rethinking CI for Large Monorepos
DevOps.js Conf 2024DevOps.js Conf 2024
25 min
End the Pain: Rethinking CI for Large Monorepos
Today's Talk discusses rethinking CI in monorepos, with a focus on leveraging the implicit graph of project dependencies to optimize build times and manage complexity. The use of NX Replay and NX Agents is highlighted as a way to enhance CI efficiency by caching previous computations and distributing tasks across multiple machines. Fine-grained distribution and flakiness detection are discussed as methods to improve distribution efficiency and ensure a clean setup. Enabling distribution with NX Agents simplifies the setup process, and NX Cloud offers dynamic scaling and cost reduction. Overall, the Talk explores strategies to improve the scalability and efficiency of CI pipelines in monorepos.
Atomic Deployment for JS Hipsters
DevOps.js Conf 2024DevOps.js Conf 2024
25 min
Atomic Deployment for JS Hipsters
This Talk discusses atomic deployment for JavaScript and TypeScript, focusing on automated deployment processes, Git hooks, and using hard links to copy changes. The speaker demonstrates setting up a bare repository, configuring deployment variables, and using the post-receive hook to push changes to production. They also cover environment setup, branch configuration, and the build process. The Talk concludes with tips on real use cases, webhooks, and wrapping the deployment process.
How to Build CI/CD Pipelines for a Microservices Application
DevOps.js Conf 2021DevOps.js Conf 2021
33 min
How to Build CI/CD Pipelines for a Microservices Application
Top Content
This Talk discusses the benefits of microservices and containers for building CI-CD pipelines. It explains how container technology enables portability and scalability. The challenges of microservices include network communication and testing in isolation. The Talk introduces Tacton, a cloud-native CICD pipeline for Kubernetes, and highlights the use of GitOps and Argo CD. It also discusses the importance of maintaining referential integrity between microservices and the evolving role of operators in the DevOps world.