SeanKilleen/seankilleen.github.io

Great tools for .NET quality in your CI build

SeanKilleen opened this issue · 0 comments

An answer to a question from a colleague:

SonarQube is often a go-to for me as well. Their .NET Core-backed global tool is pretty good for getting it to run in a CI/CD process.

If you don't have something outputting code coverage, .NET's "dotnet test" command plays pretty well with Coverlet, which I think is something the .NET team uses themselves.

Another option for some cases is NDepend: https://www.ndepend.com/ -- it's a great tool for essentially spelunking your architecture. Originally meant to be a GUI application, but you can buy a build server license for around $600 IIRC. NDepend lets you set some really great custom rules, and you can execute those as part of your build too for some nice architecture-level coverage (making sure things reference the right assemblies, making sure there aren't too many classes over x amount of lines, etc.).

Lastly -- if you get some benchmarks in place with BenchmarkDotNet (which I love), you can integrate that well with most build systems and see how you're trending or fail if things get much slower.

If the team tends to make use of ReSharper, I believe there's also a CI-integrated component there that can check the ReSharper configured rules, etc.

And for code style, there's also "dotnet format": https://github.com/dotnet/format

For security scanning, Veracode is the old-school choice, but I used a competitor called Checkmarx and it was awesome for CI pipeline integration. Way better than Veracode in terms of feedback loops. If you're doing anything with containers, check out Twistlock, Anchore, and Snyk.

And for ensuring your packages are up to date, if you use GitHub for hosting your code, definitely enable Dependabot. It's free and creates PRs for you. Combined with a test suite that gives you confidence, I love reviewing the release notes right in the PR and clicking merge.

Roslyn analyzers