CodeQuality

Run a code quality and security audit report with one command: code_quality.

Principle

If you can’t measure it, you can’t improve it.

Installation

gem install code_quality

Or add this line to your application's Gemfile:

group :development do
  gem 'code_quality'
end

And then execute:

$ bundle

Usage

To generate security audit and code quality report:

code_quality

or run it as a rake task: rake code_quality (Read More)

This outputs a report like:

# Code Quality Report

Generated by code_quality (v0.1.3) @ 2018-01-12 16:32:20 +0800

## bundler audit - checks for vulnerable versions of gems in Gemfile.lock

......

Code Quality Report Example

Code Quality Report Details Example

Two major audit tasks

There are two types of audit tasks, security_audit and quality_audit, and each sub task can also be run separately.

In summary:

  • run code_quality security_audit to get security audit report
  • run code_quality quality_audit to get code quality report

[Tips] Run code_quality -T to display all tasks.

Report result in Markdown format

The report is written in Markdown, so you can redirect it to a file with code_quality > code_quality_report.md and then open it with a Markdown editor.

Security Audit

Uses bundler-audit for patch-level verification of Ruby projects that use bundler, and brakeman to detect security vulnerabilities in Rails applications.

usage:

# run security audit tasks
code_quality security_audit

output example:

options for security_audit:

# e.g.: code_quality security_audit bundler_audit_options="--ignore CVE-2015-9284"
# options:
#   bundler_audit_options: pass extra options, e.g.: bundler_audit_options="--ignore CVE-2015-9284 --verbose"

work with CI

It is recommended to set up this task as part of a CI pipeline, for example by adding a job to the "test" stage in Gitlab-CI:

# .gitlab-ci.yml
code_security_audit:
  stage: test
  script:
    - gem install code_quality
    - code_quality security_audit

Gitlab-CI pipeline example:

Gitlab then sends a notification with the failure info, for example:

[Tips] Code analyzers are your friends for writing secure code, since they're diligent and they don't get tired, thirsty, hungry, or bored.

Each sub task can be run separately

# bundler audit - checks for vulnerable versions of gems in Gemfile.lock
code_quality security_audit:bundler_audit

# with bundler_audit cli options
code_quality security_audit:bundler_audit bundler_audit_options="--ignore CVE-2020-5267 CVE-2020-10663"

# brakeman audit - checks Ruby on Rails applications for security vulnerabilities
code_quality security_audit:brakeman

# with brakeman cli options
code_quality security_audit:brakeman brakeman_options="--skip-files app/views/"

# show helpful URLs
code_quality security_audit:resources

Code Quality Audit

Based on these Ruby code analysis gems, you can choose the ones that suit your project:

  • use rubycritic, which wraps static analysis gems such as Reek, Flay and Flog, to get a quality report and an evaluated score for your Ruby code.

  • use rubocop to audit coding style and get refactoring suggestions.

  • use metric_fu to get many kinds of code metrics from Flog, Flay, Saikuro, Churn, Reek, Roodi, Code Statistics, and Rails Best Practices (and optionally RCov).

In summary:

  • run code_quality rubycritic to get an evaluated score and code smells
  • run code_quality rubocop to audit coding style and get refactoring suggestions
  • run code_quality metric_fu to get many kinds of code metrics, including Rails best practice suggestions; recommended for Rails projects

usage:

# run all code quality audit tasks
code_quality quality_audit

output example:

[Tips] You don't have to run all audit tasks: some code metrics are computed by both rubycritic and metric_fu. Choose tasks based on your needs; the more tasks you run, the longer the run takes, unless running time is not a concern for you.

Run audit task with audit value option

When you pass an audit value option, the audit task compares it with the corresponding result in the report; if the result fails the threshold (for example a score lower than lowest_score), the task returns a non-zero exit status and prints the failure reason:

# audit with lowest_score option
code_quality quality_audit:rubycritic lowest_score=94.5

output example:

Each audit task accepts different audit value options

options for rubocop
# e.g.: code_quality quality_audit:rubocop rubocop_max_offenses=100
# options:
#   config_formula: which config to use; supports "github", "rails" or path_to_your_local_config.yml, default is "github"
#   cli_options: pass extra options, e.g.: cli_options="--show-cops"
#   rubocop_max_offenses: when set, the number of offenses detected in the report is audited against it, e.g.: rubocop_max_offenses=100

output example:

options for metric_fu
# e.g.: code_quality quality_audit:metric_fu metrics=stats,rails_best_practices,roodi rails_best_practices_max_offenses=9 roodi_max_offenses=10
# options:
#   metrics: runs all metrics by default; can be configured as a comma-separated list from: cane,churn,flay,flog,hotspots,rails_best_practices,rcov,reek,roodi,saikuro,stats
#   flay_max_offenses: maximum number of offenses allowed by the audit
#   cane_max_offenses: maximum number of offenses allowed by the audit
#   rails_best_practices_max_offenses: maximum number of offenses allowed by the audit
#   reek_max_offenses: maximum number of offenses allowed by the audit
#   roodi_max_offenses: maximum number of offenses allowed by the audit

output example:

options can be combined
# run all at once
code_quality quality_audit lowest_score=90 rubocop_max_offenses=100 metrics=stats,rails_best_practices,roodi rails_best_practices_max_offenses=10 roodi_max_offenses=10
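As an added illustration (not code from the code_quality gem), the following Ruby models how these audit value options gate a run: a score option is a floor the result must reach, a *_max_offenses option is a ceiling it must not exceed, and any miss produces a failure message and a non-zero exit status. The option names are the ones documented above; the rule table, the constructed report results and the function names are assumptions made for this example.

```ruby
# Added example, not part of the code_quality gem: models how audit value options
# such as lowest_score=94.5 or rubocop_max_offenses=100 decide whether a run fails.
# Scores are floors (result must be >= option); *_max_offenses are ceilings (result must be <=).
AUDIT_RULES = {
  "lowest_score"                      => :floor,
  "rubocop_max_offenses"              => :ceiling,
  "flay_max_offenses"                 => :ceiling,
  "cane_max_offenses"                 => :ceiling,
  "rails_best_practices_max_offenses" => :ceiling,
  "reek_max_offenses"                 => :ceiling,
  "roodi_max_offenses"                => :ceiling,
}.freeze

# Parse "key=value" command-line words into a Hash. Audit value options become numbers;
# other options (e.g. metrics=stats,roodi) are kept as raw strings for the task itself.
def parse_options(argv)
  argv.each_with_object({}) do |arg, opts|
    key, value = arg.split("=", 2)
    next if value.nil? || value.empty?
    opts[key] = AUDIT_RULES.key?(key) ? Float(value) : value
  end
end

# Compare report results (constructed hash keyed like the options, e.g.
# { "lowest_score" => 91.2, "rubocop_max_offenses" => 130 }) against the options.
# Returns the list of failure reasons; empty when every configured audit passes.
def audit_failures(options, results)
  options.each_with_object([]) do |(key, threshold), failures|
    rule = AUDIT_RULES[key]
    next unless rule                 # not an audit value option, nothing to check
    actual = results[key]
    next if actual.nil?              # metric not present in this report, skip
    passed = rule == :floor ? actual >= threshold : actual <= threshold
    next if passed
    failures << if rule == :floor
                  format("%s: score %g is lower than the required %g", key, actual, threshold)
                else
                  format("%s: %d offenses exceed the maximum of %d", key, actual, threshold)
                end
  end
end

# Exit status a CI job would see: 0 when all audits pass, 1 otherwise.
def exit_status(failures)
  failures.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  opts = parse_options(%w[lowest_score=94.5 rubocop_max_offenses=100 roodi_max_offenses=10])
  report = { "lowest_score" => 91.2, "rubocop_max_offenses" => 100, "roodi_max_offenses" => 12 } # constructed
  failures = audit_failures(opts, report)
  puts failures, "exit status: #{exit_status(failures)}"
end
```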

work with CI

Configure audit value options that match your own Ruby/Rails project, for example:

# .gitlab-ci.yml
code_quality_audit:
  stage: test
  script:
    - gem install code_quality
    - code_quality quality_audit lowest_score=93 rails_best_practices_max_offenses=10

[Tips] Don't rely on your own diligence; letting CI do the boring, repetitive, time-consuming jobs makes programming more enjoyable.

code quality audit task report

The code quality audit task report is saved to tmp/code_quality/quality_audit/ and automatically opened in a web browser.

rubycritic report example:

rubocop report example:

metric_fu report example:

metric_fu analyzed file report example:

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/rainchen/code_quality.

License

The gem is available as open source under the terms of the MIT License.