Originally posted on dev.
TL;DR: by following industry best practices such as linting, unit testing, static code analysis and continuous monitoring of the software.
The software development process has changed a lot in the last few years. Many modern tools and frameworks have built-in support to ensure that the code is clean, maintainable and readable. But any developer can make mistakes while coding a feature they have in mind, and that is totally fine. We have all gone through that stage, and we learnt by making mistakes.
In this article I am going to share some basic to advanced levels of checks which I learnt through working on enterprise software applications. These are some of the best practices that you can follow or explore.
One of the basic setups that gives many advantages in the long run is code linting. It leaves very little room for a developer to write unconventional or unreadable code, and it lets you enforce the coding conventions your team has agreed upon.
My team uses TSLint on our Angular project (it comes by default with the framework) to keep standard clean coding conventions. The typical TSLint config of our project looks something like the image below. (TSLint has since been deprecated in favour of ESLint, and newer Angular projects use ESLint through angular-eslint; the idea of a shared, enforced rule set is the same.)
Unit tests are the biggest layer in the testing pyramid, the one that tells us to test every unit of our code. If you spend enough time writing meaningful, good quality unit tests, it pays off with far fewer bugs reaching later stages.
We use Istanbul's code coverage thresholds with a lines rule of > 85%. We also make sure that any new code added through merge requests meets the same bar, not just the project-wide total, since a large well-tested code base can hide an untested new module behind a healthy average. (How? Read the next parts.)
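One way to implement that merge-request rule, as an added example (not the author's script): it reads the json-summary report that Istanbul can emit and applies the 85% lines threshold both project-wide and to each file the MR touched. The coverage numbers, paths and changed-file list are constructed sample data, and the checkCoverage and findEntry names are this example's own; the only things assumed about real tools are the json-summary shape and the git diff command shown in the comment.

```javascript
// Added example, not the author's script: a coverage gate that applies Istanbul's
// lines threshold both project-wide and to every file touched in a merge request.
// Assumes the shape of Istanbul's json-summary reporter output
// (coverage/coverage-summary.json): a "total" entry plus one entry per file, each
// holding lines/statements/functions/branches as { total, covered, skipped, pct }.
'use strict';

const GLOBAL_LINES_PCT = 85;   // project-wide lines rule from the text
const NEW_CODE_LINES_PCT = 85; // assumed: the same bar for files changed in the MR

// Constructed sample in json-summary shape (paths and numbers are made up).
const SAMPLE_SUMMARY = {
  total: { lines: { total: 1000, covered: 880, skipped: 0, pct: 88 } },
  '/home/ci/ws/src/app/auth/login.component.ts': { lines: { total: 100, covered: 95, skipped: 0, pct: 95 } },
  '/home/ci/ws/src/app/auth/token.service.ts':   { lines: { total: 50, covered: 30, skipped: 0, pct: 60 } },
  '/home/ci/ws/src/app/shared/util.ts':          { lines: { total: 20, covered: 0, skipped: 0, pct: 0 } },
};

// Constructed list of files changed in the MR, as produced by e.g.
//   git diff --name-only origin/main...HEAD -- '*.ts' ':!*.spec.ts'
const SAMPLE_CHANGED = ['src/app/auth/token.service.ts', 'src/app/auth/new-feature.ts'];

// Normalise separators and strip a leading slash so repo-relative names from git
// can be matched against the absolute paths Istanbul writes.
function normalise(p) {
  return p.replace(/\\/g, '/').replace(/^\/+/, '');
}

// Find the summary entry for a repo-relative path by exact or suffix match.
function findEntry(summary, relPath) {
  const rel = normalise(relPath);
  for (const [key, value] of Object.entries(summary)) {
    if (key === 'total') continue;
    const k = normalise(key);
    if (k === rel || k.endsWith('/' + rel)) return value;
  }
  return null;
}

// Returns { ok, failures } listing every threshold that was missed. A changed file
// with no entry in the summary counts as 0% covered rather than being skipped:
// brand-new code with no tests is exactly what this gate exists to catch.
function checkCoverage(summary, changedFiles, opts = {}) {
  const globalMin = opts.globalLinesPct ?? GLOBAL_LINES_PCT;
  const newCodeMin = opts.newCodeLinesPct ?? NEW_CODE_LINES_PCT;
  const failures = [];

  const totalPct = summary.total.lines.pct;
  if (totalPct < globalMin) failures.push(`global lines ${totalPct}% < ${globalMin}%`);

  for (const f of changedFiles) {
    const entry = findEntry(summary, f);
    const pct = entry ? entry.lines.pct : 0;
    if (pct < newCodeMin) failures.push(`${normalise(f)}: lines ${pct}% < ${newCodeMin}%`);
  }
  return { ok: failures.length === 0, failures };
}

// Stand-alone demo on the constructed data; in CI, parse the real summary with
// JSON.parse(fs.readFileSync(...)) and exit non-zero when ok is false.
const demo = checkCoverage(SAMPLE_SUMMARY, SAMPLE_CHANGED);
console.log(demo.ok ? 'coverage gate passed' : 'coverage gate failed:\n  ' + demo.failures.join('\n  '));
```

On the constructed data the project-wide 88% passes, but the gate still fails: token.service.ts sits at 60%, and new-feature.ts has no entry at all, which the script deliberately treats as 0% instead of ignoring. In a pipeline the script runs after the test job with coverage enabled, with the changed-file list supplied from the git diff against the target branch.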
Husky 🐶 is one of the best git hook tools you can add to your project. It gives you the ability to fail first, i.e. to fail in your development environment before the code ever reaches CI. You can add many kinds of hooks; some of the ones we use are
- Checking that commit messages follow the specific format set by the team
- Checking for lint/format issues
- Running the unit test cases when pushing code to the remote repository
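The commit-message hook from that list, written out as an added example (not the author's hook). The page does not say which format the team uses, so the Conventional-Commits-style header, the type allow-list, the 72-character limit and the checkCommitMessage / runHook names are all assumptions of this example; the sample messages are constructed.

```javascript
// Added example, not the author's hook: a husky commit-msg check that enforces a
// Conventional-Commits-style header. The format itself is an assumption (the page
// only says "a specific format set by the team"):
//   <type>(<optional scope>)!: <subject>      e.g. fix(auth): reject expired tokens
// with type from an allow-list, header at most 72 chars, subject lower-case and
// without a trailing period.
'use strict';

const TYPES = ['feat', 'fix', 'docs', 'style', 'refactor', 'test', 'chore', 'build', 'ci', 'perf'];
const MAX_HEADER = 72;
const HEADER_RE = /^(?<type>[a-z]+)(?:\((?<scope>[a-z0-9-]+)\))?(?<breaking>!)?: (?<subject>.+)$/;

// Validates the full message text as git hands it to the hook (editor comments and
// blank lines included). Returns { ok, errors, parsed }.
function checkCommitMessage(message) {
  const errors = [];
  const lines = message.split(/\r?\n/).filter((l) => !l.startsWith('#')); // drop git's comment lines
  const header = (lines.find((l) => l.trim() !== '') || '').trim();

  if (header === '') return { ok: false, errors: ['empty commit message'], parsed: null };
  // Headers git writes itself for merge commits are let through unchanged.
  if (header.startsWith('Merge ')) return { ok: true, errors, parsed: { type: 'merge' } };

  const m = HEADER_RE.exec(header);
  if (!m) {
    return { ok: false, errors: [`"${header}" does not match <type>(<scope>): <subject>`], parsed: null };
  }
  const { type, scope, breaking, subject } = m.groups;
  if (!TYPES.includes(type)) errors.push(`unknown type "${type}" (allowed: ${TYPES.join(', ')})`);
  if (header.length > MAX_HEADER) errors.push(`header is ${header.length} chars, max ${MAX_HEADER}`);
  if (subject.endsWith('.')) errors.push('subject must not end with a period');
  if (/^[A-Z]/.test(subject)) errors.push('subject should start lower-case');

  return {
    ok: errors.length === 0,
    errors,
    parsed: { type, scope: scope || null, breaking: breaking === '!', subject },
  };
}

// Hook entry point: husky passes the path of .git/COMMIT_EDITMSG. Not invoked here;
// the demo below uses constructed messages instead of reading a file.
function runHook(msgPath) {
  const result = checkCommitMessage(require('fs').readFileSync(msgPath, 'utf8'));
  if (!result.ok) {
    console.error('commit message rejected:\n  ' + result.errors.join('\n  '));
    process.exitCode = 1; // a non-zero exit makes git abort the commit
  }
  return result.ok;
}

// Constructed sample messages, as a hook would see them.
const SAMPLE_MESSAGES = [
  'fix(auth): reject expired tokens',
  '# Please enter the commit message for your changes.\n\nchore!: drop node 10 support',
  'Fixed stuff',
  'feat: Add login.',
  'yolo: quick fix',
];
for (const msg of SAMPLE_MESSAGES) {
  const r = checkCommitMessage(msg);
  console.log(`${r.ok ? 'PASS' : 'FAIL'} ${JSON.stringify(msg)}${r.ok ? '' : ' -> ' + r.errors.join('; ')}`);
}
```

Wiring it up: with husky 4 the hook is declared in package.json under "husky" > "hooks" as "commit-msg": "node scripts/check-commit-msg.js $HUSKY_GIT_PARAMS"; with husky 5 and later the .husky/commit-msg script calls the same file with "$1". The other two hooks from the list are plain commands in the same place, typically ng lint on pre-commit and ng test --watch=false on pre-push, so the failure shows up on the developer's machine before a pipeline ever runs.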
On every merge request, a CI/CD pipeline is triggered to lint and format-check the whole code base and to run the unit test cases. This ensures integrity is maintained while adding a new component or feature, and it is the real gate: local git hooks can be skipped with git commit --no-verify, so the pipeline has to repeat the same checks. Other pipelines are scheduled as well, such as deployment on merge, weekly SonarQube checks (read more below) and a monthly vulnerability scan through Veracode.
The Jenkins pipeline is written as Groovy scripts and sends the result reports to the team's mailing list.
The SonarQube platform provides continuous static code analysis for quality assurance. Any technical or non-technical person can go through the various SonarQube reports, such as security findings, code smells and technical debt, and get an overview of the current state of the code.
It also detects missing test coverage, duplication and cyclomatic complexity on the go. The weekly SonarQube pipeline gives us a quality gate that needs to be cleared before going live in production.
Well, this might be optional for many, but enterprise-scale applications need to be shielded with security checks at every level.
Veracode security inspection is a must-have for us. We have a monthly pipeline which uploads a zipped version of the code and runs the scan on the Veracode platform. A monthly cadence does mean a flaw introduced just after a scan can sit unnoticed for weeks, so the weekly SonarQube checks have to carry the load in between.
We also use Black Duck and WhiteHat for more in-depth testing of our applications, so that every layer is covered: Black Duck for software composition analysis of the third-party dependencies we ship, and WhiteHat for dynamic testing of the running application.