I started using DeepCode.AI a few months ago, initially just sporadically on GitHub projects to get a feel for the product, and eventually using their Visual Studio Code extension for real-time feedback in my IDE.
Now I have gone one step further: integrating their code analysis into our CI/CD pipeline. DeepCode offers a CLI with a fairly simple command:
```
deepcode analyze [OPTIONS]
```
So basically all you need to do is add that command to your CI/CD pipeline.
Configuring GitLab Runners
Since we use custom GitLab Runners on GitLab.com for our build pipeline, I decided on a dedicated stage in my .gitlab-ci.yml, which makes it easy to turn this into a GitLab CI template or simply to reuse it across projects.
```yaml
DeepCode:
  stage: deepcode
  image: python:3-buster
  script:
    - pip install -q deepcode
    - deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt
```
First, ensure you have a build image with Python 3.6+ installed, then install the deepcode Python package. Get the DeepCode API key from their UI and plug it into your pipeline, for example via a GitLab CI/CD variable (mark it as masked so it is not echoed in job logs).
Adding AWS KMS
If you run your GitLab Runner on AWS, you can use AWS KMS to encrypt credentials such as the DeepCode API key, so that only the ciphertext has to be stored with the project:
```bash
# Prints the base64-encoded CiphertextBlob; that string goes into .gitlab-ci.yml
aws kms encrypt --key-id REPLACE_THIS_WITH_YOUR_KMS_KEY_ID \
  --plaintext fileb://<(echo 'REPLACE_THIS_WITH_YOUR_API_KEY') \
  --query CiphertextBlob --output text
```
The .gitlab-ci.yml file can now be extended with a step that decrypts the encrypted DeepCode API key. The ciphertext is committed alongside the pipeline definition, which removes the need for CI/CD variables or other per-project configuration in GitLab. In exchange, the runner needs AWS credentials (for example an instance profile) with kms:Decrypt permission on that key, and anyone who can run a job on that runner can decrypt the secret, so restrict which projects and branches may use the runner.
This is the .gitlab-ci.yml build step I ended up using:
```yaml
DeepCode:
  stage: deepcode
  image: python:3-buster
  script:
    - pip install -q deepcode
    - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    - unzip -q awscliv2.zip
    - ./aws/install
    # 'encrypted-text' is the CiphertextBlob printed by `aws kms encrypt`
    - API_KEY=$(aws kms decrypt --ciphertext-blob fileb://<(echo 'encrypted-text' | base64 -d) --query Plaintext --output text | base64 -d)
    - deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt
```
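The one-liner above silently runs DeepCode with an empty API key if the ciphertext is malformed or the runner's role lacks kms:Decrypt. Below is an added example, not code from the original post or from DeepCode, that wraps the decrypt step in fail-fast functions you can `source` from the job's `script:` section. It assumes the AWS CLI v2 and the deepcode package are installed as in the job above, and uses a hypothetical `DEEPCODE_API_KEY_CIPHERTEXT` variable name for the base64 blob.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): fail-fast wrapper around the
# KMS decrypt step, so a bad ciphertext or missing IAM permission stops the
# job instead of running DeepCode with an empty API key.
set -euo pipefail

# Decrypt a base64-encoded KMS ciphertext blob and print the plaintext secret.
# Assumes the AWS CLI v2 is on PATH and the job's IAM role is allowed to call
# kms:Decrypt on the key that produced the blob.
kms_decrypt_secret() {
  local ciphertext_b64="$1"
  local tmp plaintext
  tmp="$(mktemp)"
  # Decode the blob into a temp file; `base64 -d` exits non-zero on bad input.
  if ! printf '%s' "$ciphertext_b64" | base64 -d > "$tmp" 2>/dev/null; then
    rm -f "$tmp"
    echo "kms_decrypt_secret: ciphertext is not valid base64" >&2
    return 1
  fi
  # The CLI returns the plaintext base64-encoded in the Plaintext field.
  # Command substitution strips the trailing newline that `echo` added at
  # encryption time, so the key is passed to DeepCode exactly as entered.
  plaintext="$(aws kms decrypt --ciphertext-blob "fileb://$tmp" \
                 --query Plaintext --output text | base64 -d)" || plaintext=""
  rm -f "$tmp"
  if [ -z "$plaintext" ]; then
    echo "kms_decrypt_secret: decryption failed or returned an empty plaintext" >&2
    return 1
  fi
  printf '%s' "$plaintext"
}

# Decrypt the key and run the scan over the given --path arguments.
run_deepcode_scan() {
  local ciphertext_b64="$1"; shift
  local api_key
  api_key="$(kms_decrypt_secret "$ciphertext_b64")" || return 1
  deepcode -a "$api_key" analyze "$@" --with-linters -txt
}

# In the CI job (DEEPCODE_API_KEY_CIPHERTEXT is an assumed variable name
# holding the CiphertextBlob from `aws kms encrypt`); uncomment to run for real:
# run_deepcode_scan "$DEEPCODE_API_KEY_CIPHERTEXT" --path ./src --path ./tests
```

Because `set -euo pipefail` is on, a failing `aws kms decrypt` (for example an AccessDeniedException from a runner without the right role) makes the pipeline non-zero, the plaintext stays empty, and the job fails before DeepCode is invoked.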
Doing this was already worth the effort: in one of our projects it found a potential UnhandledPromiseException in a promise chain, which was easy to fix. Such bugs will now be stopped before the code gets merged.