Using DeepCode.AI in your CI/CD pipeline

I started using DeepCode.AI a few months ago, initially just sporadically for GitHub projects to get a feeling of the product and eventually leveraging their Visual Studio Code extension for real-time feedback in my IDE.

Now, I just went one step further: Integrating their code analysis into our CI/CD pipeline. DeepCode offers a CLI with a fairly simple command:

deepcode analyze [OPTIONS]

1	deepcode analyze [OPTIONS]

So basically all you need to do is adding that command, for example in your CI/CD pipeline.

Configuring GitLab Runners

Since we use custom Gitlab Runners on GitLab.com for our build pipeline, I decided for a custom stage in my .gitlab-ci.yml, making it easy to convert this into a GitLab CI template or simply making it a bit more re-usable.

DeepCode:
  stage: deepcode
  image: python:3-buster
  script:
    - pip install -q deepcode
    - deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt

DeepCode:

stage: deepcode

image: python:3-buster

script:

- pip install -q deepcode

- deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt

First, ensure you have a build image with python 3.6+ installed. Install the deepcode python package. Get the DeepCode API Key from their UI, and plug that into your pipeline, for example via GitLab environment variables.

Adding AWS KMS

In case you run your GitLab runner on AWS, you could use AWS KMS to encrypt credentials such as the DeepCode API Key:

aws kms encrypt --key-id REPLACE_THIS_WITH_YOUR_KMS_KEY_ID \
  --plaintext fileb://<(echo 'REPLACE_THIS_WITH_YOUR_API_KEY') \
  --query CiphertextBlob --output text

aws kms encrypt --key-id REPLACE_THIS_WITH_YOUR_KMS_KEY_ID \

--plaintext fileb://<(echo 'REPLACE_THIS_WITH_YOUR_API_KEY') \

--query CiphertextBlob --output text

The .gitlab-ci.yml file can now be enhanced with the decryption step of the encrypted DeepCode API Key. This eliminates the need of using environment variables or other customization in your GitLab project.

This is the .gitlab-ci.yml build step I ended up using:

DeepCode:
  stage: deepcode
  image: python:3-buster
  script:
    - pip install -q deepcode
    - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
    - unzip -q awscliv2.zip
    - ./aws/install
    - API_KEY=$(aws kms decrypt --ciphertext-blob fileb://<(echo 'encrypted-text' | base64 -d) --query Plaintext --output text | base64 -d)
    - deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt

DeepCode:

stage: deepcode

image: python:3-buster

script:

- pip install -q deepcode

- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

- unzip -q awscliv2.zip

- ./aws/install

- API_KEY=$(aws kms decrypt --ciphertext-blob fileb://<(echo 'encrypted-text' | base64 -d) --query Plaintext --output text | base64 -d)

- deepcode -a $API_KEY analyze --path ./src --path ./tests --with-linters -txt

Doing this was already worth the effort. In one of our projects it found a potential UnhandledPromiseException from a promise chain, which was easy to fix. But such bugs will now be stopped before code gets merged.