Tuesday, April 16, 2013

Automated CloudSpokes Code Testing & Analysis with Thurgood

For the past couple of months we've been running "Thurgood" in stealth mode. What is Thurgood, you ask? Thurgood is our new tool to provide automated build, quality and security analysis of submitted challenge code. Thurgood taps into numerous services including Cloudbees, Checkmarx, JSLint, PhantomJS, Checkstyle, and more based upon the platform and/or type of code. The results of nearly all of the events are visible from a secure, challenge-specific Papertrail account for ease of viewing.

Our goal with Thurgood was to implement an automated build process where you, as a participant, could submit your code "early and often" to make sure it is of high quality. Thurgood provides you with information so you can determine if you want to tweak your submission based upon security reviews, add additional test coverage or resubmit if you've forgotten files that caused your build to fail.

When you submit your code for a challenge, it automatically goes through the process below based upon the type of code you submit.

Let's walk through the process of submitting your code for a Salesforce.com challenge. Once submitted, your code is uploaded to cloud storage and sent to the queue for processing depending upon the type of language. Thurgood reserves a development environment, downloads your code, generates the necessary build files and commits all of these required files to git.

Once the code is committed, the post-receive hook notifies Jenkins (running on Cloudbees) of the new code. Jenkins downloads your code from git, runs various Checkmarx security and vulnerability scans, runs ANT to deploy your code, runs all unit tests and finally undeploys all of your code. The results of the Checkmarx scans (PDF, CSV and XML files) are uploaded to S3, while the debug log of the build and unit tests is sent to Papertrail.
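To make the hook step concrete, here is an added example (not Thurgood's own code) of a git post-receive hook that picks out the pushed branches and asks Jenkins to poll for them. The `JENKINS_URL` and `REPO_URL` values and the use of the Jenkins Git plugin's `/git/notifyCommit` endpoint are assumptions; the post does not say how the notification is sent.

```sh
#!/bin/sh
# Added example, not Thurgood's code. Assumed names: JENKINS_URL, REPO_URL and
# the Jenkins Git plugin's /git/notifyCommit endpoint as the notification path.
JENKINS_URL="${JENKINS_URL:-https://jenkins.example.invalid}"
REPO_URL="${REPO_URL:-https://git.example.invalid/challenge/submission.git}"

# git feeds a post-receive hook one "<old-rev> <new-rev> <ref>" line per
# updated ref on stdin. Print the branch names that should trigger a build.
branches_to_build() {
  while read -r old new ref; do
    case "$ref" in
      refs/heads/*) ;;            # only branch updates trigger builds
      *) continue ;;              # tags, notes and other refs are ignored
    esac
    case "$new" in
      *[!0]*) ;;                  # a real commit id
      *) continue ;;              # all zeros: the branch was deleted
    esac
    branch="${ref#refs/heads/}"
    # Conservative allow-list so a crafted ref name cannot put unexpected
    # characters into the request or the build log.
    case "$branch" in
      *[!A-Za-z0-9._/-]*) echo "skipping unsafe ref: $ref" >&2; continue ;;
    esac
    printf '%s\n' "$branch"
  done
}

# Ask Jenkins to poll the repository for one branch.
notify_jenkins() {
  curl --fail --silent --show-error --max-time 10 --get \
    --data-urlencode "url=${REPO_URL}" \
    --data-urlencode "branches=$1" \
    "${JENKINS_URL}/git/notifyCommit"
}

# git exports GIT_DIR when it runs a hook; outside a hook nothing is executed.
if [ -n "${GIT_DIR:-}" ]; then
  branches_to_build | while read -r b; do
    notify_jenkins "$b" || echo "Jenkins notification failed for $b" >&2
  done
fi
```

Recent releases of the Git plugin also expect an access token on this endpoint, which would be passed as one more URL-encoded parameter.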

Back at CloudSpokes, you'll be able to download the generated Checkmarx scan results and log into your challenge's Papertrail account to view the process in detail. You can see if your code passed all tests, contains any security violations and was built successfully. We hope that this tool will make you a better and more profitable developer.
