M6 - Security Weakness Identification with Continuous Integration

Description

Continuous Integration (CI) is a software development practice that regularly and automatically integrates code changes from multiple contributors into a shared repository. The primary goal of CI is to ensure that new code additions or modifications do not introduce new issues or break existing functionality. This is achieved by frequently building, testing, and validating the codebase, allowing development teams to detect and address issues early in the development cycle. Continuous Integration (CI) promotes collaboration, rapid feedback, and high-quality, stable software delivery.

Use an existing tool and Git Hooks to activate a static analysis tool for a popular repository.

Courses Where This Module Is Integrated

• Software Quality Assurance (Auburn University, Spring 2023, Fall 2023)

• Mobile Security (Tuskegee University, Fall 2022)

Activities 

Pre-lab Content Dissemination 

Pioneered by Martin Fowler (https://martinfowler.com/), continuous integration (CI) is the practice of automatically integrating code changes. A few key principles of CI are: 

• maintain a single source repository

• automate the build

• every commit should build mainline on an integration machine

• keep the build fast

• make it easy for anyone to get the latest executable

• everyone can see what's happening 

As part of this workshop, we will see how we can use an existing CI tool called GitHub Actions(https://docs.github.com/en/actions) and Codacy (https://github.com/marketplace/actions/codacy-analysis-cli) to not only integrate code changes with CI but also check for quality concerns with static analysis. 

In-class Hands-on Experience 

• Create an account on GitHub if you haven't already 

• Fork the repository `https://github.com/paser-group/COVID19` and clone it. See Here how to fork and clone a repository from GitHub.

• Detailed demonstration can be found here with GitHub Actions or follow the instructions in the following link: https://github.com/marketplace/actions/codacy-analysis-cli.

• Create a minor change in any file.

• Commit and push the file on your forked repository. Keep track of the commit message. 

• See the changes in the `Actions` tab within your repository 

• Find the build by the commit message you used while committing 

• See the changes 

The video recording needed for this hands-on experience is available here.

Post Lab Experience

• Repeat all the steps from the in-class experience for the repository `https://github.com/akondrahman/IaCTesting`. This will include forking `https://github.com/akondrahman/IaCTesting`, cloning, adding codacy with GitHub Actions, making changes in a  file, committing and pushing, and finding the build in the `Actions` tab of your repository.

• Find the URL to your CI run and record it in a TEXT file. Also, capture 5 snapshots of the CI run. 

• Complete the survey here: https://auburn.qualtrics.com/jfe/form/SV_cAOhdjfti78MVls