Git, according to some surveys, is now the most widely used source control management (SCM) system for software development. Git implements a distributed version control system (DVCS) that lets developers work completely disconnected and offers better merge support than centralized version control. Git is freely available, although several vendors provide wrappers for it with rich user interfaces and advanced configuration and management options. GitHub, for example, provides a cloud-based web user interface, desktop and mobile integration, and additional features such as a wiki, task management, and bug tracking. GitHub has over 9 million users with 21 million repositories, making it the largest code hosting service in the world. Services like BitBucket, Kiln, GitLab, and others have also contributed to the rise of Git usage. Even Microsoft has adopted Git, making it an option for those running Team Foundation Server (TFS).
With our recent release of Code Dx we made it super easy to analyze a Git repository for quality and security issues. Here’s how:
Step 1: Create a new project
For this example, we’ll use a purposely vulnerable Ruby on Rails application by OWASP called RailsGoat. We’ll first create a new project.
Step 2: Configure Git
Now that the project has been created we need to point it at the Git repository. Click the Git Config button from the Projects page. For RailsGoat, the code is hosted on GitHub, so we can simply use that URL. Code Dx looks for the master branch, which is typically the default. You can switch to another branch here if you'd like.
Code Dx also detects that this is a public repository, so credentials are not needed. If credentials were required, Code Dx would allow you to enter HTTP or SSH credentials as described in our help.
Clicking OK will start the clone of the repository to the Code Dx server.
Step 4: View, triage, and fix the findings
Once the analysis is complete, the results can be triaged and reviewed in the Code Dx web interface or our IDE plugins.
This blog describes getting source code from a Git repository into Code Dx and is really geared toward someone who wants to do periodic manual audits. What if you're not using Git, and instead using something like Subversion, Mercurial, or Team Foundation Version Control (TFVC)? In that case, you can download the source outside of Code Dx, zip it up, and upload the zip file in Step 3. Alternatively, and more useful for a continuous assurance approach, you can use our Jenkins and IDE plugins, or our REST API. Let us know if there's another SCM that you'd like to see integrated. We'd love to hear your feedback.