
Git, according to some surveys, is now the most widely used source control management (SCM) system for software development. Git implements a distributed version control system (DVCS) that lets developers work completely disconnected and offers better merge support than centralized version control. Git is freely available, although several vendors provide wrappers for it with rich user interfaces and advanced configuration and management options. GitHub, for example, provides a cloud-based web user interface, desktop and mobile integration, and additional features such as a wiki, task management, and bug tracking. It has over 9 million users and 21 million repositories, making it the largest code hosting service in the world. Services such as Bitbucket, Kiln, GitLab, and others have also contributed to the rise of Git usage. Even Microsoft has adopted Git, making it an option for those running Team Foundation Server (TFS).

With our recent release of Code Dx we made it super easy to analyze a Git repository for quality and security issues. Here’s how:

Step 1: Create a new project

For this example, we’ll use RailsGoat, a deliberately vulnerable Ruby on Rails application from OWASP. We’ll first create a new project.

Then give the project a name. In this case we’ll use RailsGoat.

Step 2: Configure Git

Now that the project has been created, we need to point it at the Git repository. Click the Git Config button on the Projects page. For RailsGoat, the code is hosted on GitHub, so we can simply use that URL. Code Dx looks for the master branch, which is typically the default; you can switch to another branch here if you’d like.

Code Dx also detects that this is a public repository, so credentials are not needed. If credentials were required, Code Dx would let you enter HTTP or SSH credentials as described in our help.

Clicking OK will start the clone of the repository to the Code Dx server.

Step 3: Start an analysis

Next, click the New Analysis button to run Code Dx’s bundled tools against the source code. Code Dx automatically syncs with the latest version of the repository and gives you the option to specify a branch or tag. For this project, Code Dx detected both Ruby on Rails and JavaScript source code. Many of the bundled tools work on source code; however, currently one tool for Java and three for .NET require bytecode (e.g., class files, JARs, WARs, DLLs). If you would like those tools to run, you can add those files at this point. Since this is just a Ruby on Rails and JavaScript project, we can skip that step.

Step 4: View, triage, and fix the findings

Once the analysis is complete, the results can be triaged and reviewed in the Code Dx web interface or our IDE plugins.

How else can you get source code into Code Dx?

This post describes getting source code from a Git repository into Code Dx and is really geared toward someone who wants to do periodic manual audits. What if you’re not using Git, and instead use something like Subversion, Mercurial, or Team Foundation Version Control (TFVC)? In that case, you can download the source outside of Code Dx, zip it up, and upload the zip file in Step 3. Alternatively, and more useful for a continuous assurance approach, use our Jenkins plugin, our IDE plugins, or our REST API. Let us know if there’s another SCM you’d like to see integrated. We’d love to hear your feedback.
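The “download the source, zip it up, and upload it” path above is easy to get subtly wrong: a zip made from a working copy usually drags along `.git`, `.svn`, or `.hg` metadata (which can include remote URLs and cached credentials), build output and dependency caches that inflate the scan, and nothing that records which revision was actually analyzed. The script below is an added example, not Code Dx’s or the RailsGoat project’s code. It walks a checkout, skips SCM metadata and build directories, writes a reproducible zip (sorted entries, fixed timestamps) so the archive hash can be recorded alongside the analysis, and reads the commit id from `.git/HEAD` directly so it works without a `git` binary and handles both branch and detached checkouts. The sample working copy it builds is constructed for the demo and is not the real RailsGoat tree; the `SKIP_DIRS` list is an assumption you should tune to your project.

```python
"""Build a clean, reproducible source zip for upload to a code-analysis tool.

Added example, not Code Dx code. Skips SCM metadata and build output,
records the git revision, and writes a deterministic archive.
"""
import hashlib
import os
import sys
import tempfile
import zipfile
from pathlib import Path

# Assumed list of directories that are not source: SCM metadata, dependency
# caches and runtime output. Tune for your project.
SKIP_DIRS = {".git", ".svn", ".hg", "$tf", "node_modules", "tmp", "log", "vendor"}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # zip epoch: same input -> same bytes


def git_revision(checkout: Path):
    """Return the checked-out commit id by reading .git/HEAD (no git binary).

    Handles a symbolic HEAD (branch checkout, including packed refs) and a
    detached HEAD. Returns None for non-git working copies (svn, hg, TFVC).
    """
    git_dir = checkout / ".git"
    head = git_dir / "HEAD"
    if not head.is_file():
        return None
    content = head.read_text().strip()
    if not content.startswith("ref: "):
        return content  # detached HEAD holds the raw commit id
    ref_name = content[len("ref: "):]
    loose = git_dir / ref_name
    if loose.is_file():
        return loose.read_text().strip()
    packed = git_dir / "packed-refs"
    if packed.is_file():
        for line in packed.read_text().splitlines():
            parts = line.split()
            if len(parts) == 2 and parts[1] == ref_name:
                return parts[0]
    return None


def source_files(checkout: Path):
    """Return checkout-relative paths of files to upload, in a stable order."""
    found = []
    for root, dirs, files in os.walk(checkout):
        dirs[:] = sorted(d for d in dirs if d not in SKIP_DIRS)  # prune in place
        for name in files:
            found.append(Path(root, name).relative_to(checkout))
    return sorted(found, key=lambda p: p.as_posix())


def build_zip(checkout: Path, dest: Path) -> dict:
    """Write the archive and return what to record next to the analysis run."""
    rel_paths = source_files(checkout)
    with zipfile.ZipFile(dest, "w") as zf:
        for rel in rel_paths:
            info = zipfile.ZipInfo(rel.as_posix(), date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, (checkout / rel).read_bytes())
    return {
        "files": [p.as_posix() for p in rel_paths],
        "sha256": hashlib.sha256(dest.read_bytes()).hexdigest(),
        "revision": git_revision(checkout),
    }


def make_sample_checkout(root: Path) -> None:
    """Constructed sample tree (not real RailsGoat): source plus junk to skip."""
    files = {
        ".git/HEAD": "ref: refs/heads/master\n",
        ".git/refs/heads/master": "0123456789abcdef0123456789abcdef01234567\n",
        ".git/config": '[remote "origin"]\n\turl = git@github.com:example/app.git\n',
        "Gemfile": "source 'https://rubygems.org'\ngem 'rails'\n",
        "app/models/user.rb": "class User < ActiveRecord::Base\nend\n",
        "node_modules/left-pad/index.js": "module.exports = function () {};\n",
        "log/development.log": 'Started GET "/"\n',
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo() -> dict:
    """Zip the sample checkout twice and report contents, hash and revision."""
    with tempfile.TemporaryDirectory() as tmp:
        checkout = Path(tmp) / "railsgoat"
        checkout.mkdir()
        make_sample_checkout(checkout)
        first = build_zip(checkout, Path(tmp) / "first.zip")
        second = build_zip(checkout, Path(tmp) / "second.zip")
        with zipfile.ZipFile(Path(tmp) / "first.zip") as zf:
            names = zf.namelist()
        # Simulate a detached HEAD (e.g. a tag checkout) and re-read it.
        (checkout / ".git" / "HEAD").write_text("89abcdef0123456789abcdef0123456789abcdef\n")
        detached = git_revision(checkout)
    return {**first, "zip_names": names, "detached_revision": detached,
            "reproducible": first["sha256"] == second["sha256"]}


if __name__ == "__main__":
    # Usage: python make_source_zip.py <checkout-dir> <out.zip>
    if len(sys.argv) == 3:
        print(build_zip(Path(sys.argv[1]), Path(sys.argv[2])))
    else:
        print(demo())
```

Record the `sha256` and `revision` values with the analysis you upload; when findings are triaged later, that is what ties them to an exact commit rather than to “whatever was on disk that day.”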