Thoughts on technology and innovation
Ted Husted, Release Engineer
As the maker of two managed packages, we have a vested interest in developing the very best code we can. According to The Economics of Software Quality (Capers Jones and Olivier Bonsignour), the most effective software quality assurance tools are (1) static program analysis and (2) peer review.
Peer review we cover during BitBucket pull requests and, periodically, with formal code inspections. For static analysis, we use CodeScan.
How do you rate?
CodeScan plugs into the truly excellent and free SonarQube server. The plugin applies a set of quality rules to the code. When a rule is broken, SonarQube creates an issue that can be assigned and resolved (or marked "Won't Fix"). Through the SonarQube user interface, developers can drill down and see each issue in the context of our source code. From the size of our code base and the number and severity of the issues found, SonarQube estimates our technical debt and generates an overall quality score.
With CodeScan and a BitBucket plugin (also available for GitHub), we are able to scan each new pull request as it comes down the pipeline. In this way, we can focus first on the new code that we write, and ultimately circle back to issues in the pre-existing code.
But, wait, there's more
In addition to conventional scanning, CodeScan also offers a more Salesforce-y approach. The plugin can pull the source directly from the org for analysis, so you don't have to have Git in play. You can also analyze the code, run Apex tests, and commit the changes to Git all at once.
You do need to stand up your own SonarQube server to use CodeScan (for the time being). If you are used to doing everything in the cloud, this task might be an impediment.
If you have any questions about CodeScan, or Salesforce DevOps, feel free to ping me in the DreamOps Success Group.
Ted Husted is a Kaizen Squad developer on the Nimble AMS product crew. "We make the good changes that create a great product."