Run code quality and security audit report with one command
If you can’t measure it, you can’t improve it.
```shell
gem install code_quality
```
Or add this line to your application's Gemfile:
```ruby
group :development do
  gem 'code_quality'
end
```
And then execute:
To generate security audit and code quality report:
or run it as a rake task:
```shell
rake code_quality
```
which will output a report like:
```markdown
# Code Quality Report

Generated by code_quality (v0.1.3) @ 2018-01-12 16:32:20 +0800

## bundler audit - checks for vulnerable versions of gems in Gemfile.lock

......
```
Two major audit tasks
There are 2 types of audit tasks: security_audit and quality_audit; each sub task can be run separately.
- `code_quality security_audit` to get the security audit report
- `code_quality quality_audit` to get the code quality report
Run `code_quality -T` to display all tasks.
Report result using Markdown format
You can write the report to a file:
```shell
code_quality > code_quality_report.md
```
then open it with a Markdown editor.
```shell
# run security audit tasks
code_quality security_audit
```
Options for security_audit:
```shell
# e.g.: code_quality security_audit bundler_audit_options="--ignore CVE-2015-9284"
# options:
# bundler_audit_options: pass extra options, e.g.: bundler_audit_options="--ignore CVE-2015-9284 --verbose"
```
work with CI
We recommend setting up this task as part of a CI pipeline, for example by adding a job to the "test" stage in Gitlab-CI:
```yaml
# .gitlab-ci.yml
code_security_audit:
  stage: test
  script:
    - gem install code_quality
    - code_quality security_audit
```
Gitlab-CI pipeline example:
Then Gitlab sends a notification with the failure info, for example:
[Tips] Code analyzers are your friends for writing secure code, since they're diligent and they don't get tired, thirsty, hungry, or bored.
Each sub task can be run separately
```shell
# bundler audit - checks for vulnerable versions of gems in Gemfile.lock
code_quality security_audit:bundler_audit
# with bundler_audit cli options
code_quality security_audit:bundler_audit bundler_audit_options="--ignore CVE-2020-5267 CVE-2020-10663"
```
```shell
# brakeman audit - checks Ruby on Rails applications for security vulnerabilities
code_quality security_audit:brakeman
# with brakeman cli options
code_quality security_audit:brakeman brakeman_options="--skip-files app/views/"
```
```shell
# show helpful URLs
code_quality security_audit:resources
```
Code Quality Audit
Based on these Ruby code analysis gems, you can choose the ones that suit your project:
- use rubycritic, which wraps static analysis gems such as Reek, Flay and Flog, to get a quality report and an evaluated score for your Ruby code.
- use rubocop to audit coding style and get refactoring suggestions.
- use metric_fu to get many kinds of code metrics from Flog, Flay, Saikuro, Churn, Reek, Roodi, Code Statistics, and Rails Best Practices (and optionally RCov).

- `code_quality quality_audit:rubycritic` to get an evaluated score and code smells
- `code_quality quality_audit:rubocop` to audit coding style and get refactoring suggestions
- `code_quality quality_audit:metric_fu` to get many kinds of code metrics, including Rails best practice suggestions; recommended for Rails projects
```shell
# run all code quality audit tasks
code_quality quality_audit
```
[Tips] You don't have to run all audit tasks: some code metrics are computed by both rubycritic and metric_fu. Choose the tasks based on your needs; more tasks mean a longer running time, unless you don't mind the time cost.
Run audit task with audit value option
An audit task returns a non-zero exit status and shows the failure reason when it is passed an audit value option and the result in the report does not meet that value, for example:
```shell
# audit with lowest_score option
code_quality quality_audit:rubycritic lowest_score=94.5
```
Each audit task accepts different audit value options
Options for rubocop:
```shell
# e.g.: code_quality quality_audit:rubocop rubocop_max_offenses=100
# options:
# config_formula: use which formula for config, supports "github", "rails" or path_to_your_local_config.yml, default is "github"
# cli_options: pass extra options, e.g.: cli_options="--show-cops"
# rubocop_max_offenses: if rubocop_max_offenses is configured then audit it against the number of detected offenses in the report, e.g.: rubocop_max_offenses=100
```
Options for metric_fu:
```shell
# e.g.: code_quality quality_audit:metric_fu metrics=stats,rails_best_practices,roodi rails_best_practices_max_offenses=9 roodi_max_offenses=10
# options:
# metrics: defaults to running all metrics, can be configured as: cane,churn,flay,flog,hotspots,rails_best_practices,rcov,reek,roodi,saikuro,stats
# flay_max_offenses: offenses number for audit
# cane_max_offenses: offenses number for audit
# rails_best_practices_max_offenses: offenses number for audit
# reek_max_offenses: offenses number for audit
# roodi_max_offenses: offenses number for audit
```
Options can be joined together:
```shell
# run all at once
code_quality quality_audit lowest_score=90 rubocop_max_offenses=100 metrics=stats,rails_best_practices,roodi rails_best_practices_max_offenses=10 roodi_max_offenses=10
```
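The exit-status rule behind the audit value options above, as an added Ruby illustration that is not code_quality's own implementation: it parses `key=value` arguments the way the CLI options are written, then checks a `lowest_score` threshold against a score and each `*_max_offenses` threshold against an offense count, collecting the failure reasons a CI job would print before exiting non-zero. The option names come from this README; the parsing helper, the results hash layout (`score`, `rails_best_practices`, `roodi`) and every sample number are assumptions constructed for the example.

```ruby
# Added example, not code_quality's own code: models how an audit value
# option (lowest_score, *_max_offenses) turns a report result into an exit
# status. Option names follow the README; parsing rules, the results hash
# layout and all sample numbers are assumptions made for this illustration.

# Parse CLI-style "key=value" arguments into a hash of symbol => string,
# e.g. ["lowest_score=90", "roodi_max_offenses=10"].
def parse_audit_options(argv)
  argv.each_with_object({}) do |arg, opts|
    key, value = arg.split("=", 2)
    next if value.nil? || value.empty? # ignore bare words and empty values
    opts[key.to_sym] = value
  end
end

# Map an audit value option to the report result it constrains (assumed layout):
# lowest_score -> :score, roodi_max_offenses -> :roodi. Returns nil for
# options that carry no threshold (e.g. metrics=...).
def result_key_for(option)
  name = option.to_s
  return :score if name == "lowest_score"
  return name.delete_suffix("_max_offenses").to_sym if name.end_with?("_max_offenses")
  nil
end

# Compare one result against one threshold. Returns [passed, reason]:
# lowest_score fails when the score is below it, *_max_offenses fails when
# the offense count exceeds it.
def audit_result(option, threshold, result)
  if option.to_s == "lowest_score"
    passed = result.to_f >= threshold.to_f
    [passed, passed ? nil : "score #{result} is lower than lowest_score=#{threshold}"]
  else
    passed = result.to_i <= threshold.to_i
    [passed, passed ? nil : "#{option}=#{threshold} exceeded: #{result} offenses found"]
  end
end

# Evaluate every threshold option in opts against the results hash and
# return [exit_status, failure_reasons]; a CI job exits non-zero on 1.
def audit_exit_status(opts, results)
  failures = opts.each_with_object([]) do |(option, threshold), acc|
    key = result_key_for(option)
    next if key.nil? || !results.key?(key) # no threshold, or metric not in this report
    passed, reason = audit_result(option, threshold, results[key])
    acc << reason unless passed
  end
  [failures.empty? ? 0 : 1, failures]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample run: the README's combined CI thresholds against made-up results.
  opts = parse_audit_options(%w[lowest_score=93 rails_best_practices_max_offenses=10 roodi_max_offenses=10])
  results = { score: 91.4, rails_best_practices: 7, roodi: 12 } # constructed, not a real report
  status, failures = audit_exit_status(opts, results)
  failures.each { |reason| warn "[FAIL] #{reason}" }
  puts(status.zero? ? "audit passed" : "audit failed (exit status #{status})")
end
```

A wrapper that calls `exit status` at the end is what makes a pipeline stage fail; the sample above only prints so it can be read alongside the test. Note that a threshold whose metric is absent from the results (for example `rubocop_max_offenses` when only metric_fu ran) is skipped rather than treated as a failure, so thresholds and the `metrics=` list should be kept consistent.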
work with CI
Configure audit value options that match your own Ruby/Rails project, for example:
```yaml
# .gitlab-ci.yml
code_quality_audit:
  stage: test
  script:
    - gem install code_quality
    - code_quality quality_audit lowest_score=93 rails_best_practices_max_offenses=10
```
[Tips] Don't rely on your own diligence; letting CI do the boring, repetitive, time-consuming jobs makes programming more enjoyable.
code quality audit task report
The code quality audit task report will be saved to `tmp/code_quality/quality_audit/` and will automatically open in a web browser.
rubycritic report example:
rubocop report example:
metric_fu report example:
metric_fu analyzed file report example:
After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to rubygems.org.
Bug reports and pull requests are welcome on GitHub at https://github.com/rainchen/code_quality.
The gem is available as open source under the terms of the MIT License.