Static Code Analysis Within CI/CD Pipelines


26 students completed the lab in ~36m

Total available time: 1h:0m


Lab Overview

Static analysis tools can perform a variety of checks to improve the quality of your code without needing to execute the code. Examples of checks performed by static analysis tools include the following:

  • Consistent code style
  • Identifying resource leaks
  • Incorrect usage of APIs
  • Security vulnerabilities

You will see how integrating static code analysis into a three-stage AWS CodePipeline CI/CD pipeline can stop vulnerable code before it reaches production: the build stage runs the analyzer, and a failed check fails the build, so the deploy stage never runs. The Lab uses a sample application written in JavaScript and ESLint as the static analysis tool. The process for integrating other static analysis tools into a CI/CD pipeline for projects written in other languages is similar: run the tool in the build stage and make its findings a build failure.

Lab Objectives

Upon completion of this Lab, you will be able to:

  • Understand the benefits of static code analysis
  • Integrate static code analysis into an AWS CodePipeline continuous deployment pipeline
  • Perform static analysis of JavaScript code using ESLint

Lab Prerequisites

You should be familiar with:

  • Basic continuous integration concepts
  • Working at the command line in Linux
  • JavaScript programming experience is beneficial, but not strictly required

Lab Environment

Before completing the Lab instructions, the environment will look as follows:

After completing the Lab instructions, the environment should look similar to:


Logging in to the Amazon Web Services Console

Your first step to start the Lab experience

Opening the AWS Cloud9 IDE

Open the AWS Cloud9 browser-based Integrated Development Environment (IDE)

Inspecting the Sample Application Code

Perform a brief review of the sample application code used in the Lab

Demonstrating the Application's Vulnerability

Demonstrate how to exploit the intentional vulnerability in the application

Preventing the Vulnerability With Static Analysis in the CI/CD Pipeline

Enable ESLint static analysis in the continuous deployment pipeline's build stage to detect the vulnerability

Fixing the Vulnerability Detected By Static Analysis

Modify the source code to fix the vulnerability detected by ESLint in the build stage

Verifying the Application Vulnerability is Fixed

Verify the fixed version of the application passes the build stage and the vulnerability is fixed