What is Static Analysis Within CI/CD Pipelines?

Thanks to DevOps practices, enterprise IT is faster and more agile. Automation in the form of automated builds, tests, and releases plays a significant role in achieving those benefits and creates the foundation for Continuous Integration/Continuous Deployment (CI/CD) pipelines. However, is it possible to integrate security into the mix without slowing down the process? One way IT teams can integrate security into the DevOps pipeline is by making sure that released code is safe from the very start. The concept of integrating security as a first-class citizen into a DevOps process is known as DevSecOps, and is a best practice for security-sensitive businesses.

Cloud Academy recently released a new set of DevOps labs highlighting some best practices for automation in CI/CD pipelines. In this post, I’ll show you how you can use static analysis in CI/CD pipelines to improve the quality of your code to reduce issues now and in the future.

What is static analysis?

Static analysis is a method of analyzing code for defects, bugs, or security issues prior to pushing to production. Often referred to as “linters,” static analysis tools remove the unnecessary fluff from your code and perform some automated checks to improve code quality. Static analysis tools can check for:

  • Inconsistencies in code style conventions and standards. It can be as simple as enforcing consistent indentation and variable names or as complex as enforcing compliance with the MISRA or CERT Secure Coding Standards
  • Resource leaks such as a failure to release allocated memory, which can eventually lead to program crashes or failure to close files
  • Incorrect usage of Application Programming Interfaces (APIs)
  • Common security vulnerabilities such as those identified by the Open Web Application Security Project (OWASP) or Common Weakness Enumeration (CWE)

What kinds of static analysis tools are available?

The static analysis tools available can be categorized by the capabilities they support, including:

Programming languages: Tools may support single or multiple languages. If your codebase spans multiple languages, a single tool like Coverity which supports 14 languages including JavaScript, .NET, Java, and Python may be the most thorough option for discovering bugs across languages.

Real-time tools: Instantaneous analysis tools are ideal for checking code in development environments as it’s being written. Here, the tradeoff is speed over more thorough, time-consuming checks. Many of these are open source, which allows for easier adoption and customization.

Deep analysis tools: On the other end of the spectrum, deep analysis tools can take much longer and are likely to identify issues that a real-time tool would miss. Enterprise-grade tools in this area often have hefty licensing fees and they may bring more issues to light than you have the bandwidth to address. Many of these tools may be configured to report only the most important issues,.

Compilers: Although not a dedicated static analysis tool, compilers may also be used to improve the quality of your code. You can use configuration flags to adjust the number of checks they perform.

Integrating Static Analysis within CI/CD

Among the many benefits of using static analysis tools, the one that is most beneficial to organizations is the ability to discover bugs before they are released into the wild (and when they are less costly to fix). Within the DevOps practice of CI/CD, static analysis tools provide additional benefits.

Tools that take a long time to run tend to be ignored during development. Even if static analysis isn’t always a long process, it’s still not the best use of a developer’s time. Integrating analysis tools within CI/CD ensures that they are used consistently and automatically while offering an extra level of analysis to make sure that nothing is able to sneak through.

There are different options for how to integrate static analysis tools in your environment. One approach is to run it early in the pipeline along with other automated tests. At this point, you’ll be able to fix any issues before the peer code review and it speeds up the overall process. In turn, developers spend less time reviewing and have more time to develop new code.

If you have large code bases, running a deep analysis on every commit may take too much time. Instead, you can use a less thorough analysis configuration on development branches and perform more expensive scans on a schedule or when integrating into upstream branches. The goal is to discover bugs as early as practically possible and it’s up to you to choose the system that works best for your team. Tools like Klocwork have fully embraced CI/CD workflows and can incrementally analyze the code changes on each commit.

Higher-end static analysis tools can also track bugs over time. This can help you select which issues to work on in the current release cycle as source code is continuously being integrated. Issues reported in longstanding legacy code that haven’t caused problems are probably not worth the time investment to resolve them in the immediate term. Instead, use precious developer time to focus on more recent issues.

Another practical constraint is the budget available for static analysis. Rather than obtaining a license for each developer, run the analysis tools on a set number of build machines (or a single machine if possible).

You can experience how static analysis works in CI/CD by completing the Static Code Analysis within CI/CD Pipelines lab on Cloud Academy. This new Hands-on Lab uses an AWS-centric continuous deployment pipeline for deploying a Node.js application. The application is initially released to production without performing static analysis. You learn how to perform an injection attack on the deployed application and then use static analysis to identify the security issue. Finally, you integrate static analysis into the AWS CodeBuild build stage in the pipeline to prevent the vulnerable code from being deployed before you implement a fix. Here is the final environment:

Cloud9 EC2 Environment

Static Analysis of Infrastructure as Code within CI/CD

Infrastructure as code (IaC) offers many benefits to developers including no configuration drift, easily reproducible environments, and simplified collaboration with version control. Did you know that static analysis can also be used to enforce code standards and identify security vulnerabilities for your infrastructure? By using static analysis for infrastructure code, you automate the process and receive earlier feedback compared to infrastructure tests that require actually deploying the infrastructure, a potentially time-consuming operation.

There is usually some form of static analysis built in to most any IaC framework that you may be using. There may be commands to check syntax, ensure that valid parameter values are used, and automatically style the code. You may also be able to perform dry-run deployments to inspect what changes would take place in the environment or to detect errors before actually deploying any infrastructure changes.

You could complement these commands with your own custom analysis code to check for anything you care to verify, such as ensuring certain ports are not open to the public internet. Fortunately, there are usually open source static analysis tools that already provide common checks. For example, cfn_nag can be used to check for security issues in AWS CloudFormation templates, the native IaC framework for AWS. Other examples of cfn_nag checks include:

  • Ensuring IAM policies are not overly permissive
  • Ensuring encryption is enabled on services that provide it
  • Ensuring security groups are not overly permissive

If an open-source IaC static analysis tool doesn’t offer a check that you want, it may be easier to add it to the existing code base than starting from scratch.

You can experience first-hand how to instrument IaC static analysis within a CI/CD pipeline in Cloud Academy’s Hands-on Lab: Static Analysis and Alerting for Infrastructure as Code. The lab uses Terraform as the IaC framework and Jenkins for its continuous integration pipeline. You will learn about the built-in static analysis capabilities in Terraform as well as two open-source static analysis tools that improve on Terraform’s native capabilities. New infrastructure code is continuously integrated by pushing to a Git repository. You will also learn how to configure Amazon SNS notifications based on the results of the static analysis. This is the final environment for the lab:


Cloud9 EC2 Environment - Final lab environment

Complementing Static Analysis

While static analysis tools are continuously improving, they are not a panacea for all of your code quality and security needs. Instead, think of them as one part of a more comprehensive solution for improving the quality and security of your application and infrastructure code. Occasionally you will still need to employ traditional application unit and integration tests, or even tests for your infrastructure frameworks. You’ll be able to test the Serverspec infrastructure testing framework for yourself in our Hands-on Lab, Infrastructure Testing with Serverspec.Infrastructure Testing with Serverspec
Security is another important category of automated testing frameworks. Learn how to Protect Your Code Against Attacks with Gauntlt in this Hands-on Lab. With Gauntlt, you can write automated tests for several popular security analysis tools, and it can easily be extended to others.
With Gauntlt you can write automated tests for several popular security analysis tools
Ensuring secure applications is an important aspect of security. Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protocols is the standard for securing communications on the web. Learn about Best Practices for Deploying SSL/TLS and tools for testing SSL/TLS deployments in this Cloud Academy lab.

Open SSL

 

Avatar

Written by

Logan Rakai

Logan has been involved in software development and research for over ten years, including four years in the cloud. At Cloud Academy, he is adding to the library of hands-on labs.


Related Posts

Alisha Reyes
Alisha Reyes
— August 5, 2020

New Content: Alibaba, Azure AZ-303 and AZ-304, Site Reliability Engineering (SRE) Foundation, Python 3 Programming, 16 Hands-on Labs, and Much More

This month our Content Team did an amazing job at publishing and updating a ton of new content. Not only did our experts release the brand new AZ-303 and AZ-304 Certification Learning Paths, but they also created 16 new hands-on labs — and so much more! New content on Cloud Academy At...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Alisha Reyes
Alisha Reyes
— July 2, 2020

New Content: AWS, Azure, Typescript, Java, Docker, 13 New Labs, and Much More

This month, our Content Team released a whopping 13 new labs in real cloud environments! If you haven't tried out our labs, you might not understand why we think that number is so impressive. Our labs are not “simulated” experiences — they are real cloud environments using accounts on A...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Alisha Reyes
Alisha Reyes
— June 11, 2020

New Content: AZ-500 and AZ-400 Updates, 3 Google Professional Exam Preps, Practical ML Learning Path, C# Programming, and More

This month, our Content Team released tons of new content and labs in real cloud environments. Not only that, but we introduced our very first highly interactive "Office Hours" webinar. This webinar, Acing the AWS Solutions Architect Associate Certification, started with a quick overvie...

Read more
  • AWS
  • Azure
  • DevOps
  • Google Cloud Platform
  • Machine Learning
  • programming
Luca Casartelli
Luca Casartelli
— June 1, 2020

DevOps: Why Is It Important to Decouple Deployment From Release?

Deployment and release In enterprise organizations, releases are the final step of a long process that, historically, could take months — or even worse — years. Small companies and startups aren’t immune to this. Minimum viable product (MVP) over MVP and fast iterations could lead to t...

Read more
  • decoupling
  • Deployment
  • DevOps
  • engineering
  • Release
Luca Casartelli
Luca Casartelli
— May 14, 2020

DevOps Principles: My Journey as a Software Engineer

I spent the last month reading The DevOps Handbook, a great book regarding DevOps principles, and how tech organizations evolved and succeeded in applying them. As a software engineer, you may think that DevOps is a bunch of people that deploy your code on production, and who are alw...

Read more
  • DevOps
  • DevOps principles
Michael Dehoyos
Michael Dehoyos
— May 13, 2020

Linux and DevOps: The Most Suitable Distribution

Modern Linux and DevOps have much in common from a philosophy perspective. Both are focused on functionality, scalability, as well as on the constant possibility of growth and improvement. While Windows may still be the most widely used operating system, and by extension the most common...

Read more
  • DevOps
  • Linux
Avatar
Logan Rakai
— April 7, 2020

How to Effectively Use Azure DevOps

Azure DevOps is a suite of services that collaborate on software development following DevOps principles. The services in Azure DevOps are: Azure Repos for hosting Git repositories for source control of your code Azure Boards for planning and tracking your work using proven agil...

Read more
  • Azure
  • DevOps
Simran Arora
Simran Arora
— October 29, 2019

Docker vs. Virtual Machines: Differences You Should Know

What are the differences between Docker and virtual machines? In this article, we'll compare the differences and provide our insights to help you decide between the two. Before we get started discussing Docker vs. Virtual Machines comparisons, let us first explain the basics.  What is ...

Read more
  • Containers
  • DevOps
  • Docker
  • virtual machines
Avatar
Adam Hawkins
— October 24, 2019

DevOps: From Continuous Delivery to Continuous Experimentation

Imagine this scenario. Your team built a continuous delivery pipeline. Team members deploy multiple times a day. Telemetry warns the team about production issues before they become outages. Automated tests ensure known regressions don't enter production. Team velocity is consistent and ...

Read more
  • continuous delivery
  • continuous experimentation
  • DevOps
Avatar
Adam Hawkins
— September 13, 2019

How Google, HP, and Etsy Succeed with DevOps

DevOps is currently well developed, and there are many examples of companies adopting it to improve their existing practices and explore new frontiers. In this article, we'll take a look at case studies and use cases from Google, HP, and Etsy. These companies are having success with Dev...

Read more
  • Continuous Learning
  • DevOps
  • Velocity
Chris Gambino
Chris Gambino
— August 28, 2019

How to Accelerate Development in the Cloud

Understanding how to accelerate development in the cloud can prevent typical challenges that developers face in a traditional enterprise. While there are many benefits to switching to a cloud-first model, the most immediate one is accelerated development and testing. The road blocks tha...

Read more
  • deploy
  • deployment acceleration
  • development
  • DevOps
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security