How to add static code analysis with CodeScan to your DevOps pipeline so you can move fast without breaking things.
Today we want to talk about an exciting partnership we are launching with CodeScan - the world’s leading static code analysis platform for the Salesforce ecosystem. Like Blue Canvas, CodeScan is a purpose built DevOps solution that integrates specifically with Salesforce. This means that it has a number of benefits that you won’t get with a more generic solution. With the launch of our new API, it’s now easier than ever to integrate tools like CodeScan with your Blue Canvas pipelines.
Static code analysis has been around for a long time. There are a number of tools out there that you can use, many of which are free and open source like PMD and others which are commercial like Checkmarx. So why use a Salesforce-specific static code analysis tool? For one, CodeScan is an ideal solution for Salesforce teams because it natively supports 100% of Salesorce languages like Apex and Lightning Web Components, and additionally supports Metadata. They focus on these languages exclusively, making them first class citizens on the platform. PMD has an Apex rule set but it isn’t that well maintained.
Another thing that makes CodeScan so popular is that they have a ruleset that has been honed and refined over nearly a decade spent working with the largest Salesforce orgs such as Johnson and Johnson and IBM/Morgan Stanley. These rules are incredibly valuable and it simply would not be possible to build as robust a ruleset on one’s own.
After the SolarWinds hack was announced, DevOps teams are doubling down on discovering and fixing security vulnerabilities. CodeScan allows you to continuously monitor your Salesforce code for vulnerabilities and maintain a high level overview of how secure your application is today. Additionally, CodeScan grades your security against industry’s best practices, according to OWASP, CWE, and SANS standards. With this visibility into your code, you can understand the trend over time - is your code base getting more or less secure?
Adding security scanning with CodeScan into your Blue Canvas DevOps pipelines can reduce the risk of vulnerabilities being introduced into your code base, so you can sleep better at night.
Imagine each developer receiving a security report card automatically whenever they raise a pull request. With the Blue Canvas and CodeScan integration, developers will be blocked from deploying their changes until they get a passing security grade.
In addition to security, CodeScan also helps reduce technical debt. With CodeScan and Blue Canvas you can create quality gates for your deployments that require all new code changes to be scanned and evaluated according to the 350+ rules that CodeScan offers. If the code does not pass the test, then the deployment is blocked and the code returns to development until it is fixed, scanned, and passed. If you’re looking for a long term project, CodeScan can pick up any technical debt in your old code and help you refractor old problems.
Many leaders in fast moving Salesforce environments don’t have a lot of visibility into their code. However, the health of your code base has a strong predictive effect on whether you will meet your goals in a given year. An unhealthy, buggy code base riddled with technical debt will make it very hard for your team to accomplish their objectives. The CodeScan dashboard view has reporting to make it easier for the leaders of Salesforce teams to see how healthy the code base is and in which direction it’s trending. It can help answer important questions like: Are we going to be able to ship this major CPQ initiative on time? Or: Should we hunker down and invest in paying down technical debt this quarter so that we can move faster over the next 4 quarters?
At the end of the day integrating a static code analysis tool into your DevOps pipeline is about keeping velocity high while maintaining quality. The beauty of static code analysis is that unlike functional testing (with say Selenium) you do not have to write and maintain tests - so you can start today. CodeScan has a ruleset ready for you and it can be leveraged to provide truly continuous status reports on the health of your code base. It can also help you proactively manage towards better code quality by introducing quality gates.
How to use Git and Blue Canvas to refresh metadata and compare differences between Salesforce Orgs.
Answering the question: "How long does it take to implement?" can be clarifying.