
Alibaba Cloud DevOps:Use the code detection service

Last Updated:Apr 22, 2025

This topic describes how to design a code detection strategy tailored to your business scenario.

Note

Code detection runs on Alibaba Cloud DevOps Flow resources. The number of concurrent runs and the duration of each run depend on those resources. You can run code detection tasks within the allocated resource quota; if usage exceeds the quota, enable pay-as-you-go billing to acquire additional resources. For more information, see Pay-as-you-go rules.

Step 1: Create a detection strategy

  1. Log on to Alibaba Cloud DevOps Codeup. In the left-side navigation pane, choose Code detection > Detection strategies.


  2. Configure a detection strategy.

    Codeup provides built-in detection strategies for reference. You can configure a custom strategy by copying an existing strategy or creating a new one.

    1. Built-in strategies

      Codeup provides built-in detection strategies for reference. You can copy one of them or create a new strategy based on your requirements.

    2. Copy an existing strategy

      Select a recommended detection strategy and copy it.

    3. Create a new detection strategy

Step 2: Adjust the strategy

After you select a detection strategy, you can adjust the existing rules and strategy configurations.

Note

The strategy creator or Codeup organization administrator can edit and delete the strategy. Others can only view and copy the strategy.

  1. Adjust the detection strategy.

    Codeup provides the following built-in detection strategies. This example uses the Java ones.

    • Sensitive information detection

    • Dependency vulnerability detection

    • Source code vulnerability detection

    • Alibaba coding guidelines-based Java code scan

    • Patch recommendation

    • Java security check

    For information about how to add more detection strategies, see the Built-in strategies section of this topic.

    Codeup allows you to change the severity level of each rule. Some rules also take detection parameters, such as a regular expression that restricts the detection scope. You can disable rules that do not apply to your code and re-enable disabled rules later.

    Warning

    The following effects result from disabling a rule:

    • Issues identified by the rule are automatically closed after the next detection.

    • The corresponding rule is not executed when the current detection strategy is applied.


  2. Associate the detection strategy with a detection task.

    You can also create a new detection task that uses the strategy.

  3. All modifications to the detection strategy are recorded in the change history of the strategy for traceability and review.


  4. Adjust the detection strategy settings.

    On the Settings tab of the detection strategy details page, specify the Strategy Name, Strategy Description, and File Whitelist parameters. Then click Save.

    Files on the whitelist are automatically excluded from detection, so no detection is performed on them.


    Important

    When you delete a strategy, make sure that the strategy is not associated with any detection tasks. If it is, first detach the strategy from the detection task, and then delete the strategy to avoid affecting active detection tasks.

Step 3: Associate the detection strategy with a code repository

After you associate a detection strategy with a code repository, a detection task is created. A code repository can have only one detection task, but that task can be run multiple times on different branches.

  1. Log on to Codeup. In the left-side navigation pane, choose Code detection > Detection tasks. On the page that appears, click Create Detection Task.

  2. In the dialog box that appears, specify the parameters.

  3. In addition to manual triggering, a detection task supports two automatic trigger methods: Triggered by Commit and Merge Request Trigger. If you select Triggered by Commit, you must specify the branches to detect; branch names can be matched by regular expression. If you select Merge Request Trigger, whenever a merge request occurs in the repository the task scans the code being merged from the source branch into the destination branch.


Step 4: View the detection results

  • View the detection results based on the detection task.

    On the Detection Tasks page, click the task name you want to manage. On the page that appears, click the Overview tab and view the latest successful full detection results and problem list for the current branch.

    • Overview:

      • Detection results: displays the passed status, number of problems, and quality gate thresholds.

      • Problem overview: displays the number of unresolved and resolved problems.

      • Problem severity distribution: the distribution of critical, warning, and suggestion problems.

      • Problem type distribution: the distribution of security and specification problems.

      • Problem distribution across users: lists the number of problems introduced by different users.

      • Distribution of rules with most critical problems: displays the ranking of rules with the most critical issues.

      • Problem trend: displays the problem trend at each level.


    • Problem list

      The problem list is sorted by severity level and resolution status. On the code detection task details page, click the Problems tab, then click the problem that you want to manage. In the panel that appears, click Ignore to skip a problem that is not of concern; ignored problems are no longer reported on that branch.


    • Running history

      Code detection runs on Alibaba Cloud DevOps Flow. For a detection failure, click View Log in the Actions column to access Flow. Then view the error log to identify and resolve the problem.


      If the latest detection fails, the detection task details page retains the most recent successful results. You can receive a notification about the failure, including when it occurred, with a link to the execution logs so that you can identify and resolve the problem quickly.

  • View the detection results in a code repository commit and a merge request.

    • Commit detection results

      In the commit list and branch view, a commit that has code detection results shows a result card. Click the card to view the details of the problems.

    • Merge request detection results

      When you select the Merge Request Trigger option, you can see the results of the automated detections on the merge request list and in the merge details section.


      After completion, click View Details to see detected problems on the File Changes tab of the current merge request, with direct links to the problem lines in the code.


FAQ

1. How do I set detection as a merge request checkpoint?

Setting code detection as a merge request checkpoint streamlines code review: automated detection quickly identifies coding-standard violations and security vulnerabilities.

In the context of a merge request, in addition to manual reviews, you can set up code detection as a checkpoint before finalizing any changes. If the detection result does not meet the established criteria, no one is allowed to merge the request. This approach helps ensure that only high-quality code can be integrated into the production branch.

Step 1: Set the detection quality gate

First, set the detection quality gate for the commit or merge request that you want to manage.

Click Settings in the upper-right corner of the code detection task details page. In the Task Settings dialog box, click Merge Request Quality Gate. For critical problems, the Quality Gate parameter retains the default value of On. Specify the Warning problems and Suggestions parameters as needed.


Step 2: Set the protected branch rule

Next, click Set Merge Request Checkpoint as shown in the previous figure or click Settings in the left-side navigation pane. If you choose Settings, click Branches and click Create Protected Branch Rule on the Settings page.

In the Create Protected Branch Rule panel, specify the Branch parameter, turn on Automated Status Check Passed Before Merge in the Merge Rule section, and then select the Code Detection Task option.

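The following is an added example, not Codeup's own code, that models the checkpoint described above together with the trigger rules from Step 3 of the main procedure: which branch pushes start a detection run, and whether a merge request into a protected branch may be merged given the quality gate and the latest detection result. The page only states that the critical gate is On by default and that the warning and suggestion parameters are configurable; treating those two as maximum allowed counts, matching the protected branch rule by exact branch name, and the `TriggerConfig`, `QualityGate`, `DetectionResult` and `ProtectedBranchRule` names are assumptions made for this example. The sample configuration and results in the block are constructed.

```python
"""Model of a Codeup-style merge request checkpoint (added example, not Codeup code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TriggerConfig:
    """Trigger settings of a detection task (assumed structure)."""
    commit_branch_patterns: Tuple[str, ...] = ()   # regexes for Triggered by Commit
    merge_request_trigger: bool = False


@dataclass(frozen=True)
class QualityGate:
    """Merge request quality gate.

    Assumed semantics: critical_on blocks the merge on any critical problem
    (the page says this gate is On by default); max_warnings/max_suggestions
    are the largest counts still allowed, None means that level is not gated.
    """
    critical_on: bool = True
    max_warnings: Optional[int] = None
    max_suggestions: Optional[int] = None


@dataclass(frozen=True)
class DetectionResult:
    """Outcome of one detection run on the code being merged."""
    succeeded: bool           # False when the Flow run itself failed
    critical: int = 0
    warning: int = 0
    suggestion: int = 0


@dataclass(frozen=True)
class ProtectedBranchRule:
    """Hypothetical protected branch rule: exact branch name plus the
    'Automated Status Check Passed Before Merge' switch."""
    branch: str
    status_check_required: bool = True


def triggered_by_commit(cfg: TriggerConfig, branch: str) -> bool:
    """A push to `branch` starts a run if a configured regex matches the whole name."""
    return any(re.fullmatch(pattern, branch) for pattern in cfg.commit_branch_patterns)


def gate_violations(gate: QualityGate, result: DetectionResult) -> List[str]:
    """Return the reasons the gate fails; an empty list means it passed."""
    if not result.succeeded:
        # A failed run yields no problem counts, so it cannot prove the code clean.
        return ["detection run failed, no result to evaluate"]
    violations = []
    if gate.critical_on and result.critical > 0:
        violations.append(f"{result.critical} critical problem(s)")
    if gate.max_warnings is not None and result.warning > gate.max_warnings:
        violations.append(f"{result.warning} warnings, at most {gate.max_warnings} allowed")
    if gate.max_suggestions is not None and result.suggestion > gate.max_suggestions:
        violations.append(f"{result.suggestion} suggestions, at most {gate.max_suggestions} allowed")
    return violations


def merge_allowed(rules: List[ProtectedBranchRule], target_branch: str,
                  gate: QualityGate, result: Optional[DetectionResult]) -> Tuple[bool, str]:
    """Decide whether a merge request into `target_branch` may be merged.

    `result` is None when no detection ran for the merge request, for example
    because the detection task was deleted after being set as a checkpoint;
    a protected branch then stays blocked until a new task produces a result.
    """
    rule = next((r for r in rules if r.branch == target_branch), None)
    if rule is None or not rule.status_check_required:
        return True, "no automated status check required on this branch"
    if result is None:
        return False, "no detection result for this merge request"
    violations = gate_violations(gate, result)
    if violations:
        return False, "; ".join(violations)
    return True, "quality gate passed"


if __name__ == "__main__":
    # Constructed sample configuration and results (not real Codeup data).
    trigger = TriggerConfig(commit_branch_patterns=("main", r"release/.*"), merge_request_trigger=True)
    rules = [ProtectedBranchRule("main")]
    gate = QualityGate(critical_on=True, max_warnings=10)

    for branch in ("main", "mainline", "release/1.2", "feature/login"):
        print(f"commit to {branch}: trigger={triggered_by_commit(trigger, branch)}")

    scenarios = {
        "clean": DetectionResult(True, 0, 3, 40),
        "one critical": DetectionResult(True, 1, 0, 0),
        "too many warnings": DetectionResult(True, 0, 11, 0),
        "run failed": DetectionResult(False),
        "task deleted": None,
    }
    for name, result in scenarios.items():
        print(f"MR into main, {name}: {merge_allowed(rules, 'main', gate, result)}")
    print("MR into feature/login:", merge_allowed(rules, "feature/login", gate, None))
```

Two behaviours are worth noting. Branch patterns are matched against the whole name with `re.fullmatch`, so a pattern of `main` does not also trigger on `mainline`; and a failed run or a missing result never counts as a pass on a protected branch, which is the fail-closed behaviour the FAQ describes for deleted tasks.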

How do I delete code detection checkpoints?

If a code detection task has been set as a checkpoint, the checkpoint remains in effect even after the task is manually deleted. This ensures that unverified code is not merged into protected branches.

As a result, checks that come from old or deleted code detection tasks in a merge request become inactive and cannot satisfy the checkpoint. To resolve this, an administrator must create a new code detection task in the repository. The new task automatically replaces the old one and serves as the active checkpoint for merge requests.

2. How do I calculate the resource usage of code detection?

Code detection uses the Flow resources for execution. The number of concurrent executions and runtime depend on the available pipeline resources. When usage remains within the allocated resources, the detection tasks can be carried out normally. If resource limits are exceeded, you can choose to be charged on a pay-as-you-go basis to acquire additional pipeline resources for execution.

Log on to Flow. In the left-side navigation pane, click Resource Usage to view the detailed resource usage for the current month.


3. How do I disable code detection?

On the repository details page, click Settings. In the Task Settings dialog box, click Delete to delete the detection task of the repository. The associated pipeline is automatically removed.
