CodeScan integration with AutoRABIT

AutoRABIT , an automated Release Management solution built for the Salesforce platform, delivers fast CI/CD solutions for DevOps teams.

This helps us to offer essential solutions to the Salesforce DevOps ecosystem. AutoRABIT’s release management solution partnered with our CodeScan automated code review and standardization enables developers on the Salesforce platform to deliver new customer experiences with better quality, greater velocity, and increased security.

To integrate all the functionalities included in your CodeScan account with AutoRABIT, you need to integrate CodeScan as a plugin with your AutoRABIT account which involves a few steps in your CodeScan as well as AutoRabit account.

Below are the instructions on how to integrate AutoRABIT with CodeScan.

Create a CodeScan Token

Note: Click here to see the documentation on how to create a token.

Copy the token. This token will be used while storing your credential with AutoRABIT.

Store your CodeScan's credential in AutoRABIT

• Login into your AutoRABIT account.
• Go to the Admin module and click on Credentials as pointed in the image below.

• Next, click on Create Credential from the right navigation bar.

• On the next pop up screen, give a Credential name.
• Choose the Credential Type as ' User name with Password '.
• Choose your Credential Scope
  • Global: Credential can be accessed within the team
  • Private: Credential for private usage
• Enter your CodeScan account's username. For password, use the copied token as mentioned in Step1: Create a CodeScan Token
• Please double check that you use your CodeScan username instead of the email address that you use to log in to CodeScan.
• Click Save.

Integrate AutoRABIT with CodeScan

• Go to Admin > My Account section.
• Go to the Plugins section.
• Check the CodeScan/Lint checkbox under Static Code Analysis.

• Fill in the below details:
  • Enter the CodeScan hosted URL.
  •  For CodeScan cloud version use https://app.codescan.io .
  • Choose the Host Type i.e., Cloud or On-premise . For CodeScan hosted on Cloud, you need to add the Organization Key.

• Select your Credential from the drop-down.
• Click Test Connection to check if the connection has been authenticated or not. A success message is displayed, after the authentication is completed.
• Click Save.

• Click on Save once again and you are all set with CodeScan integration.

Setting CodeScan Global Criteria Settings

• Go to Admin > My Account section.
• Next, navigate to the Validation Criteria-Static Code Analysis section.
• Select the Enable checkbox.
• Enable the CodeScan checkbox and assign the Quality Gate status for all your projects. By default, it is set to ERROR , however, you can choose the criteria of your own. If the Quality Gate matches with the status assigned to the projects on your CodeScan tool, the validation process gets failed and the build aborts.

• Click Save.
• Next, go to the next section i.e., Commit Validation - Approval Settings. In this section, you can allow CodeScan tools to identify potential software quality issues before the code moves to production and abort the commit process if the Quality Gate set earlier matches with the status in CodeScan application.
• Select the checkbox: Enable criteria based Review Process.
• Enable the Should pass validation criteria for Static Code Analysis checkbox, select the below checkboxes:
  • CodeScan
  • Auto reject commit process if the criteria are not met.

• Click Save.
• Similar to CodeScan criteria globally configured in AutoRABIT for Commit operation, you can even set the same for Merge Process.
• Go to next section: Merge Settings
• Select the “Enable criteria based Review Process” checkbox.
• Under Should pass validation criteria for Static Code Analysis, select the “CodeScan” checkbox.

• Now, click on Save.

Running CodeScan SCA in AutoRABIT

After integrating AutoRABIT with CodeScan plugin, select CodeScan as Static Code Analysis tool to detect bugs, code smells and security vulnerabilities before the code moves to the production on AutoRABIT.

During Deployment Process

• On the Deployment Settings screen, choose CodeScan/Lint as a SCA tool.

• AutoRABIT has a provision for you to freeze or stop the deployment if the build doesn't meet the global criteria set under My Account > Validation Criteria-Static Code Analysis settings .
• Select the recipients for the SCA alerts. To do so, enter the recipient's email address who all be notified about the alert in SCA Mail Notification field.

• Once the deployment is done, you can find the detailed SCA Report for the deployment process under Deployment History.

During Merge Process:

While merging Salesforce records between two Version Control branches, you can allow CodeScan to check for any bugs, code smells and security vulnerabilities.

• In the New Merge screen, go to the Prevalidate Merge section.
• Select CodeScan/Lint as a SCA tool.
• To run CodeScan on all of the Apex Classes, Triggers, Apex Pages & AuraDefinitionBundles, select the checkbox highlighted in the red box below.

• Proceed ahead with the Merge process.
• Find the detailed SCA Report under Commits screen.

During Commit Process:

While performing a validation deployment before actually committing the changes, you
can allow CodeScan to check for any bugs, code smells and security vulnerabilities.

• In the Submit for Validation screen, go to the Validation Reports section.
• Select CodeScan/Lint as a SCA tool.
  

• Here, you will have provision to set the condition for running CodeScan SCA tool, i.e, running for all the Apex Classes, Triggers, Apex Pages & AuraDefinitionBundles components or stating the time period from where it will run.

• Proceed ahead with the Prevalidate Commit process.
• Find the detailed SCA Report under Commits screen.

During CI Job:

While carrying out the CI Job process, you can configure CodeScan to check for any bugs, code smells and security vulnerabilities.

• In the Create CI Job screen, search for the Run Code Analysis Report checkbox under the Build section.
• Enable the checkbox: Run Code Analysis Report.
• Select CodeScan/Lint as a SCA tool.

• Here, you will have provision to set the condition for running CodeScan SCA tool, i.e, running for all the Apex Classes, Triggers, Apex Pages & AuraDefinitionBundles components or from the full source or stating the time period from where it will run.
• Also, you can set the priority, which means if the priority set is not achieved, the current build is unstable.

• Find the detailed SCA report in CI Job Results screen under Build Details section.
  

CodeScan SCA Results

During the implementation phase of a Security Development Lifecycle (SDL), Static Code Analysis is usually performed as part of a Code Review.

● CodeScan being a Static Analysis tool continuously detects and reports on data flow problems, software defects, language implementation errors, inconsistencies, dangerous usage, coding standard violations, and security vulnerabilities.

● AutoRABIT generates a detailed SCA Result report and the Lint runs by default every time you run a static code analysis. Lint analyzes source code to flag programming errors, bugs, stylistic errors, and suspicious constructs.

● Lint Report will only display information about AuraBundle components.

These reports will have information about the files that were reviewed and its related violations.

Click on each file to view its related violations that will appear at the bottom right side of the page.

If you click on any violation, it will take you to the respective line (in the black screen on the right side) where such violation occurred.

Click on the link at the bottom of the page as in the image below which will redirect you to CodeScan Analysis Dashboard page to compare the SCA report in your CodeScan account.