Linux Format

Build a static analysis development pipeline

As a developer or software engineer, finding enough time to clean up technical debt and fix vulnerabilities is difficult. It generally requires that your project manager understands the risks and why prioritising the clean-up of technical debt matters, thereby ensuring that your workplace isn’t the next company to be lambasted in the media for being the target of a cyberattack (or worse, for leaking clients’ PII in a massive security breach). Project managers as a whole have a hard time weighing the risk of an attack against the benefits of a new feature. The feature is quantifiable, while the risk of getting hacked is not (especially if you don’t have the tooling to realise that you’ve been attacked).

This tutorial covers how you can integrate static analysis into your source-code management to identify, quantify and prevent vulnerabilities in your code while improving general code readability and maintainability. This will give project managers insight into any existing vulnerabilities or technical debt in the code, while simultaneously helping developers and engineers write better code. We’ll be focusing on Python, but there are alternatives to any tooling used for every language. The tutorial will also be using GitLab as the source-code host and CI/CD solution. This keeps things approachable without the cost or complexity of closed-source platforms.

Because this tutorial isn’t about GitLab’s built-in one-click solutions (although these can be a good place to start if you don’t have time
