👨‍💻Static Code Analysis w/JetBrains

Qodana banner

In a recent article I've made I showed how to Integrate Github Actions with SonarQube for static code analysis and now continuing with the fascinating world of code analysis it's time to do the same with one of it's competitors. This time I am going to show you up how to spin up a Docker lab with TeamCity and run some static code analysis with Qodana (JetBrains static code analysis tool) from it, to the same repository we scanned last week which is django-DefectDojo.

Disclaimer:

I'm assuming if you are reading this article you know what Docker is and know a bit of how to use it, case you don't please refer to this page.

---

Why should I scan my code?

Scanning your code with tools like Qodana or SonarQube is crucial for maintaining a secure, high-quality, and efficient software development process. These tools go beyond simple error-checking, offering a comprehensive analysis of your codebase. By addressing issues related to code quality, security vulnerabilities and maintainability, developers can ensure that their applications not only meet industry standards but also perform optimally. Adapting these tools into your continuous integration pipeline enables automated code analysis with every commit, catching potential bugs early and streamlining the development workflow. Ultimately, the insights provided by these scanning tools empower development teams to produce software that is not only robust and secure but also easier to understand and maintain over time.

---

Simple but efficient setup

version: '3'

networks:
  internal-network:
    driver: bridge

services:
  teamcity-server:
    image: jetbrains/teamcity-server
    container_name: teamcity-server
    networks:
      - internal-network
    privileged: true
    ports:
      - "8111:8111"
    user: "0"

  teamcity-agent:
    image: jetbrains/teamcity-agent
    environment:
      - SERVER_URL=http://teamcity-server:8111
      - DOCKER_IN_DOCKER=start
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock #README
      - /opt/buildagent/work:/opt/buildagent/work 
      - /opt/buildagent/temp:/opt/buildagent/temp
      - /opt/buildagent/tools:/opt/buildagent/tools
      - /opt/buildagent/plugins:/opt/buildagent/plugins
      - /opt/buildagent/system:/opt/buildagent/system
    depends_on:
      - teamcity-server
    networks:
      - internal-network
    hostname: teamcity-agent
    container_name: teamcity-agent
    user: "0"

Below we have a docker-compose.yml where you have defined both the resources needed for the teamcity-agent and teamcity-server to be able to run on a Ubuntu Server with docker daemon installed. You just need to copy the code to a local docker-compose.yml file and run from the same folder:

docker compose up -d

Now you should go to your web browser and open the host ip address with port 8111 to start configuring the scans.

If you want to teardown the resources please remember to delete folder in /opt/buildagent and run the following command:

docker compose down # To stop containers
docker compose rm # To remove them

Why on a Ubuntu Server?

That's simply because one of the containers we are spawning for this exercise, the agent, which is the place where our tasks are going to be running, needs to spawn a container from itself to perform a scan, it would try to run Qodana as a docker container itself. That's why we mounting to it the docker daemon from our host (#README).

the three containers running on a scan

If you want to know more please read this article.

There are other ways to add TeamCity agents to the console and if you want to know more about it please read TeamCity docs about it.

Some setup at the beginning...

We can add the project we want to scan from our repository URL, for that you can follow this article. The only thing we need is a token to access in this case GitHub with repo access.

teamcity project setup

Once we have that synced, we can skip the automatic build step detect and manually add one called Qodana:

add qodana step

And inside that step we should set up values, such as the following:

set up codana default values

Please note that we are using a custom linter there, because if you do not have a Qodana cloud license, that's the only way you can scan your code, with the community image.

jetbrains/qodana-python-community:2023.2

As simple as that now we can run a scan to the codebase and see the results as the following:

Compared to the output we got from SonarQube we can tell that the analysis Qodana did was not as depth as Sonar's but yet it showcases the point for some code smells in python as the following:

python duplicated key in dict problem

Same as SonarQube, Qodana gives you the possibility to run scans directly from command line with a simple CLI tool, you can check it out here.

And it also gives you the possibility to open that error in Github (VCS) or even to open your JetBrains IDE if you have JetBrains toolbox installed in your computer so you can go directly and remediate the issues found.

---

Conclusions

By installing that set up you would have a running TeamCity instance and agent running in your local network, which can be more than fun to explore.

I strongly recommend you to see this video from Nana Janashia channel which showcases some of its functionalities more deeply.

Thanks for reaching this far :)