From his experience in working as chief technology officer of a startup, Bryan Helmkamp saw a recurring problem and set out to fix it.
“The code would be hard to manage and teams couldn’t ship features in a timely way, which created pressure and ultimately that just made the code worse,” he explained.
One of the solutions to this problem is the practice of static analysis, which, at its most basic, is a review of the code before it is compiled. He created his New York City-based company Code Climate to make static analysis better aligned with developer workflows.
Static analysis, he explained, can provide useful information to developers about how their code is structured, issues that might arise and how it could be better. It provides these insights before the code reaches production.
But “If you run static analysis on your command line, it could generate a high amount of data. If you’re a developer and you get an analysis that says you have 3,426 issues with your code base, you’re going to close that report and move on to something else because you feel like you can’t actually do anything about that,” he said.
“So we set out to close that gap, to bring that analysis in an approachable way into team workflows.” It’s focused on doing so in a way that’s clear, timely and actionable.
Static analysis can take various forms.
They all begin by parsing the source code into an abstract syntax tree or AST, which is just an internal representation of the code as the computer understands it.
You could do something as simple as looking as the size of the source code. The size of a class or a function is highly correlated with how easy that code is to understand and maintain over time. Functions that are hundreds of lines long tend to maintenance hotspots.
Code Climate can draw attention to those areas during the development and code-review process. Static analysis also provides more complicated tasks such as helping to detect potential security vulnerabilities using algorithms to determine how data flows through the system.
“A security vulnerability is usually not on a single line of source code in a single file. It may be that some data is collected from an end user in a file over here, then it’s passed through a few pieces of code, resulting in, say, a call to a database in a different place. Because the user data was used in the database call, that could be a potential SQL injection vulnerability,” he said.
Focused on Workflow
When the company started in 2011, there were few static analysis tools that were easily accessible for cloud environments, he said.
Today, though, there are a number of entrants in the marketplace, including SonarSource, which began in the Java ecosystem and now supports more than 25 languages; and Coverity (recently acquired by Synopsys), which is focused on C, C++, and Java.
The New York startup recently raised a $4.5 million A round, following a $2 million seed round in 2014.
Helmkamp calls workflow integration its biggest differentiator. Code Climate offers hosted and on-prem versions.
“Rather than expecting people to spend all their time in the Code Climate web application, we focused on bringing static analysis and test coverage to where developers are working,” he said.
It recently launched an extension for Chrome that takes static analysis and test coverage information for a team and brings it directly into the GitHub interface, so they don’t even have to click to a separate website. It also connects directly with Bitbucket Server (formerly Atlassian Stash) installations.
It offers an open, extensible platform allowing anyone to write their own engine, a module for a programming language or framework. While that feature has always been open source, its core app was closed source. However, it plans to offer a free community edition for that application shortly.
Code Climate integrates with popular analysis engines such as Brakeman Pro, ApexMetrics, Tailor, ShellCheck and others. Users can receive notifications through Slack, HipChat, or tools and catalog potential improvements in Jira.
It’s all built with Docker containers and distributed as Docker engines.
“We’ve been heavily into the Docker stack for a few years now, and we’ve been very happy with that,” he said. The back end is implemented primarily in Ruby and uses Apache Kafka for microservices to move data around. It uses Replicated for the on-prem version behind a firewall
Helmkamp previously discussed with The New Stack four techniques it uses for deploying production websites.