If you are using Github for your source control tool of choice, but you are not making good use of either Github actions or any of the Github marketplace applications then your code is not as EPIC as it could be, FACT!
Back in the day, setting up a Ci/Cd pipeline could be a daunting task. Trying to get a pipeline to do what you wanted could take forever. If you wanted to automate certain tasks within that workflow it would often be up to you to build that functionality out. In 2022, Github changed the game. There are loads of free integrations that you can quickly install with a click-of-the-button, that will instantly improve your development workflow
Within this tutorial, I will share 6 apps that I think you should enable on all of your projects. Implementing all these tips will take you around 10-15 minutes of time to implement. After installing these applications you will get automatic refactoring, automatic code reviews, automatic security audits, automatic image compression, and more. The best bit, these tools are all free for non-commercial use💰💰💰
If you want to learn how to level up your solutions code quality, read on 🔥🔥🔥
Dependabot
The first tool in this list is called Dependabot and it will help you to level up your security game. Dependabot will automatically monitor your project and if it finds a dependency that has a security vulnerability, it will automatically raise a pull request to patch that package to the latest version.
Let us talk truth here, updating and bumping packages is boring. Dependabot will sit in the background and create pull requests whenever key packages with your project get an update. Out of all the applications listed in this guide, I have personally used Dependabot for the longest. It is free and its created by Github so you know you can trust it. I can not think of a good reason not to enable it!
After you enable Dependabot you may bump into one annoyance, email overload. Dependabot will send you an email whenever it finds an outdated package. Here is an example of the type of email you will receive:
If like me you have hundreds of repositories, getting an email for every single package will fill your inbox up with notifications fast. This is why I recommend you disable notifications. You can do this within the Security section, like this:
After disabling notifications, your life should be less spammy!
Codiga
The next application, Codiga, will add automatic code reviews to your workflow. No matter if you are a junior or senior developer, code reviews have been improved to level up the quality of your codebase. Granted not everyone enjoys the code-review process. Being told your code is shit can not be pleasant at times. Also, if you are working as a lone wolf, how do you get help? To top it off, whenever you are in a rush to ship code, why are all your team members on lunch and you get blocked?!?!?! This is where Codiga comes into play.
Codiga will provide you with automated code reviews and code analysis. One thing I also like about Codiga is that it tries to Gamify the code-review process. Players can win badges and compete using leader boards. Would you not like to prove you write the best code in your team? From my personal experience, anytime you can move a process to a game it goes down way better with a team!
After installing Codiga, you need to enable it to run against one or more of your projects. Once enabled, Codiga will provide you with a dashboard where you can see metrics about your solutions' code quality. You get things like quality score, duplicate code warnings, long and complex function warnings and more:
If you are looking for an automated code review tool, I recommend you give Codiga a chance. It is free to use on public repositories, it has a slick UI and a bunch of cool features!
WakaTime
If you own a FitBit because you like monitoring how many steps you make each day, you will love WakaTime. WakaTime is a developer-focused automatic time tracking app. After you enable WakaTime, you will get a weekly email that will summarise which projects you have worked on and for how long. You will even get a breakdown of the files and programming languages you have used.
WakaTime is not just a Github marketplace app, it also has an integration for VS-Code, Visual Studio and pretty much every other IDE out there. Just to prove I am a WakaTime fan, I mentioned it in 12 Amazing Visual Studio 2022 Extensions That Will Boost Your Productivity and 21 Amazing Visual Studio Code Extensions 2022 Edition.
To allow WakaTime to monitor your GitHub usage, all you need to do is enable the app and then log in with your GitHub account and authorise access. Once registered successfully, you can then log into the dashboard to see real-time metrics about your GitHub usage. As its free, what is not to love!
Imgbot
If you are a web designer, you will understand the importance of performance. No matter how optimal your code might be, a single massive unoptimized image on your page will kill your page load times.
The way to avoid these monster images is to run everything through an image compressor. For example, the images that you see on this page have been run throughFaststone Image Resizer.
One very dull and often overlooked task is making sure that all the images you check into your source-control have been compressed. I can hold my hands up to this violation. I am definitely guilty of forgetting to compress images when I am coding and adding a new image onto a page.
The fix is to automate this process and this is where Imgbot can help save the day. Once enabled, Imgbot will scan your repositories for images. If it finds unoptimized images, it will automatically create a pull request and optimize them. All you need to do is merge the PR and all your repos images will be optimised 💥
CodeQL
So far we have been looking at marketplace applications, it is now time to look at a handy GitHub action. When building an application, it is great to know that the NPM packages that your project references do not contain malicious or hackable code. The same is true for the code that you are writing, how do you know that the code you just wrote is not susceptible to some hack that you are not aware of?
This is where CodeQL comes into play. Once enabled, CodeQL will add a check to your build process. Once triggered, the check will scan your code for known vulnerabilities. If it finds an issue, it will fail the build and then tell you which line has failed and why.
If you are new to GitHub Actions, they get enabled by adding a .yml file into a folder within your solution here:
.github ➡️ workflows
After you enable CodeQL, you should see that a file called codeql-analysis.yml will get created here automatically!
Snyk
Snyk (pronounced sneak) is another security scanning tool similar to CodeQL. Once enabled, Snyk will provide you access to a dashboard where you can review its security analysis of your code. The report will list anything that it thinks could be a vulnerability and needs refactoring.
I have been using Snyk for several years, however, with the release of CodeXL I find it less useful than I used to. I personally prefer having access to the data as to why the build failed within the GitHub UI rather than an external dashboard. The other difference between Snyk and CodeQl is that you will get a weekly summary of all the issues within your codebase:
It is worth noting that you can run Snyk and CodeQL in parallel with no problems. As Snyk is free for public repositories, there is no harm in having both scanners running instead of one! Double bubble baby!
Depfu
The final application that I recommend you check out is called Depfu. Depfu is another dependency scanner that is similar to Dependabot. Once enabled, Depfu will help you to keep your NPM dependencies up-to-date. It will create automatic pull requests to bump your solution. It will then be up to you to decide when to merge those pull requests into your codebase. An example of one of these PRs is shown below:
There is a reason why I have included a second similar application to Dependabot in this list. I have found that Depfu often raises PRs that Dependabot doesn't. Depfu can be run in parallel with Dependabot, so there is no party foul for enabling both at the same time.
Installing all of these extensions will take you less than 20 minutes in total. They will all help you to up your code quality game. Give them a try and let me know what you think, Happy Coding 🤘
