A core tenet of any Operations Team is that you must enable developers to change their code with confidence. For the developer this means they have the flexibility to try new things or to change old, broken code. Unfortunately, however, with every code change comes the risk of breaking production systems, which is something Operations has to manage. A great way to balance these needs is to continuously test new code as close to the point of change as possible by reacting to code commits as they happen.
At &yet the majority of the code that is deployed to production servers is written in NodeJS, so that's the example I'll use. NodeJS uses npm as its package manager, and one aspect of npm is its ability to define scripts that are to be run at various stages of the package's lifetime. To make full use of this feature we need a way to run the defined scripts at the point that a developer is committing code, as that is the best time to do validation and testing of the newly changed code.
Fortunately an npm package exists that will do just that - precommit-hook. It installs the required pre-commit hook into your project's .git metadata such that just before git actually performs the commit, it will run the defined set of scripts or run the lint, validate, and test scripts by default. We can use this to run any check we need, but for now I will describe how to run a script to scan the project's dependencies for any known security vulnerabilities using retire.js.
First we need to add retire.js to the project's package.json and add a reference to it so the pre-commit hook will run it:
```json
{
  "name": "example-app",
  "description": "an example",
  "version": "1.0.0",
  "devDependencies": {
    "retire": "~0.3.2",
    "precommit-hook": "~1.0.7"
  },
  "scripts": {
    "validate": "retire -n -j"
  }
}
```
The precommit-hook will install itself into git and will trigger the running of retire -n -j during the commit process, which will then scan the project for any known vulnerabilities. Another variation on this theme would be to run the validate script during the build/test portion of a Continuous Integration process, but that would take a much longer blog post to describe. Using precommit-hook is a great way to show both it and retire.js in action.
(By the way, for a more in-depth look at what retire.js can do, head on over to the ^Lift Security article on retire.js.)
It is always a good thing when you can enable developers to do their work while also ensuring that the Operations Team can continue on their path. Tools like precommit-hook and retire.js enable both teams to be confident that they are heading in the right direction.