Source Code Quality

We take code quality very seriously. We set our standards well above the "good enough" level in order to deliver a very high quality product.

CI/CD

We have implemented a CI/CD (Continuous Integration / Continuous Delivery) pipeline based on Jenkins (https://www.jenkins.io/) in which version control, build, tests and deployment are mainly automated.

Pair Programming & Code Reviews

Each line of our code is often produced not by one but by two engineers, ensuring that design decisions are always subject to debate and approval.

We reinforce this by protecting our master branches and ensuring that every new piece of code is reviewed by at least one other member of the team in a Pull Request. These discussions are logged for documentation and for training new members.

During these code reviews, we pay particular attention to basic concerns that every developer should know, such as the OWASP Top 10 security risks.

Testing Policy

Unit and integration tests are systematically carried out on all code that is produced.

Each push of new code is tested against our test suite in a fresh Docker container.

Merging development branches into our main branch is not allowed if the tests fail.

Automated tests are performed each night.

Deploy

If the automated tests are green, we deploy to nightly instances.

Security Dependencies Policy

With each monthly release we update our dependencies in order to integrate their latest security patches.

We use GitHub and pyup.io to track and report vulnerabilities in our code dependencies.

Both services track public vulnerabilities listed on MITRE’s Common Vulnerabilities and Exposures (CVE) site.

When they are notified of a newly announced vulnerability, a security alert is sent to us with the details (which component is affected, how to correct it…).

For each alert we receive, a bug ticket is created in our backlog and assigned a high priority.