When a team uses DeepSource to manage its code quality and security, several important metrics related to the code health of the team are recorded implicitly in the product over time. Insights from these metrics are valuable for the team to understand how their code health is evolving and how to take action to improve the areas that require attention.
Several teams also use DeepSource to make sure their source code is secure and doesn’t have common security vulnerabilities. In this use case, DeepSource becomes part of their security compliance practice, and security-related reporting becomes a part of their compliance reporting.
Early in 2022, we built a robust way to report and visualize these insights in DeepSource that would enable teams to understand their code health better and take concrete actions to improve.
https://youtu.be/BRmtz4AEEPw?si=C6_Ekf1UC3YGJhDA
<aside> 🚧 Read the announcement blog post for Reports here ↗️ </aside>
DeepSource captures two first-order objects for a repository: issues in the code and metrics about the code. Several second-order insights can be derived from qualitative and quantitative analysis of these objects, giving users a higher-level view of their code health. For instance, counting the number of security issues in a repository (quantitative analysis) lets a team see where to focus its efforts to improve security. Similarly, showing whether any hard-coded credentials are exposed in the code (qualitative analysis) helps them understand what kind of threats their code is exposed to.
A report is a second-order derivative based on a qualitative or a quantitative measure of a first-order object.
Each report contains the following data points:
<aside> 🚧 Note: The video you see above 👆 pertains to the initial release of reports in mid-2022. The screenshots of reports you’ll find below come from a polishing sprint we embarked on in mid-2023. </aside>
To start, we added two security reports, corresponding to the codebase’s conformance with standards like OWASP Top 10 and CWE/SANS Top 25. Later, we also plugged in the report for conformance with the MISRA C standard.
Most reports are available both at the repository level and at the organization/team level. In team-level reports, we also show which repositories contain the issues that cause the codebase to fail the conformance checks.