jacoco-badge-generator VS snyk

jacoco-badge-generator - Coverage badges, and pull request coverage checks, from JaCoCo reports in GitHub Actions

I just released jacoco-badge-generator 2.10.0, which can be run as a GitHub Action or as a command-line utility as part of CI/CD workflows for Java projects, as well as for projects in other JVM languages such as Kotlin, to parse JaCoCo test coverage reports, generate instructions coverage and branches coverage badges for project READMEs, serve as pull-request checks (e.g., validate minimum coverage thresholds), among other functionality.

I just release version v2.9.0, which enhanced the existing functionality associated with using the jacoco-badge-generator GitHub Action with multi-module projects. Specifically, prior to this release, for a multi-module project, the paths to all of the JaCoCo csv reports had to be listed in the inputs to the action. Now, as of v2.9.0, you can use a glob pattern to specify the paths to the JaCoCo csv reports. This can actually now also work for the more common single module project, but the glob functionality is likely most useful in the multi-module case. Note that the CLI mode already implicitly supported globs since your shell will expand any globs you specify on the command line. But as a GitHub Action this previously was not the case as GitHub Actions doesn't expand globs in the inputs to an Action. The jacoco-badge-generator v2.9.0 now handles glob expansion internally.

Vincent Cicirello - Open source GitHub Actions for workflow automation

I maintain several GitHub Actions implemented in Python as container actions. One of these, jacoco-badge-generator, produces coverage badges from JaCoCo test coverage reports. Additionally, it outputs the test coverage percentages to the workflow job summary. This example is based upon the approach I use in jacoco-badge-generator.

Check out all of our GitHub Actions: https://actions.cicirello.org/

I maintain several GitHub Actions, all of which are implemented in Python as container actions. This post explains how to test a GitHub Action using a GitHub Actions workflow, including using the workflow as a required check on Pull Requests. Although some of this post is specific to testing an action that is implemented in Python, much of the post is more generally applicable to testing actions regardless of implementation language.

The jacoco-badge-generator generates badges, but does not commit them. In this step, I just use a simple shell script to commit and push the badges. This step is conditional and runs only if the event that started the workflow is not a pull request (see the if: ${{ github.event_name != 'pull_request' }}). In other words, it runs on push and workflow_dispatch events. The coverage badges should be consistent with the state of the default branch, so committing badges that correspond to the coverage of a pull request that may or may not be merged doesn't make sense. If it is merged, the push event will then cause the workflow to run again, at which point the coverage badges will be committed. This step begins by changing the current directory to the directory where the badges branch was checked out. And it commits and pushes only if an svg or json file changed. The badges are SVGs, and recall the earlier step where I configured the jacoco-badge-generator to additionally generate a simple JSON file containing the coverage percentages.

There are two primary ways of implementing a GitHub Action: JavaScript Actions and Container Actions. The latter of which enables implementing Actions in any language via a Docker container. My language of choice for implementing GitHub Actions is Python. The purpose of most of these actions is to produce files (e.g., jacoco-badge-generator produces test coverage badges as SVGs, and generate-sitemap produces an XML sitemap) or to edit files in some way (e.g., javadoc-cleanup can insert canonical links and other user-defined elements into the head of javadoc pages). However, all of these also produce workflow step outputs. For example, generate-sitemap has outputs for the number of pages in the sitemap, and the number of pages excluded from the sitemap due to noindex or robots.txt exclusions; and jacoco-badge-generator has workflow step outputs for the coverage and branches coverage percentages if a user had some reason to use those in later steps of their workflow.

Vincent Cicirello - Open source GitHub Actions for workflow automation

Snyk CLI was introduced to the World Wide Web and security enthusiasts on October 2, 2015, as v0.0.0-pre-alpha release. In the past eight years, we released Snyk CLI nearly two thousand times — and more than eleven hundred of those releases happened in the last three years. That’s one release every thirty-two hours, signifying our customers’ growing needs as well as the pace at which we operate to meet those needs at an enterprise scale. With increasing demand, the complexity, reach, and impact of our fast-paced code changes increased, too.

There are a number of ways that you can install the Snyk CLI on your machine, ranging from using the available stand-alone executables to using package managers such as Homebrew for macOS and Scoop for Windows.

There's tons of tools to solve each of these problems Snyk for vulnerability scanning, tons of license checker plugins (like we use license-webpack-plugin which generates the license text for everything we distribute and fails a build if a license doesn't have one of our allowlisted licenses.

oh, such companies already exist: For example Snyk

Snyk provides security score and vulnerability count badges, which you can link to the relevant pages, as in these examples:

If you app is dockerized I would recommend adding something like Snyk to make sure your image is safe.

Note: I remind you that we support multiple strategy for vulnerabilities like Sonatype or Snyk.

My name is Adam, and I am a software engineer working at Snyk for the past 2.5 years. Over the past year, I have been leading a few projects that spanned multiple teams. My colleague is a tech lead at Snyk, and he’s been coaching people on how to lead projects effectively for a few years now.

So I'm curious, how are businesses building iOS apps securely? Could a tool like Snyk replace a manual audit, or is it a good idea to have an initial manual audit of our desired environment?

Ideally, software can quickly go from development to production. Continuous deployment and delivery are some processes that make this possible. Continuous deployment means establishing an automated pipeline from development to production while continuous delivery means maintaining the main branch in a deployable state so that a deployment can be requested at any time. Predecos uses these tools. When a commit goes into master, the code is pushed directly to the public environment. Deployment also occurs when a push is made to a development branch enabling local/e2e testing before push to master. In this manner the master branch can be kept clean and ready for deployment most of the time. Problems that surface resulting from changes are visible before reaching master. Additional automated tools are used. Docker images are built for each microservice on commit to a development or master branch, a static code analysis is performed by SonarCloud revealing quality and security problems, Snyk provides vulnerability analysis and CodeClimate provides feedback on code quality while Coveralls provides test coverage. Finally, a CircleCI build is done. Each of these components use badges which give a heads-up display of the health of the system being developed. Incorporating each of these tools into the development process will keep the code on a trajectory of stability. For example, eliminating code smells, security vulnerabilities, and broken tests before merging a pull-request (PR) into master. Using Husky on development machines to ensure that code is well linted and locally tested before it is allowed to be pushed to source-control management (SCM). Applying additional processes such as writing tests around bugs meaning reintroduction of a given bug would cause a test to fail. The automated tools would then require that test to be fixed before push to SCM meaning fewer bugs will be reintroduced. Proper development processes and automation have a strong synergy.