By Wes Dean
Introduction
One of our fundamental principles at Flexion is to “Never Compromise on Quality.” We know that poor quality slows us down and that shortcuts can make things worse. Unlike with an artisanal loaf of bread or a bespoke hand-crafted cherry cabinet, it’s tough to know if the ingredients going into a piece of software are high-quality and secure. So, we’re constantly looking for tools and techniques to help us up our game and deliver better solutions.
One of the tools we’re using is MegaLinter, an open-source tool powered and sponsored by the fine folks at OX Security. Beyond using the existing code, we modify MegaLinter to serve clients better. We then contribute those changes back upstream, so the improvements we develop for our clients also serve the greater community.
Here are five ways we use MegaLinter to help us deliver higher-quality work faster. These include our cutting-edge enhancements to leverage MegaLinter to better serve the Centers for Medicare & Medicaid Services (CMS).
1. Scout out security problems
MegaLinter is a static code analysis tool: it examines source code without running it and notes anything suspicious. For example, if we use an unsafe coding practice or if a database is configured to be accessible to the world, MegaLinter points it out so that we can fix it before deploying or publishing.
MegaLinter also includes tools that look specifically for security concerns and inform us when something isn’t right.
For example, it can tell us when resources being deployed to Amazon Web Services (AWS) are open to the public or if a Docker image is not following established best practices.
MegaLinter does this by running several specialized tools (e.g., Semgrep, Trivy, Syft Analytics, KICS, Checkov, and many more) and collating the results into a streamlined report.
For examples of how to set up these individual components, check out these links on MegaLinter:
- Semgrep on MegaLinter
- Trivy on MegaLinter
- Syft on MegaLinter
- KICS on MegaLinter
- Checkov on MegaLinter
2. Root out hidden credentials
One of our first steps is to examine a project’s source code, usually by running MegaLinter. MegaLinter includes tools that look for hidden credentials such as passwords, certificates, and application programming interface (API) keys. That lets us zip through tens of thousands of lines of code in seconds and find credentials in all kinds of places: documentation, source code, configuration files, hidden commits, old branches, and so on.
Imagine one of your passwords buried deep in a huge file that was accidentally posted to the web. MegaLinter finds situations like this so we can remove the information and keep safety and security top of mind.
For MegaLinter-specific documentation examples, check out these links for:
3. Squash vulnerabilities and update dependencies
Most software is built on top of libraries, packages, and modules developed and maintained by developers worldwide. A basic web application may import hundreds or even thousands of external components. Problems and vulnerabilities are discovered and fixed as time passes, creating a continual cycle of updating applications to use the safest, most secure components.
MegaLinter comes to the rescue by including tools that examine the components our software is built on — the dependencies — to discover if there are newer, safer versions we can use. When updates are found, MegaLinter catches them and lets us know about the newer versions. We even combine MegaLinter with other tools (e.g., Renovate and Dependabot) to automate this patching process for us.
For MegaLinter-specific documentation examples, check out these links for:
4. Crush technical debt
Ugh. Technical debt. It can be soul-crushing to deal with cut corners, shortcuts, and “I’ll get that tomorrow” notes where “tomorrow” never comes. Cleaning up a mess just so you can get to work is like cleaning the pots, pans, and dishes before you can start cooking a meal.
MegaLinter goes through our code to find those messes and lets us know what needs to be cleaned up before the job’s done. This helps us to be kind to our future selves while helping us ship source code so beautiful that it can bring a tear to your eye.
See the list of 100+ supported linters embedded in MegaLinter.
5. Help our developers develop
Many of the tools MegaLinter uses can actually do a lot of work for us. Coding styles are enforced, typos are caught, and development antipatterns are called out. You know how if you misspell a word when you’re doing a web search and the search engine asks, “Did you really mean…?” It’s like that but for our source code.
Instead of developers spending time indenting source code or adding spaces around parentheses, developers can focus on developing and let MegaLinter take care of the busy work. Many of the folks at Flexion have been working in this industry for decades, and we each have our own quirks and muscle memory artifacts; some of us put spaces around commas, and some don’t. You know what? It doesn’t matter. We can give MegaLinter a set of rules about commas and spaces and indenting and let it work all of that out for us.
See how MegaLinter can apply fixes provided by linters.
Bonus: Lint our prose
In addition to cleaning up source code, MegaLinter has a few other tricks up its sleeve! Did you know that MegaLinter can scan prose, such as documentation? Flexion contributed functionality to MegaLinter that can check spelling, help with grammar, adjust capitalization (that’s MegaLinter with a capital M!), and look out for words or phrases that need to be updated. In fact, MegaLinter can work with guidelines advocated by PlainLanguage.gov to make sure what we write is accessible to as many people as possible.
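The sections above say which kinds of tools we enable but not how they are switched on. Below is an added example `.mega-linter.yml` (written for this article, not taken from the MegaLinter project or from Flexion’s own configuration) that turns on the security scanners named in section 1, a secret detector for section 2, auto-fixing formatters for section 5, and prose linters for the bonus. The descriptor names are assumed to follow MegaLinter’s `REPOSITORY_*`, `SPELL_*`, and `<LANGUAGE>_<LINTER>` naming convention, and the regex and folder name are made up for this example; check each name against the current linter list before relying on it.

```yaml
# .mega-linter.yml (added example; not the article's or the MegaLinter project's own file)
# Descriptor names are assumed from MegaLinter's naming convention; verify each one
# against the linter list in the MegaLinter documentation before enabling it.

# Scan the whole repository, not only the files changed on the current branch.
VALIDATE_ALL_CODEBASE: true

# Only the linters listed here run. Anything not listed is skipped.
ENABLE_LINTERS:
  # Section 1: security scanners collated into one report
  - REPOSITORY_SEMGREP      # pattern-based static analysis of source code
  - REPOSITORY_TRIVY        # vulnerable dependencies, images, and IaC misconfigurations
  - REPOSITORY_SYFT         # software bill of materials for the project
  - REPOSITORY_KICS         # infrastructure-as-code checks (e.g. publicly exposed resources)
  - REPOSITORY_CHECKOV      # infrastructure-as-code policy checks
  - DOCKERFILE_HADOLINT     # Dockerfile best practices
  # Section 2: credentials in files and in git history
  - REPOSITORY_GITLEAKS
  # Section 5: formatters that can rewrite code for us
  - PYTHON_BLACK
  - BASH_SHFMT
  - MARKDOWN_MARKDOWNLINT
  # Bonus: prose
  - SPELL_CSPELL            # spelling in code and documentation
  - SPELL_VALE              # prose style rules (assumed linter; needs its own style config)

# Section 5: let formatters apply their fixes instead of only reporting them.
APPLY_FIXES: all

# Security findings fail the run; spelling and style findings are reported but advisory.
SPELL_CSPELL_DISABLE_ERRORS: true
SPELL_VALE_DISABLE_ERRORS: true

# Keep vendored and generated code out of the scan (constructed pattern; adjust to the repo).
FILTER_REGEX_EXCLUDE: (node_modules/|vendor/|\.terraform/)

# Machine-readable SARIF output for CI dashboards, alongside the default text report.
SARIF_REPORTER: true
REPORT_OUTPUT_FOLDER: megalinter-reports
```

With `ENABLE_LINTERS` set, MegaLinter runs exactly this list, so a language-specific formatter has to be added here before `APPLY_FIXES` can touch files of that language.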
Our team is committed to finding the best open-source software so we can serve our clients well. As we have done with MegaLinter, we apply our expertise to raise the bar for CMS and the community at large, so we “Never Compromise on Quality.”
Try MegaLinter for your technical prose!
If you’d like to discuss a partnership with Flexion to up your DevSecOps game, please contact us.
Wes Dean, a Senior DevSecOps Engineer at Flexion, brings his extensive experience in the UNIX and Linux world since the early 1990s to his role. He supports a variety of U.S. Federal agencies, helping them work safer, faster, more efficiently, and more securely. Wes’s unique position as a member of the CMS Open Source Program Office Advisory Board’s CMS Source Code Stewardship Taskforce underscores his expertise and credibility. He is also a staunch supporter of MegaLinter and a contributor to the tool’s prose scanning functionality, among other improvements.