"DeepSource is a great product which complements projects looking to embrace CI and source code quality as part of a larger DevOps strategy. It's been very easy and a pleasure to use this product. All round, we are very happy with DeepSource."

— Lewis John McGibbney, NASA Jet Propulsion Laboratory

Background

Podaacpy is a Python utility library for interacting with NASA JPL’s Physical Oceanography Distributed Active Archive Center (PO.DAAC) — an element of NASA’s Earth Observing System Data and Information System (EOSDIS) which provides science data to a wide community of users for NASA’s Science Mission Directorate. Podaacpy library provides intuitive Python interfaces to interact with all of PO.DAAC’s webservices.

Prior to DeepSource, it used Travis CI to keep a check on quality with individual hooks such as read the docs to build documentation, source code builds and (nosetest) unit test execution for testing, coveralls.io for test coverage and requires.io for dependency management.

Challenge

While the hooks helped check code for quality metrics, they were not a direct solution. Lewis McGibbney- NASA Jet Propulsion Laboratory, was seeking an automated static analysis tool which can

• Fit easily in the development workflow
• Reduce the risk of additional issues in the incoming code
• Detect complex security issues and give accurate results

Solution

Started analysis within 5 minutes

DeepSource’s native integration with GitHub enabled Lewis to complete the setup in minutes and start scanning the source code immediately.

Discovering issues in Pull Requests and Commits, automatically

Earlier, Podaacpy was entirely dependent on source code builds and (nosetest) unit test execution on TravisCI for quality testing— a post merger affair. After installing DeepSource, the analysis triggers automatically with every pull request or commit, and flags all the issues in the GitHub checks itself— a pre merger affair. It helps in two ways:

• Checks fit well in the review workflow, making it convenient for developers to act on the issues
• Earlier the issues are detected, the easier (& cheaper) it is to resolve them

Highly relevant results, leveling up developer confidence

DeepSource’s Python analyzers review the code at source level for 520+ types of issues, showing the most relevant results by separating them from the noise. Talking about the accuracy, Lewis says that the results were very easy to interpret and correct.

Merging secure, reliable code with in-depth security analysis

As a part of NASA, there is no denying the extreme level of secure coding Podaacpy demands. Spotting and resolving security flaws at the earliest is one of their top priorities. DeepSource’s Static Application Security Testing (SAST) analyzers continuously scan the source code for hundreds of known security flaws (like OWASP Top 10) to ensure each of them are addressed before the code is merged.

Results

DeepSource helped Podaacpy integrate static analysis in their code review process easily and quickly. Using DeepSource, helps them catch issues much earlier in the life cycle, take remediation measures accordingly and maintain the overall project code quality.