Continuous Static Analysis using Pronto

Code quality and consistency are important. There are a ton of great open source tools and libraries that provide insights. For example: Rubocop checks your style and Brakeman scans for security vulnerabilities. You can run them easily and get a summary. But especially on a bigger codebase, that can take a while and result in a long list of issues.

What we really want is immediate feedback on the most recent code. That’s where the Pronto gem comes in. It takes these various tools and runs them only on the specified changes. It also has various ways to output the result, including commenting on a pull request.

Let’s go over how to configure Pronto to run on every pull request with the help of Travis CI. Start by adding Pronto to your Gemfile:

gem 'pronto'
gem 'pronto-rubocop'
gem 'pronto-flay'

Next, generate a new GitHub access token. Go to your Settings -> Personal access tokens or just follow this link. Pronto will only need repo/public_repo scopes to write comments, so you can uncheck everything else.

We’ll need to make this token available to Pronto via an environment variable. Go to the settings of your Travis CI build and configure it there. Name it GITHUB_ACCESS_TOKEN and set the value to the previously generated token. You can read more about how to do that in the official docs here. Note a security limitation: it will only be available to builds started by repo owners.

Now, the build script itself. There are better ways to do it, but for simplicity’s sake let’s just put it in .travis.yml:

script:
- 'export PULL_REQUEST_ID=${TRAVIS_PULL_REQUEST} &&
   bundle exec pronto run -f github_pr'
language: ruby
rvm:
- 1.9.3
- 2.1.1

That will run Pronto, outputting the result as comments on the pull request. By default, it checks the diff between the current HEAD and master.
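Because of the token limitation noted above, the one-liner fails on builds where GITHUB_ACCESS_TOKEN is not exposed. The script below is an added example, not part of the original post or of Pronto itself: it picks the formatter from the Travis environment, falls back to plain-text output when there is no pull request or no token, and keeps the token out of the echoed command line so it never lands in the build log.

```shell
#!/bin/sh
# Added example, not from the original post. Chooses how Pronto should report
# based on the Travis CI environment:
#   TRAVIS_PULL_REQUEST   "false" on branch builds, the PR number on PR builds
#   GITHUB_ACCESS_TOKEN   the Travis setting from the post; absent on builds
#                         the token is not exposed to (see the limitation above)

# Print the pronto command line to run. The token is deliberately not part of
# the printed command: pronto reads GITHUB_ACCESS_TOKEN from the environment,
# so it never appears in the build log.
pronto_command() {
  pr_id="$1"   # value of TRAVIS_PULL_REQUEST
  token="$2"   # value of GITHUB_ACCESS_TOKEN, possibly empty

  if [ -z "$pr_id" ] || [ "$pr_id" = "false" ]; then
    # Not a pull request build: nothing to comment on, report to the log.
    echo "bundle exec pronto run -f text"
  elif [ -z "$token" ]; then
    # PR build without a token: do not fail on the missing secret,
    # still report the issues in the log.
    echo "bundle exec pronto run -f text"
  else
    echo "PULL_REQUEST_ID=$pr_id bundle exec pronto run -f github_pr"
  fi
}

# Run with "--run" (for example as the `script:` entry in .travis.yml) to
# execute the chosen command; without it the script only defines the function.
if [ "${1:-}" = "--run" ]; then
  cmd=$(pronto_command "${TRAVIS_PULL_REQUEST:-false}" "${GITHUB_ACCESS_TOKEN:-}")
  echo "running: $cmd"
  sh -c "$cmd"
fi
```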

That’s it! Continuous Static Analysis achieved. Create a pull request including some bad code and watch the magic happen. You can configure it similarly using other CI servers. At Vinted, we run it on all our Ruby repositories with the help of Jenkins. Hopefully, you’ll also find it useful.