
[Static Code Analysis] Enforce coding standards using semgrep

Sarvsav Sharma
2 min read · Jan 31, 2025

As a startup working with microservices, it is challenging to maintain coding standards across all the services.


NOTE: No subscription? No problem. You can access the friend link here. :) You can also access all my friend links on my GitHub repo: Friend-Links.

After writing 10–12 microservices in Go (golang), we realized that the coding standards varied widely across the services and would be very difficult to maintain in the future.

The common problems we observed were:

  1. Package names containing underscores or hyphens, for example binary_tree or phone_book. As a good practice they should not contain either; they make the package name ugly and harder to read.
  2. Different modules used for the same functionality across services. For logging, for example, multiple libraries were in use across the project, including logrus, zerolog, and others.
  3. Missing defer on body.Close() calls in HTTP client code, which may lead to memory leaks.
  4. String concatenation with the + operator; the team should use strings.Builder or bytes.Buffer instead.
  5. Proper usage of errors and panic.
  6. Type assertions of the form myvar.(myType), which should be avoided.
  7. A check to verify that the server shuts down gracefully.

In addition to the scenarios above, there are many other situations where we have to enforce standards to keep the codebase stable.

Let me introduce you to Semgrep (more details can be found here). Using Semgrep, we are able to identify common security bugs as well as locate code that does not follow our standards. It is a static analysis tool, more powerful than a linter, that scans source code for potential security risks so they can be fixed early in the development process. The power of Semgrep lies in writing rules: there are many community rules available, and in addition we can implement our own organization-specific rules.
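As an added example, not code from the article or from the learnyougo repository, the rule file below shows how items 3, 4, 5 and 6 from the list above could be expressed as Semgrep rules. The file name, rule ids, severities and messages are my own choices, and the "panic is only allowed under cmd/" cut-off in the last rule is an assumed team policy, not one the article states. Each rule uses only documented Semgrep operators (pattern, pattern-either, pattern-not-inside, typed metavariables and paths.exclude).

```yaml
# team-standards.yml (hypothetical file name; added example, not from the
# article or the learnyougo repository). Run from the repository root with:
#   semgrep --config team-standards.yml .
rules:
  # Item 3: an *http.Response whose Body is never closed with defer.
  - id: http-response-body-not-closed
    languages: [go]
    severity: WARNING
    message: >-
      Response body of $RESP is never closed; add `defer $RESP.Body.Close()`
      right after the error check.
    patterns:
      # Match the call that produces the response ...
      - pattern-either:
          - pattern: $RESP, $ERR := $CLIENT.Get(...)
          - pattern: $RESP, $ERR := $CLIENT.Do(...)
      # ... unless the same function later defers closing that same body.
      - pattern-not-inside: |
          $RESP, $ERR := $CLIENT.Get(...)
          ...
          defer $RESP.Body.Close()
      - pattern-not-inside: |
          $RESP, $ERR := $CLIENT.Do(...)
          ...
          defer $RESP.Body.Close()

  # Item 4: strings built with + instead of strings.Builder / bytes.Buffer.
  - id: string-concat-with-plus
    languages: [go]
    severity: INFO
    message: >-
      Building a string with the + operator; prefer strings.Builder or
      bytes.Buffer.
    pattern-either:
      # Typed metavariables restrict the match to variables Semgrep can
      # resolve to string, so integer arithmetic is not flagged.
      - pattern: ($S : string) += $X
      - pattern: ($S : string) = $S + $X

  # Item 6: single-value type assertions, which panic on a type mismatch.
  - id: unchecked-type-assertion
    languages: [go]
    severity: WARNING
    message: >-
      Single-value type assertion on $X panics if the dynamic type is not
      $T; use the two-value form `v, ok := $X.($T)`.
    patterns:
      - pattern: $X.($T)
      - pattern-not-inside: $V, $OK := $X.($T)
      - pattern-not-inside: $V, $OK = $X.($T)

  # Item 5: panic in library packages. Assumed policy (my own, not the
  # article's): only entry points under cmd/ and test files may panic.
  - id: panic-outside-cmd
    languages: [go]
    severity: WARNING
    message: panic() in library code; return an error to the caller instead.
    pattern: panic(...)
    paths:
      exclude:
        - "cmd/"
        - "*_test.go"
```

Two caveats worth knowing before adopting rules like these. Typed metavariables depend on Semgrep's best-effort type resolution, so a string that reaches `+=` through an untyped path may be missed; and type switches (`switch v := x.(type)`) are parsed as a separate construct, so the type-assertion rule does not flag them. To keep the rules honest as they evolve, place a `team-standards.go` file next to the YAML with `// ruleid: <rule-id>` comments above lines that must match and `// ok: <rule-id>` above lines that must not, then run `semgrep --test` in that directory; Semgrep reports any rule whose findings disagree with the annotations.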

Let's start with a sample repository for demonstration purposes. Please clone the sample Go repository named learnyougo from here (hosted on GitHub).



Written by Sarvsav Sharma

Mostly writes about Go, GitHub, and DevSecOps. Interested in distributed systems. GitHub: sarvsav. Maintainer: go-feature-flag/gofeatureflag-lint-action
