Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/doc/user/project/merge_requests/code_quality.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/user/project/merge_requests/code_quality.md')
-rw-r--r--doc/user/project/merge_requests/code_quality.md41
1 files changed, 22 insertions, 19 deletions
diff --git a/doc/user/project/merge_requests/code_quality.md b/doc/user/project/merge_requests/code_quality.md
index d50056c9450..5a98338a81b 100644
--- a/doc/user/project/merge_requests/code_quality.md
+++ b/doc/user/project/merge_requests/code_quality.md
@@ -1,7 +1,7 @@
---
stage: Verify
group: Testing
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
---
@@ -45,7 +45,7 @@ Watch a quick walkthrough of Code Quality in action:
<iframe src="https://www.youtube.com/embed/B32LxtJKo9M" frameborder="0" allowfullscreen="true"> </iframe>
</figure>
-NOTE: **Note:**
+NOTE:
For one customer, the auditor found that having Code Quality, SAST, and Container Scanning all automated in GitLab CI/CD was almost better than a manual review! [Read more](https://about.gitlab.com/customers/bi_worldwide/).
See also the Code Climate list of [Supported Languages for Maintainability](https://docs.codeclimate.com/docs/supported-languages-for-maintainability).
@@ -84,8 +84,8 @@ include:
- template: Code-Quality.gitlab-ci.yml
```
-The above example will create a `code_quality` job in your CI/CD pipeline which
-will scan your source code for code quality issues. The report will be saved as a
+The above example creates a `code_quality` job in your CI/CD pipeline which
+scans your source code for code quality issues. The report is saved as a
[Code Quality report artifact](../../../ci/pipelines/job_artifacts.md#artifactsreportscodequality)
that you can later download and analyze.
@@ -131,18 +131,18 @@ stages:
- test
```
-TIP: **Tip:**
-This information will be automatically extracted and shown right in the merge request widget.
+NOTE:
+This information is automatically extracted and shown right in the merge request widget.
-CAUTION: **Caution:**
+WARNING:
On self-managed instances, if a malicious actor compromises the Code Quality job
-definition they will be able to execute privileged Docker commands on the runner
+definition they could execute privileged Docker commands on the runner
host. Having proper access control policies mitigates this attack vector by
allowing access only to trusted actors.
### Disabling the code quality job
-The `code_quality` job will not run if the `$CODE_QUALITY_DISABLED` environment
+The `code_quality` job doesn't run if the `$CODE_QUALITY_DISABLED` environment
variable is present. Please refer to the environment variables [documentation](../../../ci/variables/README.md)
to learn more about how to define one.
@@ -185,7 +185,7 @@ job1:
- if: '$CI_COMMIT_TAG' # Run job1 in pipelines for tags
```
-To make these work together, you will need to overwrite the code quality `rules`
+To make these work together, you need to overwrite the code quality `rules`
so that they match your current `rules`. From the example above, it could look like:
```yaml
@@ -228,6 +228,7 @@ with the following properties:
| ---------------------- | -------------------------------------------------------------------------------------- |
| `description` | A description of the code quality violation. |
| `fingerprint` | A unique fingerprint to identify the code quality violation. For example, an MD5 hash. |
+| `severity` | A severity string (can be `info`, `minor`, `major`, `critical`, or `blocker`). |
| `location.path` | The relative path to the file containing the code quality violation. |
| `location.lines.begin` | The line on which the code quality violation occurred. |
@@ -238,6 +239,7 @@ Example:
{
"description": "'unused' is assigned a value but never used.",
"fingerprint": "7815696ecbf1c96e6894b779456d330e",
+ "severity": "minor",
"location": {
"path": "lib/index.js",
"lines": {
@@ -248,22 +250,22 @@ Example:
]
```
-NOTE: **Note:**
+NOTE:
Although the Code Climate spec supports more properties, those are ignored by
GitLab.
-## Code Quality reports **(STARTER)**
+## Code Quality reports
-Once the Code Quality job has completed:
+After the Code Quality job completes:
-- The full list of code quality violations generated by a pipeline is shown in the
- Code Quality tab of the Pipeline Details page.
- Potential changes to code quality are shown directly in the merge request.
The Code Quality widget in the merge request compares the reports from the base and head of the branch,
- then lists any violations that will be resolved or created when the branch is merged.
+ then lists any violations that are resolved or created when the branch is merged.
- The full JSON report is available as a
[downloadable artifact](../../../ci/pipelines/job_artifacts.md#downloading-artifacts)
for the `code_quality` job.
+- The full list of code quality violations generated by a pipeline is shown in the
+ Code Quality tab of the Pipeline Details page. **(STARTER)**
### Generating an HTML report
@@ -341,13 +343,14 @@ is still used.
This can be due to multiple reasons:
- You just added the Code Quality job in your `.gitlab-ci.yml`. The report does not
- have anything to compare to yet, so no information can be displayed. Future merge
- requests will have something to compare to.
+ have anything to compare to yet, so no information can be displayed. It only displays
+ after future merge requests have something to compare to.
- Your pipeline is not set to run the code quality job on your default branch. If there is no report generated from the default branch, your MR branch reports will not have anything to compare to.
- If no [degradation or error is detected](https://docs.codeclimate.com/docs/maintainability#section-checks),
- nothing will be displayed.
+ nothing is displayed.
- The [`artifacts:expire_in`](../../../ci/yaml/README.md#artifactsexpire_in) CI/CD
setting can cause the Code Quality artifact(s) to expire faster than desired.
+- If you use the [`REPORT_STDOUT` environment variable](https://gitlab.com/gitlab-org/ci-cd/codequality#environment-variables), no report file is generated and nothing displays in the merge request.
- Large `codeclimate.json` files (esp. >10 MB) are [known to prevent the report from being displayed](https://gitlab.com/gitlab-org/gitlab/-/issues/2737).
As a work-around, try removing [properties](https://github.com/codeclimate/platform/blob/master/spec/analyzers/SPEC.md#data-types)
that are [ignored by GitLab](#implementing-a-custom-tool). You can:
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-14 23:27:01 +0300