Hunter  Krajcik

Hunter Krajcik


Bridgecrew's Yor Provides Automated Tagging for Infrastructure as Code

Bridgecrew  recently released Yor , their open-source tool for automated infrastructure as code tagging. Yor automatically adds tags to infrastructure configurations which are then applied to the running cloud resources, simplifying connecting the active resources back to the code that created them. Yor currently supports  Terraform ,  CloudFormation , and  Serverless .

By default, Yor will add a number of tags to each resource block. This includes the name of the git organization, repository, the file that contains the template that created the resource, the timestamp of the commit, and the list of modifiers for the file. A unique identifier is added that simplifies tying the running resource back to the code block.

Tags added by Yor into a Terraform resource block

Tags added by Yor into a Terraform resource block (credit:  Bridgecrew)

It is possible to extend these default tags with  custom tags. Custom tags can be  simple key:value pairings,  dynamically generated key:value tags, or  custom taggers. For example, a simple key can be defined by setting the environment variable YOR_SIMPLE_TAGS with a JSON object. This will add these tags to all objects whenever Yor is run.

#serverless #terraform #compliance #devops #news

What is GEEK

Buddha Community

Bridgecrew's Yor Provides Automated Tagging for Infrastructure as Code
Fannie  Zemlak

Fannie Zemlak


Softagram - Making Code Reviews Humane

The story of Softagram is a long one and has many twists. Everything started in a small company long time ago, from the area of static analysis tools development. After many phases, Softagram is focusing on helping developers to get visual feedback on the code change: how is the software design evolving in the pull request under review.

Benefits of code change visualization and dependency checks

While it is trivial to write 20 KLOC apps without help of tooling, usually things start getting complicated when the system grows over 100 KLOC.

The risk of god class anti-pattern, and the risk of mixing up with the responsibilities are increasing exponentially while the software grows larger.

To help with that, software evolution can be tracked safely with explicit dependency change reports provided automatically to each pull request. Blocking bad PR becomes easy, and having visual reports also has a democratizing effect on code review.

Example visualization

Basic building blocks of Softagram

  • Architectural analysis of the code, identifying how delta is impacting to the code base. Language specific analyzers are able to extract the essential internal/external dependency structures from each of the mainstream programming languages.

  • Checking for rule violations or anomalies in the delta, e.g. finding out cyclical dependencies. Graph theory comes to big help when finding out unwanted or weird dependencies.

  • Building visualization for humans. Complex structures such as software is not easy to represent without help of graph visualization. Here comes the vital role of change graph visualization technology developed within the last few years.

#automated-code-review #code-review-automation #code-reviews #devsecops #software-development #code-review #coding #good-company

Tyrique  Littel

Tyrique Littel


Static Code Analysis: What It Is? How to Use It?

Static code analysis refers to the technique of approximating the runtime behavior of a program. In other words, it is the process of predicting the output of a program without actually executing it.

Lately, however, the term “Static Code Analysis” is more commonly used to refer to one of the applications of this technique rather than the technique itself — program comprehension — understanding the program and detecting issues in it (anything from syntax errors to type mismatches, performance hogs likely bugs, security loopholes, etc.). This is the usage we’d be referring to throughout this post.

“The refinement of techniques for the prompt discovery of error serves as well as any other as a hallmark of what we mean by science.”

  • J. Robert Oppenheimer


We cover a lot of ground in this post. The aim is to build an understanding of static code analysis and to equip you with the basic theory, and the right tools so that you can write analyzers on your own.

We start our journey with laying down the essential parts of the pipeline which a compiler follows to understand what a piece of code does. We learn where to tap points in this pipeline to plug in our analyzers and extract meaningful information. In the latter half, we get our feet wet, and write four such static analyzers, completely from scratch, in Python.

Note that although the ideas here are discussed in light of Python, static code analyzers across all programming languages are carved out along similar lines. We chose Python because of the availability of an easy to use ast module, and wide adoption of the language itself.

How does it all work?

Before a computer can finally “understand” and execute a piece of code, it goes through a series of complicated transformations:

static analysis workflow

As you can see in the diagram (go ahead, zoom it!), the static analyzers feed on the output of these stages. To be able to better understand the static analysis techniques, let’s look at each of these steps in some more detail:


The first thing that a compiler does when trying to understand a piece of code is to break it down into smaller chunks, also known as tokens. Tokens are akin to what words are in a language.

A token might consist of either a single character, like (, or literals (like integers, strings, e.g., 7Bob, etc.), or reserved keywords of that language (e.g, def in Python). Characters which do not contribute towards the semantics of a program, like trailing whitespace, comments, etc. are often discarded by the scanner.

Python provides the tokenize module in its standard library to let you play around with tokens:



import io


import tokenize



code = b"color = input('Enter your favourite color: ')"



for token in tokenize.tokenize(io.BytesIO(code).readline):





TokenInfo(type=62 (ENCODING),  string='utf-8')


TokenInfo(type=1  (NAME),      string='color')


TokenInfo(type=54 (OP),        string='=')


TokenInfo(type=1  (NAME),      string='input')


TokenInfo(type=54 (OP),        string='(')


TokenInfo(type=3  (STRING),    string="'Enter your favourite color: '")


TokenInfo(type=54 (OP),        string=')')


TokenInfo(type=4  (NEWLINE),   string='')


TokenInfo(type=0  (ENDMARKER), string='')

(Note that for the sake of readability, I’ve omitted a few columns from the result above — metadata like starting index, ending index, a copy of the line on which a token occurs, etc.)

#code quality #code review #static analysis #static code analysis #code analysis #static analysis tools #code review tips #static code analyzer #static code analysis tool #static analyzer

Origin Scale

Origin Scale


Automation Management System

Want to try automated inventory management system for small businesses? Originscale automation software automate your data flow across orders, inventory, and purchasing. TRY FOR FREE

#automation #automation software #automated inventory management #automated inventory management system #automation management system #inventory automation

Wiley  Mayer

Wiley Mayer


Infrastructure as Code vs. Infrastructure as Software

Infrastructure as Code has been the hottest trend in cloud-native application development in recent years. By transforming infrastructure management into simple coded runtimes and routines, Infrastructure as Code or IaC allows developers to be more involved in the deployment part of their CI/CD pipelines. Even the most complex cloud infrastructure can be created with several lines of code.

IaC also means that server management, resource provisioning, and even long-term maintenance of complex cloud infrastructures are entirely simplified. Tools like Terraform certainly make maintaining a production environment that is both capable and efficient easy, even when there is no dedicated infrastructure team to handle the associated tasks.

A new trend that we’re seeing right now is further simplification of IaC, mainly known as Infrastructure as Software or IaS. Now that cloud services and the providers behind them are easier to access and control using tools and software, it is not impossible for the entire cloud infrastructure to be provisioned and managed as software libraries.

How does Infrastructure as Code differ from Infrastructure as Software? Which approach is better? We are going to answer these questions, and several others about these two trends, in this article.

IaC and IaS

The two approaches have some stark differences, but we are going to take a closer look at each of them first before we start differentiating the two. Infrastructure as Code is obviously the older approach of the two, and it has been very popular among developers. Using tools designed for managing infrastructure through lines of code, you can either manage the configurations of your cloud infrastructure or manage the provisioning of cloud resources; or both.

Terraform, a popular tool used by millions of developers, applies the second approach. The tool is not just handy for managing multiple configurations and making sure that key infrastructure variables are coded properly; it is also capable of provisioning resources and automating server deployment as needed. Terraform is very extensive in this respect.

Upon close inspection, Infrastructure as Software performs similar⁠—if not the same⁠—tasks using similar tools. You can deploy new server instances or configure the entire architecture using a few lines of codes. You can also automate provisioning and management, and you can still integrate IaS with your existing CI/CD pipelines.

Services that are available today support both approaches in most cases. The tools that fall into these two categories basically use the same API calls and available cloud resources to perform their runtimes, but they take different approaches when it comes to management. That actually brings us to our next point.

IaC vs. IaS

Now that we know how the two approaches are relatively similar, it is time to get the obvious out of the way. Infrastructure as Code and Infrastructure as Software has one huge difference, and that difference lies in the programming languages used by the tools. The easiest way to understand this difference is by comparing Terraform with Pulumi, which is a popular IaS tool.

Terraform requires you to use its native programming language. The HCL language is used for low-level programming. While the language is also used by other tools, the way it is used by Terraform is not always as straightforward as it seems. Terraform also supports JSON syntax but parsing and generating can quickly become bottlenecks as you try to organize massive cloud infrastructure environments.

Pulumi, on the other hand, uses programming languages you are already familiar with. It actually supports many of them, including Python, Go, and JavaScript. Don’t forget that loops and the programming structure of these familiar languages are carried over, so you define your cloud infrastructure the way you code functions in your cloud-native apps.

Since the programming language being used carries its own best practices and things like package management, you can implement the same set of elements into your IaS routine. No need to worry about having difficulties pushing infrastructure modules or doing plenty of adjustments in order for the configuration to be deployed at all.

#blog #code #continuous delivery #continuous integration #ci/cd pipeline #infrastructure as code #infrastructure as software #pulumi #terraform

Samanta  Moore

Samanta Moore


Guidelines for Java Code Reviews

Get a jump-start on your next code review session with this list.

Having another pair of eyes scan your code is always useful and helps you spot mistakes before you break production. You need not be an expert to review someone’s code. Some experience with the programming language and a review checklist should help you get started. We’ve put together a list of things you should keep in mind when you’re reviewing Java code. Read on!

1. Follow Java Code Conventions

2. Replace Imperative Code With Lambdas and Streams

3. Beware of the NullPointerException

4. Directly Assigning References From Client Code to a Field

5. Handle Exceptions With Care

#java #code quality #java tutorial #code analysis #code reviews #code review tips #code analysis tools #java tutorial for beginners #java code review