Starting with the Fall 2022 Semester, CIS-294 web projects now include automated testing for basic security and code quality. These tests run every time commits are pushed to the website git repository, and we will not merge changes to the production branch until all tests pass.

Some of the included tests can be run in your local environment before committing, helping you to check for mistakes and write higher quality code.

Static Application Security Testing (SAST)

SAST scanners check your source code for known vulnerabilities. Available testing includes the phpcs-security-audit for PHP applications. This is separate from the PHP CodeSniffer checks for code quality below.

SAST scanning is included with GitLab and can also be configured for C# and Java applications.

Secret Detection

Secret Detection identifies when secrets such as keys, passwords, API tokens, and other sensitive information are committed to the repository. Secret Detection uses the Gitleaks tool to scan the repository for secrets.

Rector - Instant Upgrades and Automated Refactoring

Rector instantly upgrades and refactors the PHP code of your application. Its primary purpose is to help developers automatically update their code to the latest version of PHP, but it will also help enforce coding quality and standards.

Testing locally

You can test your code locally before committing by running Rector from the command line. To view potential changes, cd to your application directory and run:

./vendor/bin/rector process --dry-run

You can optionally specify a single file to check. If you want Rector to make changes for you, simply remove the --dry-run flag.

Enabled tests

You can view the rector.php file in the website repository to see which tests are currently enabled.

PHP Coding Standards Fixer

The PHP Coding Standards Fixer (PHP CS Fixer) tool fixes your code to follow standards and can modernize your code automatically as PHP versions change over time. Our CIS-294 project uses the current Symfony rule set with one custom adjustment for spacing in string concatenation. PHP CS Fixer is an essential development tool that ensures your code remains clean and consistent.

Testing locally

You can test your code locally before committing by running PHP CS Fixer from the command line. To view potential changes, cd to your application directory and run:

./vendor/bin/php-cs-fixer check --verbose --diff

You can optionally specify a single file to check. If you want the fixer to make changes for you, run php-cs-fixer fix instead. Always check your code manually with git diff or git add -p to review changes before committing.

Linting Twig templates

The lint:twig command checks that your Twig templates don't have any syntax errors. It's useful to run it before deploying your application to production. See the documentation for complete details.

Testing locally

You can test your code locally using the Symfony console before committing. To view potential changes, cd to your application directory and run:

bin/console lint:twig --show-deprecations templates

Stylelint and Prettier

Stylelint is a CSS linter that helps you avoid errors and enforce conventions. Prettier is an opinionated code formatter that can be used to help keep your CSS and JS files formatted consistently. We use Stylelint and Prettier as part of the automated testing in the QA pipeline for the CIS-294 website. Installing Stylelint and Prettier locally makes CSS testing and cleanup an easy part of the development process.

Testing with Stylelint

The CIS-294 Symfony website repository includes two files in the project root:

  • .stylelintrc - contains settings based on Drupal's CSS coding standards but modified for four-space indentation.
  • .stylelintignore - tells Stylelint to ignore the normalize.css file that we will download for the project. This file does not follow the same standards, and we do not want to modify it, because it provides a well-recognized baseline for web projects.

To test your CSS changes, run this command in the project directory:

stylelint public/css

Most problems that Stylelint encounters can be fixed automatically with the --fix switch.

stylelint --fix public/css

Testing with Prettier

The CIS-294 Symfony website repository includes two files in the project root:

  • .prettierrc.json - is the required settings file. It may either be empty or contain custom settings. Prettier uses settings stored in .editorconfig by default, but may need adjustment for your project.
  • .prettierignore - tells Prettier to ignore the normalize.css file that we will download for the project. This file does not follow the same standards, and we do not want to modify it, because it provides a well-recognized baseline for web projects.

To test your CSS changes, run this command in the project directory:

prettier --check public/css

Problems that Prettier encounters can be fixed automatically with the --write switch.

prettier --write public/css

Prettier may also be used with your JavaScript files if you add any to your project, but these are not tested by default in the GitLab CI/CD pipeline.
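The local checks above can be combined into a Git pre-commit hook so that nothing reaches the repository with a known failure. This is an added example, not the course project's own hook; it assumes the CIS-294 project layout (vendor/bin, bin/console, public/css, templates) and the tool names used on this page.

```shell
#!/bin/sh
# Git pre-commit hook that runs the local checks described on this page.
# Added example, not the course project's own hook. Assumes the CIS-294 layout
# (vendor/bin, bin/console, public/css, templates) and the tool names used above.

FAILED=0

# run_check LABEL TOOL [ARGS...]
# Returns 0 if the check passes, 1 if it fails, 2 if the tool is not installed (skipped).
run_check() {
    label=$1
    shift
    tool=$1
    case "$tool" in
        */*) [ -x "$tool" ] || { echo "SKIP $label: $tool not found"; return 2; } ;;
        *)   command -v "$tool" >/dev/null 2>&1 || { echo "SKIP $label: $tool not installed"; return 2; } ;;
    esac
    if "$@"; then
        echo "PASS $label"
        return 0
    fi
    echo "FAIL $label"
    return 1
}

# tally LABEL TOOL [ARGS...]
# Runs a check and counts real failures only; a skipped check does not block the commit.
tally() {
    run_check "$@" && return 0
    [ $? -eq 1 ] && FAILED=$((FAILED + 1))
    return 0
}

# Read-only forms of the page's commands: this hook never rewrites files.
run_all() {
    FAILED=0
    tally "Rector dry run"  ./vendor/bin/rector process --dry-run
    tally "PHP CS Fixer"    ./vendor/bin/php-cs-fixer check --verbose --diff
    tally "Twig lint"       bin/console lint:twig --show-deprecations templates
    tally "Stylelint"       stylelint public/css
    tally "Prettier"        prettier --check public/css
    return "$FAILED"
}

# Only run the checks when installed as .git/hooks/pre-commit; sourcing the file does nothing.
case "$0" in
    */pre-commit|pre-commit)
        run_all || { echo "$FAILED check(s) failed; fix them before committing."; exit 1; } ;;
esac
```

Copy the script to .git/hooks/pre-commit in your clone and make it executable with chmod +x; it then runs automatically on every git commit.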

Ignoring normalize.css

This project uses normalize.css, a standard chosen by many projects including Drupal Core. This file does not match our standards, but should not be modified. (You should override any changes to normalize.css in your own files instead.) Therefore, we use the .stylelintignore and .prettierignore files in the project repository to skip this file when scanning. All other project CSS files should be reviewed.