While I have always been a staunch supporter of free and open-source apps, it’s hard to manually review the code of every app, and I often turn to code review tools.
These tools help you quickly detect poor programming habits, key changes in a component’s features, high-risk components, security bugs, etc. Moreover, these tools often present their findings as GUI-based indicators, which makes them easy to understand without expertise in the language in question. With that said, not all code review apps are made equal. So, here are the best code review tools for both individuals and enterprises.
Best Code Review Tools
1. Gerrit
Gerrit is a web-based code review tool developed by Google and requires a JDK server to run. It works in sync with GitHub. So, before you push the code into production, it goes through Gerrit, where your peers can review the code. Gerrit supports pushing a project via git commands over SSH or HTTPS. For instance, if you want to upload your project to Gerrit for review, you can SSH into your Gerrit server and use “git push” to upload your repositories to Gerrit.
Gerrit also offers a set of plugins like CodeMirror and Phabricator to link with other code review tools and gain additional functionality.
- Integrates well with GitHub
- Works with git-enabled SSH and HTTPS servers
- Supports limited languages like C, C++,
2. RhodeCode
RhodeCode is another peer code review tool like Gerrit that works in sync with GitHub. However, it also integrates well with Mercurial and Subversion. In comparison to Gerrit, it provides a richer and much more intuitive interface. You can comment inline and make changes to the code through the RhodeCode web interface itself. Unlike Gerrit extensions, RhodeCode provides a JSON-RPC API for you to build third-party tools on. My favorite feature is the visual changelog, which provides a bird’s-eye view of development changes and helps keep track of them.
In addition, you also get security features like repository rule notifications, which inform the admin about suspicious activity in the repo. You can also limit access to the repo to certain IP ranges.
- Peer code review tool
- Inline editor within the RhodeCode web interface
- Security options: audit logging, ACLs, IP filtering, etc.
3. Find Security Bugs
Find Security Bugs, contrary to the name, is a plugin to find all types of bugs in your code. It can detect bad code practice, correctness issues, performance bottlenecks, security bugs, dodgy code, multithreaded correctness issues, etc. The plugin works in sync with the Maven Central repository. If you use an IDE, it can also be used locally with NetBeans, Eclipse, IntelliJ, Jenkins, and SonarQube. For instance, I was using Eclipse; on the Eclipse Marketplace it’s available under the name “SpotBugs”, so the installation process was fairly easy and straightforward.
The only caveat with SpotBugs is that it only works with Java code and Java EE applications.
Supported Languages: Java, Java EE
- Works in sync with Maven central repository
- Plugin for Eclipse, Jenkins, NetBeans, etc.
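As an added illustration of the kind of security bug the plugin reports (this is a constructed example, not code from the article or from the Find Security Bugs project), here is a Java class with two patterns the plugin flags when run over the compiled bytecode, each beside its fix. The class and method names are made up; the two bug-pattern identifiers in the comments are the plugin’s own names for these detections.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;

// Constructed demo class (hypothetical name); not part of any real project.
public class FindSecBugsDemo {

    // Flagged as PREDICTABLE_RANDOM: java.util.Random is a linear congruential
    // generator, so a password-reset token derived from it can be predicted.
    static String weakResetToken() {
        byte[] buf = new byte[16];
        new Random().nextBytes(buf);
        return hex(buf);
    }

    // Fix: SecureRandom draws from the platform CSPRNG; not reported.
    static String strongResetToken() {
        byte[] buf = new byte[16];
        new SecureRandom().nextBytes(buf);
        return hex(buf);
    }

    // Flagged as WEAK_MESSAGE_DIGEST_MD5: MD5 offers no collision resistance,
    // so it is unsuitable for integrity fingerprints or password hashing.
    static String weakFingerprint(byte[] data) throws NoSuchAlgorithmException {
        return hex(MessageDigest.getInstance("MD5").digest(data));
    }

    // Fix: SHA-256; not reported.
    static String strongFingerprint(byte[] data) throws NoSuchAlgorithmException {
        return hex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Hex-encode a byte array for display.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] sample = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        System.out.println("weak token:          " + weakResetToken());
        System.out.println("strong token:        " + strongResetToken());
        System.out.println("MD5 fingerprint:     " + weakFingerprint(sample));
        System.out.println("SHA-256 fingerprint: " + strongFingerprint(sample));
    }
}
```

Compile the class and run SpotBugs with the Find Security Bugs plugin over the resulting class file: the two weak methods show up in the report and the fixed ones do not.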
4. SearchDiggity
SearchDiggity is a project that amalgamates popular hacking tools like GoogleDiggity, BingDiggity, SHODAN Diggity, FlashDiggity, etc. It’s mostly a tool to security-check your web app or application server. It uses the Google, Bing, and SHODAN search engines to attack and infiltrate your website or server. It uses a combination of regular expressions in search queries to leak data. For instance, SearchDiggity can check if your AWS keys are stored in plain text or if your website login is prone to SQL injection.
It’s a must-have if your web server handles a large amount of web traffic and hosts a lot of data.
In case you get the “Google Bot Detected, pausing scan for 15 mins” error, you can configure SearchDiggity to use the official paid APIs provided by Google, Bing, and SHODAN under Help > Contents.
- Ability to check for SQL injection and vulnerable ports on your web server
- Works using the Google, Bing, and SHODAN search engines
- Windows-only tool
5. Phabricator
Phabricator is a set of free web-based code review tools. It’s a LAMP (Linux, Apache, MySQL, PHP) application written in PHP and is more of an auditing and collaboration tool, like GitHub.
You can try out Phabricator before installing it on your LAMP server: it has a hosted web instance called Phacility, and you can sync your GitHub or SVN code repositories into this instance directly. The most important tool in Phabricator is Differential. It works similarly to GitHub commits. Once a change is pushed, it notifies all the users to review the change and presents a complete run-down of the changes and code. Once approved, the change can be pushed into production.
Supported Languages: NA
- LAMP server
- Collaborate on and review code changes with other users
- Auditing of user actions on the web server
- Doesn’t work on a Windows machine
6. MS Application Inspector
Microsoft recently launched its code review tool called Application Inspector. As per Microsoft, this tool was built to analyze open-source software and summarize what the code and its libraries do. In order to use Application Inspector, you have to install the “dotnet-sdk” package. It outputs the report as an HTML file. I tried it on the Nylas mail app, and the report summary is pretty concise.
The presentation is well broken down and categorizes the software features, protocols used, APIs called, etc. For instance, in terms of data storage, Nylas mail uses SQL and a bit of NoSQL for PubSub cloud messaging services. I just have to click on Data storage and the “View” button beside Details. It shows the associated rules on the right, and clicking one brings up the reviewed code in a pop-up. It’s pretty easy and quick to jump to and review code.
- Concise report, easy to link, and review code
- Supports a number of languages
I use Microsoft Application Inspector due to the run-and-gun approach of the app. It supports a vast range of languages and gives a fairly good idea about the code. In case you have your own dedicated web server, Gerrit or Phabricator is a good alternative to GitHub. For more issues or queries, let me know in the comments below.