Skip to content
⭐️ Use repo badges (build passing, coverage, etc) in your readme/markdown file to signal code quality in a project.
HTML
Branch: master
Clone or download
iteles Merge pull request #36 from dwyl/replace-nodesecurity-badge-with-snyk…
…-issue-#32

Replace Nodesecurity [RIP] with Snyk Badge
Latest commit 1c2c7d5 Nov 29, 2018

README.md

Code Repository Badges build passing

Why? start with why

As people who are passionate about writing great code we display "badges" in our code repositories to signal to fellow developers that we set ourselves high standards1 for the code we write, think of them as the software-equivalent of the brand on your jeans or other reliable product.

What?

We use the following badges (listed in order of importance):

  • Documentation - Inline docs most people don't think of documentation as the "priority" for their (technical) project, instead people focus on solving the problem challenge e.g. by writing some code, and if it works, they add a TODO to "improve the docs" ... It may initially be counter-intuitive to think of Documentation as being the highest priority or first activity in a technical project but there are several reasons why it is:

    • Clearly setting out your own understanding of "the challenge" and then formulating a Question to be answered is the basis for "The Scientific Method". Without it you are like a blind-folded camel in the desert; unlikely to go straight to the oasis!
    • Describing your "success factors" or "acceptance criteria" before you start so you know when you've achieved your goal!
    • Communicating with current collaborators what problem you are/were trying to solve.
    • Making it immediately clear to everyone if you have succeeded in solving the challenge
    • Saves time in the short-run because you are immediately focused on the challenge and don't waste time on distractions.
  • Security - Known Vulnerabilities - Snyk Dependency Security Vulnerability Checking for your project: https://snyk.io/ is a free service provided by the lovely people at Snyk that checks if any of your dependencies have a security vulnerability. This badge is a great way to reassure people using your app/site that security is being checked.

Top tip: Guy Podjarny @guypod the founder of Snyk hosts "The Secure Developer" Podcast.
It's a "must" for all devs! Subscribe if you aren't already: https://www.heavybit.com/library/podcasts/the-secure-developer

  • Continuous Integration - Build Status - "build passing" indicates that the project's tests all pass as expected. If you see that the build for a project is "broken" it means the software does not work as advertised! This is a clear sign that you should not be using it (until it gets fixed!) ... check the repo's issues to see if it's a known problem, if not, report it!
    We use Travis CI for our CI. We wrote a little how-to/tutorial to help you (and your team) get started: https://github.com/dwyl/learn-travis

  • Test/Code Coverage - codecov.io Code Coverage - coverage is the measure of how much of the code in a project is tested. Anything below 100% coverage means the module/library has potential bugs which are unknown to the authors/users. We avoid using modules with less than 100% coverage and encourage others to question why the authors did not put in the time to test their code... ALL our code is tested. we cannot guarantee every line is "bug-free", (and always welcome people reporting any issues!) however we are meticulous about testing our work and always add regression/edge test cases where bugs are discovered!

  • CodeClimate - Code Climate - is the code quality score for a project measured on a number of factors including Complexity/Simplicity, Readability, Maintainability, Repetition and Line-count-per-file . The maximum score is 4.0 and we obviously strive to achieve this level in all our work. https://github.com/dwyl/learn-codeclimate

  • JavaScript the goodparts (code style/linting) - JavaScript Style Guide: Good Parts ... "Third Party" Code analysis services like CodeClimate (above) are really useful to have an "objective" (impartial) measure for the complexity/maintainability of your codebase, however you may want to take code-style/readability to the next level by using a specific style across all your projects ... Having harmony in your codebase is really useful/practical because it reduces the "thinking time". People working on the project need in order to understand (and thus maintain/extend) existing code. There are a few JavaScript "style guides" which help you & your team write consistent JS. We like goodparts because of these reasons, however we encourage you to make up your own mind as to which style to use (preferably based on sound reasoning not fashion...)

  • Dependencies - Dependency Status - knowing your module/project has (and works with) the latest versions of all its dependencies is a good way to signal that any bug-fixes/performance improvements/security patches etc in the component modules/libraries are considered in by the authors. We use https://david-dm.org/ to track our dependencies. david-dm is lovingly maintained by @alanshaw of TableFlip (a fellow dwyler!) and is a great resource for the node.js community!

  • devDependencies - devDependencies Status - your devDependencies are the modules used in testing/building your project. These do not need to be the latest versions because you will typically not install your devDependencies on your production server (so there aren't security vulnerabilities in production of having out-of-date devDependencies...) however, we encourage use of latest devDependencies because it means better stability in the build (fewer bugs in our tools!) and it makes it easier for new people joining the project because when they npm install they know everything is the latest version.

  • NPM Module Version - NPM Version this is a simple convenience to signal to fellow developers which version is the latest for your module. (saves them having to look at the package.json) If you want to include one in your readme, go to: http://badge.fury.io/for/js and type in your npm package name.

  • NPM Module Download Stats - NPM Download Stats - while this can be seen as a "vanity metric" it can also be useful to know if your project is actually being used by people in the community to know if you need keep supporting it.

How?

Documentation Inch-CI

While including a badge from "Inch-CI" in no way "guarantees" that your project is "comprehensively" documented it serves to remind you (and your team) that documentation (i.e. communication) is a priority and signals to others if you have the solution to their "challenge".

Visit: http://inch-ci.org/learn_more and paste your GitHub username (or organisation name) and repository name into the form then click Evaluate.

Then you can copy the badge directly from the resulting page. e.g:

[![Inline docs](http://inch-ci.org/github/{ORG-or-USERNAME}/{REPO-NAME}.svg?branch=master)](http://inch-ci.org/github/{ORG-or-USERNAME}/{REPO-NAME})

Build Passing Build Status

[![Build Status](https://travis-ci.org/{ORG-or-USERNAME}/{REPO-NAME}.png?branch=master)](https://travis-ci.org/{ORG-or-USERNAME}/{REPO-NAME})

You'll need to setup your project on Travis-CI and write unit tests (preferably TDD!) for this to work ... if you're stuck ask us how!

CodeClimate

Setup your repository by adding it on code climate then copy the badge markdown from them!

For more detailed instructions see: https://github.com/dwyl/learn-codeclimate

Coverage

The new kid on the block for Test Coverage is "CodeCov": https://codecov.io/#features
We love their features especially the fact that they check coverage for pull requests! see: https://github.com/dwyl/learn-istanbul#tracking-coverage-as-a-service

To setup codecov simply add the following lines to your .travis.yml file:

before_install:
  - pip install --user codecov
after_success:
  - codecov --file coverage/lcov.info --disable search

And remember to output a coverage report in your tests using istanbul, by adding it to your test script in your package.json so that travis can send the coverage report to codecov e.g:

"scripts": {
  "test": "./node_modules/.bin/istanbul cover ./node_modules/tape/bin/tape ./test/*.js"
}

If you are new to test coverage using istanbul check out: learn-istanbul

Working example: hits/.travis.yml

Note: you can still use CodeClimate for Coverage if you prefer,
we're excited that there is more choice in the JS testing space!

goodparts JavaScript Code Style JavaScript Style Guide: Good Parts

Once you have installed goodparts and used it to lint your code, see: https://github.com/dwyl/goodparts#how you can include a badge in your repo to inform others of your choice of code style.

[![JavaScript Style Guide: Good Parts](https://img.shields.io/badge/code%20style-goodparts-brightgreen.svg?style=flat)](https://github.com/dwyl/goodparts "JavaScript The Good Parts")

See: https://github.com/dwyl/goodparts

Why? start with why

## Why? [![start with why](https://img.shields.io/badge/start%20with-why%3F-brightgreen.svg?style=flat)](http://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action)

Node.js Version your Project/Module Supports: NPM version

[![Node version](https://img.shields.io/node/v/[NPM-MODULE-NAME].svg?style=flat)](http://nodejs.org/download/)

NPM Download Statistics

To show download stats for your NPM package, use https://nodei.co/ e.g:

NPM Download Stats

If you want the image to be clickable use the following Markdown:

[![https://nodei.co/npm/YOUR-MODULE-NAME.png?downloads=true&downloadRank=true&stars=true](https://nodei.co/npm/YOUR-MODULE-NAME.png?downloads=true&downloadRank=true&stars=true)](https://www.npmjs.com/package/YOUR-MODULE-NAME)

Contributing contributions welcome

If you want to encourage people to contribute to your project, by reminding them that you welcome their input use this badge!

## Contributing [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/dwyl/esta/issues)

Gitter (Chat for Developers!)

Join the chat at https://gitter.im/dwyl/chat

[![Join the chat at https://gitter.im/{ORG-or-USERNAME}/{REPO-NAME}](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/dwyl/?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

dwyl chat button:

If you are working on a project in the dwyl organisation and want to include the button to let people join our public chat channel, copy paste this markdown snippet into the README.md of the project you are working on:

[![Join the chat at https://gitter.im/dwyl/chat](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/dwyl/chat?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)

(GitHub Repo) Hit Counter HitCount

Ever wanted to know how many people have viewed your GitHub Repo?
We did ... So we wrote a tiny script that counts views! 😮

Visit: http://hits.dwyl.com to get your "Hit Count" badge.

Template:

[![HitCount](http://hits.dwyl.com/{username}/{project-name}.svg)](http://hits.dwyl.com/{username}/{project-name})

Example:

[![HitCount](http://hits.dwyl.com/dwyl/start-here.svg)](http://hits.dwyl.com/dwyl/start-here)

Yes, we know that for some people, "hits" = "How Idiots Track Success" ... but, in the absence of better analytics, page views are a good metric to be aware of! 📈

Snyk Proactive Security Vulnerability Detection

  1. Visit: https://snyk.io

01-snyk-home-page

  1. Click the "Signup with GitHub" button/link:

02-snyk-signup

  1. Click the button to "Athorise Snyk":

03-snyk-authorise

  1. Click to "Connect with GitHub":

04-snyk-integrations-select-github

  1. Again click "Connect with GitHub":

05-connect-to-github

  1. By default Snyk requests access to both public and private repos, Select whatever is relevant to you and continue:

06-snyk-wants-private-repos-by-default

  1. I selected only public repositories as I always follow the "principal of least privilege":

07-snyk-select-public-repos-only

  1. Confirm the access that Snyk is requesting:

08-snyk-authorise

  1. Connect to Snyk to a GitHub Repository:

09-snyk-connect-to-github-repo

  1. Select the desired repository: (in this case hapi-auth-jwt2 ...)

10-snyk-select-desired-repo

  1. Add selected repo:

11-snyk-add-1-selected-repository

  1. Wait for the repo to be imported by Snyk:

12-snyk-importing

  1. Once the repo has finished importing, refresh the page to see your dashboard:

13-snyk-finished-securing

  1. From the Snyk dashboard. Click on the project you want to view:

14-snyk-dashboard-projects

  1. Copy the Snyk "Badge" for inclusion in your project:

15-snyk-project-page

Badge Format:

[![Known Vulnerabilities](https://snyk.io/test/github/{username}/{repo}/badge.svg)](https://snyk.io/test/github/{username}/{repo})

Official Badge: Known Vulnerabilities

[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)

Flat Square: Known Vulnerabilities

[![Known Vulnerabilities](https://snyk.io/test/github/dwyl/hapi-auth-jwt2/badge.svg?targetFile=package.json)](https://snyk.io/test/github/dwyl/hapi-auth-jwt2?targetFile=package.json)

Note: just having a 3rd party service telling you there aren't any know vulnerabilities does not guarantee that your app is "secure"! You still need to write good code that escapes all input and follows "best practice"! But the snyk badge & service is a useful early warning system.

Thank You!

Help spread the Code Quality Love! ❤️
Please ⭐️ this repo and share it with others by re-tweeting:

repo-bages-please-retweet


Others

If you need to adapt any of the images or create your own: http://shields.io

Extra High-resolution

We needed High-resolution versions of the coding badges for a presentation about testing so we made PNGs from the SVGs ...

These are in the folders in this repo in case they are useful to someone else.

1Other repositories that do not have these badges are not necessarily "worse" or have "low standards", they simply are not making them explicit .

You can’t perform that action at this time.