Conf42 DevSecOps 2021: Building our own custom Code Insight tool at Form3

We are on a journey in scaling up - we are expanding our codebase and our engineering teams as fast as we can! In this talk, we present Code Insight, our tool for scanning our code for vulnerabilities. Watch our talk to find out how we built and rolled out Code Insight to our teams, enabling them to deliver faster than ever before!

Whistle-stop tour

This talk shares some key points in our journey to introduce a new static code analysis tool to our teams.
Here are some key highlights of the talk:

  • We are a rapidly growing engineering organisation. This means that we have engineers who are quite new to the codebase contributing to live services. We own 500 repositories in different languages such as Terraform, Go, Java and YAML, which our developers contribute to at different frequencies.
  • Form3’s platform is compliant with the highest standards of security and should be actively maintained to remain free from vulnerabilities.
  • Our teams needed a centralised source code scanning solution that could integrate well with our development workflows. A central configuration makes it easy to maintain and change system-wide settings.
  • We implemented a GitHub App for Code Insight that we can integrate into our Travis workflows. Under the hood, the app uses GitHub webhooks, Amazon API Gateway, AWS Lambda and Fargate Spot instances to run our scans. New scans are configured using Docker images.
  • Nightly builds, alongside PR builds, ensure that we have an up-to-date view of our vulnerabilities.
  • Code Insight allowed Form3 to streamline development work. No extra configuration and easy maintenance were big improvements over our previous code scanning solution.
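The webhook entry point of a GitHub App like the one described above is the part an attacker can reach from the internet, so the receiver should authenticate every delivery before it spends Fargate capacity on a scan. The following Go program is an added example, not Form3's Code Insight code: it verifies GitHub's `X-Hub-Signature-256` header against the HMAC-SHA256 of the raw body using the app's webhook secret, then turns a `pull_request` event into a scan job. The `ScanJob` type, the `scannerImage` constant and the constructed payload are assumptions for illustration; the header name, the `sha256=<hex>` format and the event fields are GitHub's documented webhook conventions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// scannerImage is a hypothetical Docker image for the scanner; the real
// image name would come from the central configuration.
const scannerImage = "example-registry/code-insight-scanner:latest"

// ScanJob is a hypothetical description of the work handed to a Fargate task.
type ScanJob struct {
	Repo  string // "owner/name" as reported by GitHub
	Ref   string // commit SHA to scan
	Image string // scanner Docker image
}

// Sign computes the value GitHub would place in X-Hub-Signature-256 for body.
// It is used here only to build test deliveries offline.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature checks the "sha256=<hex>" header against HMAC-SHA256(secret, body)
// using a constant-time comparison, so a forged or missing header is rejected.
func VerifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	want, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}

// pullRequestEvent maps only the fields of a GitHub pull_request payload we need.
type pullRequestEvent struct {
	Action      string `json:"action"`
	PullRequest struct {
		Head struct {
			SHA string `json:"sha"`
		} `json:"head"`
	} `json:"pull_request"`
	Repository struct {
		FullName string `json:"full_name"`
	} `json:"repository"`
}

// HandleWebhook authenticates one delivery (eventType is the X-GitHub-Event header)
// and returns a ScanJob when a scan should be dispatched, nil when the event is
// valid but needs no scan, or an error when the delivery must be rejected.
func HandleWebhook(secret []byte, eventType, signature string, body []byte) (*ScanJob, error) {
	if !VerifySignature(secret, body, signature) {
		return nil, errors.New("invalid webhook signature")
	}
	if eventType != "pull_request" {
		return nil, nil // authenticated, but not an event we scan on
	}
	var ev pullRequestEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	switch ev.Action {
	case "opened", "synchronize", "reopened":
		// these actions introduce new code, so a scan is warranted
	default:
		return nil, nil
	}
	if ev.Repository.FullName == "" || ev.PullRequest.Head.SHA == "" {
		return nil, errors.New("payload missing repository or head sha")
	}
	return &ScanJob{Repo: ev.Repository.FullName, Ref: ev.PullRequest.Head.SHA, Image: scannerImage}, nil
}

func main() {
	// Constructed sample delivery: a PR opened on an assumed repository.
	secret := []byte("constructed-webhook-secret")
	body := []byte(`{"action":"opened","pull_request":{"head":{"sha":"0123abcd"}},"repository":{"full_name":"example-org/example-repo"}}`)
	job, err := HandleWebhook(secret, "pull_request", Sign(secret, body), body)
	fmt.Printf("job=%+v err=%v\n", job, err)
}
```

The signature check runs over the raw request bytes before any JSON parsing, and `hmac.Equal` is used instead of `==` so the comparison does not leak timing information. In a Lambda behind API Gateway the same function would be called with the request body and the two headers; only a verified `pull_request` delivery results in a Fargate task being started.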
by Adelina Simion, Technology Evangelist