Hands-on workshop for code quality scanning with ESLint, Ruff, jscpd, Lizard, and coverage tools. Learn to integrate a 4-tool scanning architecture into your CI/CD pipelines and visualize results in GitHub Advanced Security, Azure DevOps Advanced Security, and Power BI.
- Click Code → Codespaces → New codespace on this repository.
- Wait for the dev container to build (~3 minutes).
- Open the terminal and start with Lab 00.
- Clone this repository:

  ```bash
  git clone https://github.com/devopsabcs-engineering/code-quality-scan-workshop.git
  cd code-quality-scan-workshop
  ```

- Clone the companion demo-app repository as a sibling:

  ```bash
  # Run from the directory that contains code-quality-scan-workshop so the two clones sit side by side
  git clone https://github.com/devopsabcs-engineering/code-quality-scan-demo-app.git
  ```

- Install prerequisites from Lab 00.
| # | Lab | Duration | Level |
|---|---|---|---|
| 00 | Prerequisites | 30 min | Beginner |
| 01 | Explore Demo Apps | 30 min | Beginner |
| 02 | Linting | 45 min | Intermediate |
| 03 | Complexity Analysis | 30 min | Intermediate |
| 04 | Duplication Detection | 30 min | Intermediate |
| 05 | Coverage Analysis | 45 min | Intermediate |
| 06 | GitHub Actions CI/CD | 30 min | Intermediate |
| 06-ADO | ADO Pipelines CI/CD | 30 min | Intermediate |
| 07 | Remediation (GitHub) | 45 min | Advanced |
| 07-ADO | Remediation (ADO) | 45 min | Advanced |
| 08 | Power BI Dashboard | 45 min | Advanced |
The workshop teaches a 4-tool architecture for comprehensive code quality scanning:
| Tool | Role | Output |
|---|---|---|
| Per-language linters (ESLint, Ruff, .NET Analyzers, Checkstyle, golangci-lint) | Static analysis | Native SARIF |
| jscpd | Code duplication detection | Native SARIF |
| Lizard | Cyclomatic complexity analysis | CSV → SARIF via lizard-to-sarif.py |
| Coverage tools (Jest, pytest-cov, Coverlet, JaCoCo, go test) | Test coverage measurement | Various → SARIF via coverage-to-sarif.py |
All results are normalized to SARIF v2.1.0 and uploaded to the GitHub Security tab or ADO Advanced Security for unified triage.
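To make the Lizard row of the table concrete, here is an added sketch of a CSV-to-SARIF conversion; it is not the workshop's `lizard-to-sarif.py`. The column order of `lizard --csv`, the threshold of 10, the rule id `complexity/high-ccn`, and the sample rows are all assumptions made for this example.

```python
import csv
import io
import json

# Assumed column order of `lizard --csv` rows (a header row may or may not be present).
COLUMNS = ["nloc", "ccn", "token", "param", "length", "location",
           "file", "function", "long_name", "start", "end"]
RULE_ID = "complexity/high-ccn"  # hypothetical rule id
CCN_THRESHOLD = 10               # assumed threshold, not taken from the workshop

# Constructed sample input, not real scan output.
SAMPLE_CSV = '''12,3,80,2,14,"add@5-18@./src/calc.py","./src/calc.py","add","add( a, b )",5,18
60,17,410,4,72,"parse_order@20-91@./src/orders.py","./src/orders.py","parse_order","parse_order( raw, cfg, now, log )",20,91
'''

def repo_relative(path):
    """Normalize a path to a repo-relative URI: forward slashes, no leading './'."""
    uri = path.replace("\\", "/")
    return uri[2:] if uri.startswith("./") else uri

def lizard_csv_to_sarif(csv_text, threshold=CCN_THRESHOLD):
    results = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0] == "NLOC":          # blank line or header row
            continue
        if len(row) != len(COLUMNS):             # fail loudly instead of emitting bad findings
            raise ValueError(f"unexpected column count in row: {row!r}")
        rec = dict(zip(COLUMNS, row))
        ccn = int(rec["ccn"])
        if ccn <= threshold:                     # only functions over the threshold are reported
            continue
        results.append({
            "ruleId": RULE_ID,
            "level": "warning",
            "message": {"text": f"{rec['function']}: cyclomatic complexity {ccn} exceeds {threshold}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": repo_relative(rec["file"])},
                "region": {"startLine": int(rec["start"]), "endLine": int(rec["end"])},
            }}],
        })
    driver = {"name": "lizard", "rules": [{"id": RULE_ID,
              "shortDescription": {"text": "Function exceeds cyclomatic complexity threshold"}}]}
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json", "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "results": results}]}

if __name__ == "__main__":
    print(json.dumps(lizard_csv_to_sarif(SAMPLE_CSV), indent=2))
```

Each over-threshold function becomes one SARIF result with a file and line range, which is what lets a code scanning view annotate the finding in place.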
This workshop uses the code-quality-scan-demo-app repository, which contains:
- 5 demo applications (TypeScript, Python, C#, Java, Go) with intentional quality violations
- SARIF converter scripts for Lizard and coverage tools
- CI/CD pipelines for GitHub Actions and Azure DevOps
- Power BI PBIP report for quality dashboards
- Node.js 20+ · Python 3.12+ · .NET 8 SDK · Java 21+ · Go 1.22+
- Docker Desktop (or Codespaces with Docker-in-Docker)
- Visual Studio Code with ESLint, Python, C#, and Go extensions
- GitHub CLI (`gh`) authenticated
See CONTRIBUTING.md for guidelines on adding labs, screenshots, and fixes.
This project is licensed under the MIT License — see LICENSE for details.