The cloud-based GitLab CI/CD platform allows development teams to streamline their Continuous integration (CI) and Continuous Delivery (CD) pipelines and accelerate their Software Development Lifecycle (SDLC).
Adding strict, compliance-based static analysis — as provided by Helix QAC — as new stages to existing GitLab CI/CD pipelines will enhance the SDLC still further, and move your DevOps workflows from Continuous Integration to Continuous Compliance.
Read along or jump ahead to the section that interests you most:
➡️ start your free Helix QAC trial
Back to top
Why GitLab Users Should Use Helix QAC in the CI/CD Pipeline
GitLab is an AI-powered DevSecOps platform that provides a Git-repository manager for wiki, issue-tracking, and CI/CD pipeline features. It was developed by GitLab, Inc., and released in 2011.
GitLab CI/CD — the component relating to CI/CD pipeline definitions and workflows — is used by software development teams globally for many different software projects, but increasingly also from a variety of embedded industries, including aerospace and defense, automotive, medical device, and industrial automation.
GitLab CI/CD is popular among developers because it unites developers' workflows, shortens cycle time, reduces engineering risk, helps to ensure more secure applications, and bridges silos and stages. So it makes sense that many development teams also now wish to add static analysis tools like Helix QAC to complement GitLab and add automated, deep, inter-procedural analysis for standards compliance to their CI pipelines.
Back to topHow Helix QAC Complements GitLab
Helix QAC is a static code analyzer that enforces strict and accurate compliance with coding standards for tightly-regulated and safety-critical industries.
Embedded software development teams who use GitLab CI/CD to streamline workflows and shorten DevOps cycle times can benefit from combining GitLab with Helix QAC. Used together, Helix QAC helps teams shift to the left of the linear development timeline by identifying errors, code quality issues, compliance failures and standards deviations early in the development process while changes can still be easily made.
Unlike many static analysis engines, the Helix QAC deep and highly accurate analysis engine also returns little or no false positive and false negative results, so developers don't waste time investigating false alarms, and can trust the results to keep their code safe, secure, and easier to maintain from the start.
Improving on the existing Delta Analysis functionality, recent release updates to Helix QAC feature full CI/CD integration with the Perforce Validate platform via CI-builds. Support for CI-builds extends to analysis jobs running in cloud-based CI pipelines, containerized build tasks and integration into different CI/CD platforms — like GitLab — via the built-in Web API.
Back to topUsing GitLab With Helix QAC
Using CI platforms like GitLab with Helix QAC gives developers a centralized and standardized base from which to work. They help to automate CI with scripting and command-line tools.
There are many ways to integrate Helix QAC's static analysis tools with a continuous integration system such as GitLab (or similar environment), as Helix QAC provides a command-line interface (CLI) and flexible tooling to fit most workflows and any variety of configurations.
For example, Helix QAC can be integrated into a DevOps workflow as part of automatic testing on the merge requests. This means that when a developer considers his feature complete and ready to merge, GitLab will run the analysis and provide feedback if it finds issues or not, without any additional input. This allows the developer to enforce a quality gate, forcing a review if Helix QAC does find new issues that would be added by the feature branch, or on the contrary confirming that the feature branch does not introduce any new issues to the master branch — thereby streamlining the whole merge request process.
Helix QAC's CI and flexible analysis features help teams manage results and identify potential defects introduced by new changes relative to the last full analysis. What's more, developers can communicate about errors or changes faster, without waiting for nightly builds, and access results and other data via the Validate platform across the organization.
These Helix QAC capabilities automate testing in your GitLab pipeline, building in quality gates for multiple and concurrent pipelines to ensure code quality, security, and compliance with coding standards.
Back to topHow the GitLab and Helix QAC Integration Works
To see a demonstration of the GitLab and Helix QAC integration, watch the following video:
Demo video showing the GitLab Helix QAC CI-Builds Integration with Validate.
The demo example shows the process of a developer opening a merge request, starting a CI pipeline containing a Helix QAC analysis configured to perform a delta analysis between the branch being merged and the project it's being merged to. In this case, new issues are being added and thus GitLab fails the pipeline, and a link is provided to review the issues in Validate by the developer or a reviewer.
When developing a project, your CI pipelines can run automatic and systematic Helix QAC analysis at key steps, such as merge requests, or when the master branch is updated.
A regular Helix QAC analysis on the master branch is important, to make sure that the baseline to which other branches will compare is always up to date. The master branch is supposed to always have changes approved through merge requests, so there shouldn't be a failure state if new issues are added.
Example pipeline:
qac integration analysis:
stage: test
only:
-master
script:
-make clean
-rm -rf
pqra
pqraproject.xml
-$HELIX_QACLI_PATH validate config -c -P . -U $VALIDATE_URL -b
$VALIDATE_PROJECT
-$HELIX_QACLI_PATH sync -P . -t INJECT -g --make
-$HELIX_QACLI_PATH validate build -P .The qacli validate config command ensures that the analysis configuration is exactly the one in Validate, allowing proper enforcement of a project's standard and requirements at all steps of the development cycle.
The qacli sync command ensures that all project files are analyzed, in case some files are added or removed between commits.
The qacli validate build command runs the analysis as configured and uploads the results to Validate as a new build.
When running a pipeline for a merge request, the feedback when adding new issues is critical, and thus the pipeline is different:
qac_MR
stage: test
only:
-merge_requests
script:
-make clean
-rm -rf
pqra
pqraproject.xml
-$HELIX_QACLI_PATH validate config -c -P . -U $VALIDATE_URL -b
$VALIDATE_PROJECT
-$HELIX_QACLI_PATH sync -P . -t INJECT -g -- make
-$HELIX_QACLI_PATH validate cibuild -P . -b
$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME-$CI_JOB_ID | tee file.txt
after_script:
- >
if[$CI_JOB_STATUS == 'success']; then
echo "no issued found !"
else
grep http://file.txt> out.txt
glab mr note $CI_MERGE_REQUEST_IID --unique --message $(cat out.txt)
fiThe script is very similar to the one for the master branch but differs in the sense that the command qacli validate cibuild is now used. This new command analyzes the project, but more importantly checks through a delta analysis if you are adding new issues compared to the master branch. The results are then uploaded to Validate as a specific ci-build, and if new issues are found, the job fails. The after_script is used to automatically add a note to the merge request with a link to the ci-build results in the Validate web interface.
The ci-build is the flagship feature of the 2024.2 release of Helix QAC, as it builds on the already existing delta analysis to streamline the reporting of issues in the following ways:
- Provides immediate feedback if new issues are being added, allowing to simply fail a pipeline in that case.
- Allows you to review issues in the Validate web interface directly, avoiding any back-and-forth of needing to re-run the analysis locally to check on any new issues.
- Issues marked as deviations (such as ignore status) can pass the default quality gate, allowing said issues, and thus the pipeline, to continue successfully.
In this demo, the ci-builds command shows that all issues raised during a merge request need to be either fixed or deviated properly to pass the CI check. This guarantees that the master branch has all issues accepted, known, and documented.
In the web message browser, you're able to see all of the issues and determine exactly what happened. Just like for any other issue in Validate, you can assign it an owner, give it a status, and enter a comment. In this case, you should put in a status to fix it or ask the developer who entered the merge request to fix this code.
In the case that the merge request passes, or after the developer has fixed the code, you'll see fewer and fewer issues, or the issues you have left can be ignored.
Going further, while this demo example shows a basic pipeline, this can be expanded with many more functionalities. For example, Validate has an API that can be used to enhance the integration in various ways, such as:
- Making the comment appearing in the merge request have more information on how many issues are introduced, with which level of severity.
- Applying known systematic deviations and suppressions automatically when new issues are discovered.
- Using a custom quality gate to identify whether the job should succeed or not, instead of relying on the default ci-build return code.
The flexibility of the CI build features in Helix QAC empowers developers to customize the pipeline according to your requirements.
Back to topGet Started With GitLab and Helix QAC
Helix QAC is the ideal static analysis tool to add strict coding standards and functional safety compliance to your CI/CD pipelines running with GitLab CI/CD. The Helix QAC CI/CD integration automates analysis and ensures that development teams have safe and secure code, consistent style, and an easier-to-maintain codebase.
Start optimizing your DevOps compliance process with GitLab and Helix QAC today. Register for a free trial.