Quality assurance

GlobaLeaks stands alone among whistleblowing software by maintaining rigorous software quality standards through a comprehensive Quality Assurance (QA) process, ensuring the platform remains unmatched in robustness, security, and overall quality.

Metric                    Score (badge)
OpenSSF Best Practices    ossf-best-practices
OpenSSF Scorecard         ossf-scorecard
Build Status              build-stable
Tests Status              tests-stable
Tests Coverage            coverage-stable
Code Quality              quality-stable
Documentation             docs-stable
MDN HTTP Observatory      mdn-http-observatory
Security Headers          security-headers
SSLLabs                   ssllabs-status

Project Best Practices

The best practices adopted within the project are publicly documented and peer-reviewed using the methodology defined by the Core Infrastructure Initiative (CII) Best Practices project. In addition, the project adopts the OpenSSF Scorecard, which evaluates security practices such as vulnerability management, dependency updates, and code quality, ensuring the project meets industry standards.

For more details on the best practices adopted in this project, you can visit the project pages for the CII Best Practices and the OpenSSF Scorecard.

Code Review Process

To ensure high code quality and maintain the integrity of the project, GlobaLeaks enforces mandatory code reviews for all contributions. Code reviews play a key role in maintaining consistency, identifying potential issues early, and promoting best practices. Every submitted pull request undergoes peer review by the GlobaLeaks maintainers and community, where the code is scrutinized for clarity, adherence to project guidelines, potential security vulnerabilities, and performance optimizations. Reviewers provide feedback and suggestions, and the author of the PR is responsible for addressing any concerns raised. Once feedback is incorporated, the code is re-reviewed by the maintainers and, upon approval, the PR is merged into the main codebase. This collaborative process helps catch issues before they are deployed, ensuring that only high-quality, well-tested code is integrated into the project.

For more details on this matter, see the CONTRIBUTING guidelines.

Automated Testing and Code Coverage

The development methodology incorporates a comprehensive suite of automated tests, including unit, integration, and end-to-end tests, to ensure the highest standards of correctness and prevent regressions. A strict requirement of at least 90% code coverage is enforced, ensuring that the vast majority of the codebase is thoroughly tested. Test execution is fully automated through Continuous Integration (CI), promptly identifying any untested or faulty code and preventing it from being merged into the main codebase.

For more details on test coverage, you can view the Test Coverage on Codacy and Test Status on GitHub.

Code Quality Assurance

Code quality is maintained through a combination of static code analysis, automated linters, and mandatory code reviews. Static analysis tools identify potential vulnerabilities, performance bottlenecks, and violations of best practices, while linters ensure code consistency and readability. Code reviews are required for all pull requests, helping maintain high standards and reducing the chance of introducing errors.

For more details on code quality, refer to the Code Quality Dashboard on Codacy.

Continuous Integration and Deployment

Every commit and pull request is automatically tested using CI/CD pipelines, ensuring that faulty or untested code is not merged. Security scans and dependency checks are also automated as part of the CI process, helping identify potential security vulnerabilities or issues with third-party libraries. Before deployment, releases undergo pre-production testing to ensure stability.

You can view the Build Status on GitHub.

Performance and Security Testing

The project undergoes load and stress testing to simulate real-world usage scenarios and ensure it can handle high traffic. Security best practices are enforced through regular security audits and penetration testing, identifying vulnerabilities before they can be exploited. This ensures the system is both performant and secure.

For further information, check the evaluations by Security Headers (by Probely), MDN HTTP Observatory and Qualys SSL Labs.