Securing and delivering high-quality code with innersource metrics
With innersource, it’s important to measure both the amount of innersource activity and the quality of the code being created. Here’s how.
Innersource creates high quality user experiences and productive developers
The open source software community has organically developed techniques that ensure the code all of us rely on is high quality, reusable, and secure even though it is worked on by people all across the world.
When an organization, such as a company or an agency, employs similar methods within its own engineering department, it is known as innersource. Common innersource techniques include creating software templates and reusable components through collaboration across different development teams. These templates are then used across all the projects and services within a company to provide a consistent user experience and increase developer productivity by up to 87%.
As you develop an innersource practice within your organization it is important to measure both the amount of innersource activity and the quality of the code that is being created. Below we will focus on how to ensure the code you are using across your products and services is high quality and secure.
Secure your most used code
With the help of the GitHub Professional Services Team, a major government agency created a portal their developers could use to discover existing reusable software based on an open source SAP project. Once developers were able to easily discover relevant repositories they quickly began incorporating them into all of their current work. This meant that any problems in the original repositories would affect many different products and services, so ensuring that the original code was bug- and vulnerability-free had an outsized effect on the overall quality of the code base.
As secure code was the agency’s top priority, we built metrics into the discovery portal to provide visibility into the security status of their most innersourced repositories. These metrics are automatically updated daily, and allow the agency to prioritize their security efforts by keeping the most used repositories secure.
These metrics, along with the insights gathered from enabling GitHub Advanced Security secret scanning and code scanning on all 400+ of their innersource repositories, drove a 50% reduction in vulnerabilities. This means all the products and services dependent on these innersource repositories are more secure.
How to collect and secure your innersource
The government agency was able to develop, secure, and share reusable code internally, which significantly accelerated and secured its software development. Here are four simple steps your organization can take to accelerate development through innersource adoption:
- Identifying reusable software across the teams in your enterprise.
- Collecting and making those repositories discoverable.
- Tracking metrics related to the security and quality of these critical repositories.
- Taking targeted actions to improve those metrics and celebrate the results!
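One way to turn steps three and four into a daily metric, as an added example that is not the agency's portal or any GitHub code: rank repositories by reuse multiplied by open security findings, so the most widely used repositories with unresolved alerts are handled first. The alert dictionaries are constructed sample data that only mirror the `state` and `rule.security_severity_level` fields of GitHub's scanning alert responses; the severity weights, dependent counts and repository names are assumptions.

```python
# Added example, not from the post or from GitHub Professional Services: ranks innersource
# repositories so the most reused ones with open security findings are handled first.
from dataclasses import dataclass, field

# Severity levels mirror GitHub code scanning's security_severity_level values;
# the numeric weights are an assumption.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
SECRET_WEIGHT = 10  # an exposed credential is treated like a critical finding (assumption)

@dataclass
class RepoStatus:
    name: str
    dependents: int                      # how many products/services reuse this repo
    code_alerts: list = field(default_factory=list)
    secret_alerts: list = field(default_factory=list)

def open_risk(repo: RepoStatus) -> int:
    """Sum severity weights of alerts that are still open (dismissed/fixed/resolved are ignored)."""
    score = 0
    for alert in repo.code_alerts:
        if alert.get("state") == "open":
            level = (alert.get("rule") or {}).get("security_severity_level") or "low"
            score += SEVERITY_WEIGHT.get(level, 1)
    score += SECRET_WEIGHT * sum(1 for a in repo.secret_alerts if a.get("state") == "open")
    return score

def prioritize(repos: list[RepoStatus]) -> list[tuple[str, int, int]]:
    """Return (name, priority, open_risk) sorted by priority = dependents * open_risk, descending.
    A repo with no open findings gets priority 0 no matter how widely it is reused."""
    ranked = [(r.name, r.dependents * open_risk(r), open_risk(r)) for r in repos]
    return sorted(ranked, key=lambda t: (-t[1], -t[2], t[0]))

# Constructed sample data, shaped like GitHub code scanning / secret scanning alert objects.
SAMPLE_REPOS = [
    RepoStatus("ui-template", dependents=120,
               code_alerts=[{"state": "open", "rule": {"security_severity_level": "medium"}},
                            {"state": "fixed", "rule": {"security_severity_level": "critical"}}]),
    RepoStatus("auth-client", dependents=40,
               code_alerts=[{"state": "open", "rule": {"security_severity_level": "high"}}],
               secret_alerts=[{"state": "open", "secret_type": "placeholder_token"}]),
    RepoStatus("logging-lib", dependents=300,
               code_alerts=[{"state": "dismissed", "rule": {"security_severity_level": "low"}}]),
]

if __name__ == "__main__":
    for name, priority, risk in prioritize(SAMPLE_REPOS):
        print(f"{name:12} priority={priority:5} open_risk={risk}")
```

Run daily against the real alert lists pulled from the scanning APIs, the top of this ranking is the list of repositories whose fixes remove the most risk from dependent products.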
Learn more about how organizations are accelerating development and creating top company cultures.
If you need support or further guidance, let us know at https://services.github.com/#contact. We’d be happy to use our experience to help accelerate and secure your software development!