Building a software development project is a bit like a game of Jenga.
All the pieces form one tower. Usually it can be tweaked and worked on with no consequences. But if it has even one weak spot, a wrong move ruins all the hard work.
Okay, so it’s not a perfect analogy. A software program requires much more work than a pile of wooden blocks and we don’t necessarily strip it of its parts, but rather add the next ones.
However, the “poke one and all will fall” metaphor still stands. If your project has any weak points, they might doom the entire construction.
It doesn’t matter how well written the rest of your code is if one library you depend on is outdated and carries a known vulnerability. And the more sensitive the data your product handles, the more careful you have to be.
A code audit is vital to ensure your product is of good quality, secure, and ready to launch.
In this article, you will find a detailed guide on what a code audit is, why you need it and how to perform it, step by step. As a Python-centered software house, we decided to focus on how to run an audit of Python-based code. However, you will find some of the tips and guidelines relevant regardless of your technology choice.
We will also provide you with a checklist and a sample report from an audit so that you can see what a well-prepared, comprehensive auditing process looks like. The exemplary audit is over 20 pages long and will serve as a fantastic point of reference for your future work! Download the checklist and sample report here!
With our guide, you will be able to run a Python code audit yourself, and learn what you should expect from one. Read on!
“Code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions,” according to Wikipedia. I know that quoting Wikipedia in an article is like quoting Merriam-Webster during a wedding speech—but this time they got it so right that they deserve credit!
The intention of every code audit is ensuring that a given program is:
Skip any of these, and you’re sacrificing the quality and security of your code, which may—and most probably will—have disastrous consequences. Poor documentation and tech debt might slow down or even halt your project; bugs and security breaches might cost you clients, reputation, and good user ratings. And that’s just the start.
With a code audit, you’ll know where your code stands on security, correctness and readiness for handover, and you’ll have a written list of what to fix before it ships.
After reading the section above, you might think: okay, but everything you’ve just described can be achieved with the help of a code review, and we run these regularly!
It’s true that the terms might sometimes be used interchangeably, but there are a few subtle differences between them.
Code review is contained within one team: the developers review each other's code, and each review covers only one specific change.
A code audit, on the other hand, always concerns the whole project and is performed by a person outside of the team—be it other developers, or even an outside company.
While code reviews are useful and necessary, performing a code audit every once in a while makes a tremendous difference. Let me use another metaphor here: reviews are like checking different parts of your car for potential malfunctions. Of course, it’s necessary to see if the headlights operate correctly, if both wipers are fine, and if your brakes do their job… But unless you start the car, take a drive, and assess how everything works together, you won’t know how good the whole machine actually is.
As the unwritten rule goes, the more people see your code, the better. And the more you fix, the more faultlessly the project will perform in the long run.
For a limited time, we can run a free code audit for you. Our senior developers will help find any potential issues, make recommendations on how to fix them, and advise you on how to improve the quality and maintainability of your code.
The offer is limited, so the code audit is offered on a “first come, first served” basis.
Head over here to schedule your free code audit from STX Next.
You might find yourself in need of a code audit at many different stages of development and in many different situations:
A code audit serves many different purposes. They all depend on where you stand.
From a developer’s point of view, you get the following advantages:
An audit will help you avoid technical debt. Trust me, “that’s a problem for future me” is not a good approach when it comes to software development.
As a team leader, you’ll find that:
And from a strictly business perspective, you get the following advantages:
An up-to-date, fresh and technologically relevant project is more attractive to developers. High-quality code attracts high-quality talent!
Audited code helps simplify and streamline the development process, which in turn means work can progress faster with fewer blockers.
In this section, we will introduce a step-by-step process of how to run a Python code audit.
Each subsection details the crucial elements of the code audit. It will give you an idea of how to structure the document.
We also included tips on how to ensure you follow the best possible practices from the very beginning. You can apply them even before the audit!
To see what the end result should look like, consult our example provided in this free PDF. It’s over 20 pages long and based on a real-life code audit we performed.
Let’s get started!
In the beginning, it’s important to check for a version control system that tracks changes to the source (Git, for example). Verify that it’s well-maintained: a readable history, no sprawl of abandoned branches, and a clear convention for how changes get in.
Tip: Consider working according to the Gitflow Workflow, which “dictates what kind of branches to set up and how to merge them together.” Use consistent branch names. If your product is particularly large, use Git tags for releases; it makes managing a larger project much easier.
The point of this section is to verify if the tech stack is the optimal choice for the project and if it’s internally compatible.
When you start verifying the technology choices, the first step should be to check that every runtime and library the project depends on is on a version that is still supported (an LTS release where one exists) and up to date. Versions that aren’t pinned count against the project too: without a lock file you can’t even say which version is actually running.
Then, it’s time to judge if all the components are well-tested and if they fit each other.
What does it mean in practice? For example, Django apps go together with Postgres much more often than with other database engines, like MySQL. While the less popular choices are not necessarily technologically weaker, opting for them will drastically reduce your opportunities to find help with any potential problems.
Such aspects are important to be taken into account in order to assess the sustainability of the project.
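To make the version check concrete, here is an added example (not part of the original article or of STX Next’s audit tooling) that parses a requirements.txt and reports which packages are unpinned and which are pinned below a supported floor. The requirements text and the minimum-version table are constructed for illustration; in a real audit you would take the floors from the maintainers’ support schedules and additionally run a vulnerability scanner such as pip-audit against the lock file.

```python
"""Audit a requirements file for unpinned and out-of-date dependencies.

Constructed example, not from the original article or STX Next's tooling:
the requirements text and the MINIMUM_SUPPORTED table are made up for
illustration and are not a real advisory database.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: a requirements.txt as it might be found in the audited repo.
SAMPLE_REQUIREMENTS = """\
# web
Django==2.2.28
djangorestframework>=3.10
psycopg2-binary==2.9.9
requests
celery[redis]==5.3.6
-r dev-requirements.txt
"""

# Constructed lower bounds: the oldest version still receiving security fixes.
MINIMUM_SUPPORTED: Dict[str, str] = {
    "django": "4.2",
    "djangorestframework": "3.14",
    "psycopg2-binary": "2.9",
    "celery": "5.3",
}

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # package name
    r"(?:\[[^\]]*\])?"                           # optional extras, e.g. [redis]
    r"\s*(?:(?P<op>==|>=|~=|<=|>|<|!=)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)


def _version_key(ver: str) -> Tuple[int, ...]:
    """Turn '2.2.28' into (2, 2, 28) for comparison; non-numeric suffixes are dropped."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (name, operator, version) triples; comments, blanks and option lines are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if m:
            out.append((m.group("name").lower(), m.group("op"), m.group("ver")))
    return out


def audit_requirements(text: str, minimums: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each requirement as 'unpinned', 'outdated' or 'ok'."""
    findings: Dict[str, List[str]] = {"unpinned": [], "outdated": [], "ok": []}
    for name, op, ver in parse_requirements(text):
        if op != "==":
            # A range or a bare name means the build is not reproducible: a
            # future `pip install` may silently pull a different version.
            findings["unpinned"].append(name)
            continue
        floor = minimums.get(name)
        if floor and _version_key(ver) < _version_key(floor):
            findings["outdated"].append(f"{name}=={ver} (minimum supported {floor})")
        else:
            findings["ok"].append(f"{name}=={ver}")
    return findings


if __name__ == "__main__":
    for category, items in audit_requirements(SAMPLE_REQUIREMENTS, MINIMUM_SUPPORTED).items():
        print(f"{category}: {items}")
```

Run against the sample, the script reports Django as outdated, djangorestframework and requests as unpinned, and the rest as fine; the same three buckets are what the tech-stack section of the audit report should list, with a recommended target version for each outdated entry.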
It’s always worth checking which services are used to support the application. Pay attention to the application server and reverse proxy (uWSGI, Gunicorn, nginx) and to the hosting method (cloud or on-premises).
Tip: There is no clear answer which methods are right—each hosting type has its advantages and disadvantages. Everything depends on the type of project you’re working with.
However, I sincerely recommend cloud hosting. It saves money (no hardware to buy, less maintenance) and gives the app much higher availability; most major cloud providers advertise 99.99% or better. Bear in mind that a provider’s SLA covers its platform, not your configuration of it, so an audit of a cloud-hosted project should also look at how the resources are set up: who has access, which ports are exposed, and whether the credentials for the provider itself are handled as carefully as the application’s own.
The next step is to verify whether the project contains the files that define its runtime environment, such as a Dockerfile and docker-compose.yml.
Tip: I highly recommend Docker. Running development in a container that matches production eliminates a whole class of “works on my machine” bugs before they reach production. During the audit, look inside the Dockerfile as well: the base image should be pinned to a specific tag, the application should not run as root, and no secrets should be baked into image layers.
Then, it’s time to check whether the README file contains all the necessary elements:
While revising your project catalog, you should check if it includes files responsible for continuous integration and deployment (CI/CD).
Tip: Well-constructed CI/CD pipelines benefit a project in two ways: they build the software the same way every time, and they run the test suite and other checks (linting, dependency and security scanning) on every change, so a problem is caught before it reaches production.
Check the project configuration and verify that it contains no hard-coded credentials: passwords, API keys, tokens or private keys that anyone with read access to the repository could find. Removing a secret from the current files is not enough if it was ever committed; it stays in the history (git log -p -S "<the secret>" will find it) and must be rotated.
Tip: Keep every login and password the application needs out of the source tree: in environment variables on the machine that runs it or in the CI/CD tool’s secret store, with a git-ignored .env file for local development. Environment variables are a big improvement over source code, but they still show up in crash dumps, debug pages and child processes, so for production prefer a dedicated secrets manager where the platform offers one.
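As an added example (not code from the article or from STX Next), here is a small scanner for the kind of hard-coded credential this check is about. The sample settings file, the name patterns, the known-format list and the entropy threshold are all constructed; real scanners such as gitleaks and trufflehog use the same three ideas (credential-looking names, known token formats, high-entropy strings) with far larger rule sets. Point it at settings.py, .env, docker-compose.yml and CI configuration, not only at Python files.

```python
"""Scan configuration text for hard-coded credentials.

Constructed example, not from the original article or any STX Next tool:
SAMPLE_SETTINGS, the name patterns, KNOWN_FORMATS and HIGH_ENTROPY are
made up for illustration.
"""
import math
import re
from typing import List, Tuple

# Constructed Django-style settings: a leaked key, a leaked DB password,
# a random-looking literal, and three correct uses of the environment.
SAMPLE_SETTINGS = '''\
import os
SECRET_KEY = "django-insecure-7f3k2m9x1q8w5e6r4t0y"
DATABASES = {"default": {"PASSWORD": "s3cr3t-db-pass", "USER": "app"}}
SIGNING_SALT = "A1b2C3d4E5f6G7h8I9j0K!l@M#n$O%p^"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
API_TOKEN = os.environ.get("API_TOKEN", "")
DB_PASSWORD = "${DB_PASSWORD}"
'''

# Rule 1: a string literal assigned (= or :) to a credential-looking name.
SECRET_NAME = re.compile(
    r"""(?P<name>[A-Za-z_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY)[A-Za-z_]*)"""
    r"""['"]?\s*[:=]\s*['"](?P<value>[^'"]{4,})['"]""",
    re.IGNORECASE,
)
# Values that are templates or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r"\$\{?\w+\}?|<[^>]+>|x+|changeme|change_me|todo", re.IGNORECASE)
# Rule 2: well-known credential formats worth flagging on sight (constructed list).
KNOWN_FORMATS = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Rule 3: any long quoted literal that looks random, whatever it is called.
QUOTED = re.compile(r"""['"]([^'"]{20,})['"]""")
HIGH_ENTROPY = 4.0  # bits per character; English text sits around 3


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and paths score low."""
    if not s:
        return 0.0
    freq = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in freq.values())


def scan_text(text: str, path: str = "<memory>") -> List[Tuple[str, int, str]]:
    """Return (path, line_number, description) for each suspected hard-coded secret."""
    findings: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in KNOWN_FORMATS:
            if pattern.search(line):
                findings.append((path, lineno, label))
        m = SECRET_NAME.search(line)
        if m:
            # os.environ[...] is not a literal, so it never reaches this branch;
            # a template such as "${DB_PASSWORD}" is a literal but not a secret.
            if not PLACEHOLDER.fullmatch(m.group("value")):
                findings.append((path, lineno, f"literal assigned to {m.group('name')}"))
            continue
        for literal in QUOTED.findall(line):
            entropy = shannon_entropy(literal)
            if entropy >= HIGH_ENTROPY:
                findings.append((path, lineno, f"high-entropy literal ({entropy:.1f} bits/char)"))
                break
    return findings


if __name__ == "__main__":
    for path, lineno, what in scan_text(SAMPLE_SETTINGS, "settings.py"):
        print(f"{path}:{lineno}: {what}")
```

On the sample it flags lines 2, 3 and 4 and stays quiet about the three environment lookups and the placeholder. A finding of this kind belongs in the audit report together with the instruction to rotate the credential, not just to delete the line.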
Check if there’s an error-tracking system in place. One of the most popular ones is Sentry. While you’re there, check what it is allowed to capture: error reports that include request bodies, cookies or user identifiers are themselves sensitive data leaving your infrastructure, and the SDK should be configured to scrub them.
This section will look differently depending on the programming language and the packages/libs you use.
With Python, you need to check carefully whether the code is compliant with the PEP 8 style guide and the PEP 257 docstring conventions.
The good news is, you don’t have to do it all manually. There are tools that might help you along the way.
Even though the tools can greatly automate and speed up your work, it’s still worth analyzing the code manually in order to find any potential:
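Whether the first pass is done by a tool or by hand, these are the patterns an auditor of Python code looks for. The following is an added example (not from the article or from STX Next’s audit process) of such a pass written against the standard-library ast module; the sample module it scans is constructed. Bandit does the same far more thoroughly, and every hit still needs a human to decide whether the input reaching the call is attacker-controlled.

```python
"""Find security-relevant call patterns in Python source with the ast module.

Constructed example, not from the original article or any STX Next tool;
SAMPLE_SOURCE and the rule set are made up for illustration.
"""
import ast
from typing import List, Tuple

# Constructed module with one instance of each pattern plus a safe counterpart.
SAMPLE_SOURCE = '''\
import os, pickle, subprocess, yaml
from django.db import connection

def run(cmd):
    subprocess.run(cmd, shell=True)          # shell=True with caller-supplied cmd

def load(blob):
    return pickle.loads(blob)                # code execution on untrusted data

def parse(text):
    return yaml.load(text)                   # no Loader: unsafe on old PyYAML, TypeError on 6.x

def lookup(user_id):
    with connection.cursor() as cur:
        cur.execute("SELECT * FROM users WHERE id = %s" % user_id)   # string-formatted SQL

def calc(expr):
    return eval(expr)

def safe_parse(text):
    return yaml.safe_load(text)
'''


def _dotted(node: ast.AST) -> str:
    """'pickle.loads' for attribute chains, 'eval' for bare names, '' otherwise."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def _kw_is_true(call: ast.Call, name: str) -> bool:
    return any(k.arg == name and isinstance(k.value, ast.Constant) and k.value.value is True
               for k in call.keywords)


def _is_formatted(node: ast.AST) -> bool:
    """True for f-strings, '%'/'+' string building and str.format() calls."""
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)))
            or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"))


class DangerFinder(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Tuple[int, str]] = []

    def visit_Call(self, node: ast.Call) -> None:
        name = _dotted(node.func)
        if name in {"eval", "exec"}:
            self.findings.append((node.lineno, f"{name}(): dynamic code execution"))
        elif name in {"pickle.load", "pickle.loads", "marshal.loads"}:
            self.findings.append((node.lineno, f"{name}(): deserialization runs arbitrary code on untrusted input"))
        elif name == "yaml.load" and len(node.args) < 2 and not any(k.arg == "Loader" for k in node.keywords):
            self.findings.append((node.lineno, "yaml.load() without Loader: use yaml.safe_load()"))
        elif name in {"os.system", "os.popen"} or (name.startswith("subprocess.") and _kw_is_true(node, "shell")):
            self.findings.append((node.lineno, f"{name}(): command passes through a shell"))
        elif name.endswith(".execute") and node.args and _is_formatted(node.args[0]):
            self.findings.append((node.lineno, "execute(): SQL built by string formatting, use parameters"))
        self.generic_visit(node)  # keep descending: calls nest inside calls


def find_dangerous_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) pairs for every suspicious call, in line order."""
    finder = DangerFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


if __name__ == "__main__":
    for lineno, message in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {message}")
```

The visitor reports lines 5, 8, 11, 15 and 18 of the sample and nothing for yaml.safe_load. Each of these is a place where the manual part of the audit starts: trace where cmd, blob, text, user_id and expr come from, and write the finding up with the data flow, not just the line number.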
Code audits can help improve your code and get rid of any existing issues.
But if upon running the code audit the list of things to improve feels too long, try getting familiar with a few good practices. While not all of them may be applied in every single team, here are a few that are worth taking into consideration:
We hope our guide on how to run a code audit will help you perform one on your own, or assess what a good audit document should look like.
If you want to get to work, we recommend you download our PDF—it consists of a checklist and a real-life audit example for reference.
For a limited time, we’re once again offering free code audits! If you want to get your code professionally audited for zero money, click here to schedule your Python audit.
And if you want to find out more about how to improve the quality of your code, why not check out the following resources:
Is there anything else we can do for you? Just drop us a line and we’ll get back to you in no time!