Mar 8 · 3 min read · When managing a Drupal distribution for a massive intergovernmental corporation with developers working across three continents, "code review" cannot be the first line of defense against poor syntax. By the time a senior architect is reviewing a Pull...
Mar 8 · 3 min read · Modernizing a legacy PHP application presents a paradox: you critically need strict static analysis to prevent future bugs, but turning on a tool like PHPStan immediately throws 5,000 errors, completely breaking the CI pipeline. During a recent stabi...
Mar 4 · 5 min read · Most linters catch style problems. Semgrep catches real bugs: SQL injection, hardcoded secrets, insecure deserialization, SSRF vulnerabilities, and misuse of cryptographic APIs. It works on source code using pattern matching that understands syntax —...
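The teaser above distinguishes syntax-aware matching from text matching. As an added illustration (this is not Semgrep's code, and the rule logic is much simpler than a real Semgrep rule), the block below walks Python's own parse tree and flags `.execute()` / `.executemany()` calls whose first argument is assembled at runtime, the classic SQL-injection shape. The function names, the `Finding` type and the sample source are constructed for this example; a plain regex could not reliably tell `execute("... ?", params)` from `execute(f"... {x}")` once arguments wrap lines or nest, but the AST can.

```python
# Added example (not Semgrep's own code): a minimal syntax-aware check in the
# spirit of the teaser above. It matches on the parse tree rather than on raw
# text, and flags .execute()/.executemany() calls whose query argument is
# built at runtime (f-string, %-format, str.format, or "+" concatenation).
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str


def _dynamic_string_kind(node: ast.AST) -> Optional[str]:
    """Return how a string expression is being assembled, or None if it is static."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if (isinstance(node.op, ast.Mod) and isinstance(node.left, ast.Constant)
                and isinstance(node.left.value, str)):
            return "percent-format"
        if isinstance(node.op, ast.Add):
            return "concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_sql_string_building(source: str) -> List[Finding]:
    """Flag cursor.execute*(...) calls whose query text is assembled at runtime.

    This is a local, syntactic check: it does not follow a query that was built
    elsewhere and passed in as a bare name (that needs dataflow/taint tracking).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in {"execute", "executemany"} or not node.args:
            continue
        kind = _dynamic_string_kind(node.args[0])
        if kind is not None:
            findings.append(Finding(node.lineno, kind))
    return sorted(findings, key=lambda f: f.line)


# Constructed input for the check (not taken from any real project).
SAMPLE_SOURCE = """\
import sqlite3
def lookup(conn, user_id, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE id = ?", (user_id,))       # parameterised: fine
    cur.execute(f"SELECT * FROM users WHERE id = {user_id}")           # f-string
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)        # %-format
    cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))  # str.format
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")     # concatenation
    query = "SELECT 1"
    cur.execute(query)   # bare name: not followed by this syntactic check
"""

if __name__ == "__main__":
    for f in find_sql_string_building(SAMPLE_SOURCE):
        print(f"line {f.line}: query built with {f.kind}")
```

The last call in the sample is deliberately left unflagged: it is where a purely syntactic rule stops and a taint-tracking engine (the "understands syntax" plus dataflow that the tools in these posts offer) has to take over.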
Mar 3 · 8 min read · Static Analysis Beyond Linting: CodeQL, Semgrep, SonarQube, and Snyk Code · Linters enforce style. Static analysis finds bugs. The difference matters. ESLint will tell you about unused variables and inconsistent formatting. CodeQL will tell you that us...
Mar 3 · 9 min read · Knip: Finding Dead Code and Unused Dependencies in JavaScript Projects · Every codebase accumulates dead code. A utility function written for a feature that got reverted. A dependency added for one component that nobody uses anymore. An exported type ...
Mar 3 · 7 min read · AI-Powered Code Review and Analysis Tools · AI code review tools have matured from novelty to necessity. They catch bugs humans miss, enforce consistency without nagging, and review PRs at 3 AM when your teammates are asleep. But they're not a replacem...
Feb 8 · 9 min read · Static Testing Basics · In contrast to dynamic testing, in static testing the software under test does not need to be executed. Code, process specification, system architecture specification or other work products are evaluated through manual examinati...
Feb 6 · 2 min read · The pattern I kept seeing While shipping LLM features, I noticed something uncomfortable: The security failures weren’t exotic. They were boring, obvious, and easy to miss. Things like: LLM calls happening before authentication checks Entire user or...
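The first failure the teaser names, an LLM call that runs before the authentication check, is easy to see in code. The block below is an added example, not code from the original post: a stub model client records every prompt it receives, so the difference between the two handlers is observable. The session store, token values, handler names and the `require_user` decorator are all constructed for this illustration.

```python
# Added example (not from the original post): the "LLM call before the auth
# check" ordering bug. A stub provider client records the prompts it is sent
# so the cost of the wrong ordering is visible. Sessions and users are
# constructed test data.
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, List, Optional


class Unauthorized(Exception):
    pass


@dataclass
class Request:
    session_token: Optional[str]
    prompt: str


# Constructed session store: token -> user id.
SESSIONS: Dict[str, str] = {"tok-alice": "alice"}


class StubLLM:
    """Stands in for a real provider client; records every prompt it is sent."""

    def __init__(self) -> None:
        self.prompts: List[str] = []

    def complete(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return "answer to: " + prompt


def authenticate(req: Request) -> str:
    """Resolve the session token to a user, or refuse the request."""
    user = SESSIONS.get(req.session_token or "")
    if user is None:
        raise Unauthorized("no valid session")
    return user


def handle_vulnerable(req: Request, llm: StubLLM) -> dict:
    # The model is called first: tokens are spent and the prompt (which may carry
    # user-supplied or tenant data) leaves the trust boundary before anyone has
    # checked who is asking. The check below only governs the *response*.
    answer = llm.complete(req.prompt)
    user = authenticate(req)
    return {"user": user, "answer": answer}


def require_user(handler: Callable[[str, Request, StubLLM], dict]):
    """Make the ordering structural: the handler body, and therefore the model
    call inside it, cannot run until authentication has succeeded."""

    @wraps(handler)
    def wrapper(req: Request, llm: StubLLM) -> dict:
        user = authenticate(req)
        return handler(user, req, llm)

    return wrapper


@require_user
def handle_fixed(user: str, req: Request, llm: StubLLM) -> dict:
    answer = llm.complete(req.prompt)
    return {"user": user, "answer": answer}


def llm_calls_for_anonymous(handler: Callable[[Request, StubLLM], dict]) -> int:
    """Send one unauthenticated request and report how many prompts reached the model."""
    llm = StubLLM()
    try:
        handler(Request(session_token=None, prompt="summarise the Q3 board minutes"), llm)
    except Unauthorized:
        pass
    return len(llm.prompts)


if __name__ == "__main__":
    print("vulnerable handler, anonymous caller, model calls:",
          llm_calls_for_anonymous(handle_vulnerable))
    print("fixed handler, anonymous caller, model calls:",
          llm_calls_for_anonymous(handle_fixed))
```

Both handlers refuse the anonymous caller, which is why the bug survives review and testing: the observable HTTP behaviour is identical. What differs is that the vulnerable version has already paid for the completion and sent the prompt to the provider. Putting the check in a decorator (or middleware) rather than in each handler body removes the ordering decision from the place where it keeps being made wrongly.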
Jan 4 · 2 min read · The holidays are officially over for me. We’re back to work at full bore. Hopefully people haven’t given up on their New Year’s Resolutions so far. This is going to be the first real week of the year for testing people, so start off on the right foot...