DEV Community: Daleska

🛰️ Observability Practices with Prometheus and Grafana Monitoring a Node.js API

Daleska — Sat, 05 Jul 2025 20:05:34 +0000

📌 Introduction

In today's cloud-native and microservices-based systems, observability has become a critical component for ensuring system health and performance. While traditional monitoring focuses on known failure scenarios, observability empowers teams to explore the unknown by collecting telemetry data like metrics, logs, and traces.

This article walks through a real-world implementation of observability using Prometheus and Grafana to monitor a simple Node.js API. We'll explore how to instrument the application, export metrics, collect them with Prometheus, and visualize them in Grafana.

By the end of this guide, you will have:

A running Node.js REST API that exposes useful metrics
Prometheus configured to scrape those metrics
Grafana visualizing system behavior in real time

🧠 What is Observability?

Observability answers the question: “What’s going on inside my system?”

It relies on three fundamental pillars:

Pillar	Description
Metrics	Numeric representation of data over time (e.g., CPU usage)
Logs	Text records of events (e.g., errors, requests)
Traces	Track request flow across distributed services

Unlike basic uptime monitoring, observability helps answer why something is wrong, not just what is wrong.

🧰 Tools and Technologies Used

Node.js + Express: Lightweight web server to simulate an API
prom-client: Prometheus client library for Node.js
Prometheus: Time-series database that scrapes and stores metrics
Grafana: Visualization tool for dashboards and alerts
Docker + Docker Compose: To containerize and orchestrate services
GitHub: For source code versioning and sharing

⚙️ System Architecture

User
|
v
Node.js API (Express)
|
└── /metrics (prom-client)
|
Prometheus
|
Grafana

🛠️ Step-by-Step Implementation

1️⃣ Setting up the Node.js API

1.1 Install dependencies

npm init -y
npm install express prom-client

1.2 API Code (index.js)

const express = require('express');
const client = require('prom-client');
const app = express();

// Enable collection of default metrics like memory usage, CPU, etc.
client.collectDefaultMetrics();

const httpRequestDurationMicroseconds = new client.Histogram({
  name: 'http_request_duration_ms',
  help: 'Duration of HTTP requests in ms',
  labelNames: ['method', 'route', 'code'],
  buckets: [50, 100, 300, 500, 750, 1000, 2000]
});

app.use((req, res, next) => {
  const start = Date.now();
  res.on('finish', () => {
    const duration = Date.now() - start;
    httpRequestDurationMicroseconds
      .labels(req.method, req.route?.path || req.path, res.statusCode)
      .observe(duration);
  });
  next();
});

app.get('/hello', (req, res) => {
  res.send('Hello, observability world!');
});

app.get('/metrics', async (req, res) => {
  res.set('Content-Type', client.register.contentType);
  res.end(await client.register.metrics());
});

app.listen(3000, () => {
  console.log('Server listening on http://localhost:3000');
});

2️⃣ Prometheus Configuration

1.1 Create a file named prometheus.yml:

global:
  scrape_interval: 5s

scrape_configs:
  - job_name: 'nodeapp'
    static_configs:
      - targets: ['nodeapp:3000']

Prometheus will now scrape metrics from /metrics every 5 seconds.

3️⃣ Dockerizing Everything

Dockerfile

FROM node:18
WORKDIR /app
COPY . .
RUN npm install
CMD ["node", "index.js"]

docker-compose.yml

version: '3.8'

services:
  nodeapp:
    build: .
    ports:
      - "3000:3000"

  prometheus:
    image: prom/prometheus
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
    ports:
      - "9090:9090"

  grafana:
    image: grafana/grafana
    ports:
      - "3001:3000"

4️⃣ Running the Project

Start everything with:

docker-compose up --build

Then, go to:

`http://localhost:3000/hello → API endpoint

http://localhost:3000/metrics → Raw Prometheus metrics

http://localhost:9090 → Prometheus dashboard

http://localhost:3001 → Grafana (login: admin/admin)`

You can find the full source code and instructions here:

🔗 GitHub Repo

Automated CI/CD with GitHub Actions: From Testing to Production Deployment

Daleska — Sat, 05 Jul 2025 04:18:58 +0000

Introduction

In modern software engineering practices, the integration and deployment of code is as important as writing the code itself. Continuous Integration (CI) and Continuous Deployment (CD) are essential methodologies for ensuring that changes in code are tested, integrated, and deployed in an automated and efficient manner. GitHub Actions is a powerful tool for automating these workflows directly within GitHub repositories, facilitating both the execution of automated tests and the deployment of applications to production environments.

In this article, we will explore how to set up a comprehensive CI/CD pipeline using GitHub Actions. Specifically, we will demonstrate how to automate the process of running tests whenever changes are pushed to the repository, and how to automatically deploy the application to a production environment such as Heroku, upon successful completion of the tests.

Prerequisites

Before starting with the configuration, ensure you have the following:

A project with automated tests set up (we’ll be using Node.js and Jest in this case).
A repository on GitHub.
Access to a production server or cloud service, such as Heroku.

Setting Up the CI/CD Workflow with GitHub Actions

1. Create the GitHub Actions Configuration File

GitHub Actions uses YAML configuration files to define workflows. These workflows specify the various jobs and steps that GitHub will execute automatically upon certain triggers (e.g., pushing code to the repository).

Create a directory .github/workflows in the root of your repository if it does not already exist.
Inside this folder, create a file named ci-cd.yml. This file will define the CI/CD pipeline.

Here’s an example configuration for automating tests and deploying the application to Heroku:

name: CI/CD Pipeline

on:
  push:
    branches:
      - main  # Triggers the workflow when there is a push to the main branch

jobs:
  # Job to run the tests
  test:
    runs-on: ubuntu-latest  # Specifies the environment (Ubuntu latest version)

    steps:
      - name: Checkout code
        uses: actions/checkout@v2  # Checks out the repository code

      - name: Set up Node.js
        uses: actions/setup-node@v2
        with:
          node-version: '14'  # Specifies the Node.js version for the environment

      - name: Install dependencies
        run: npm install  # Installs the project dependencies

      - name: Run tests
        run: npm test  # Runs the tests using npm

  # Job to deploy the app to production (only if tests pass)
  deploy:
    needs: test  # Ensures that the deploy job runs only if the test job is successful
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Heroku credentials
        uses: akshatshah/heroku-action@v1
        with:
          heroku_api_key: ${{ secrets.HEROKU_API_KEY }}  # Using GitHub Secrets for Heroku API key

      - name: Deploy to Heroku
        run: |
          git remote add heroku https://git.heroku.com/your-app.git
          git push heroku main  # Deploys the application to Heroku.

Explanation of the Workflow:

on.push.branches: This section defines the event that triggers the workflow. Here, it is configured to run whenever code is pushed to the main branch.
jobs.test:

This job will run on Ubuntu.

It consists of several steps:

Checkout code: This step pulls the latest code from the repository.

Set up Node.js: Ensures that the correct version of Node.js is available for the application.

Install dependencies: Installs all the necessary dependencies listed in your package.json.

Run tests: Executes the tests using npm test.

jobs.deploy:

This job is set to run only after the test job is successful (needs: test).

It deploys the application to Heroku using a stored API key in GitHub Secrets. This makes the deployment secure.

2. Configuring Tests with Jest

To automate the testing process, we need to configure a testing framework. In this tutorial, we will use Jest, a popular testing framework for JavaScript applications.

Install Jest as a Development Dependency:

npm install --save-dev jest

Create a simple test file in the tests folder:

// __tests__/app.test.js
test('sumar 2 + 2', () => {
  expect(2 + 2).toBe(4);
});

Make sure your package.json has a test script:

`"scripts": {
  "test": "jest"
}

3. Create GitHub Secrets

To connect GitHub Actions to your production server (for example, Heroku), you need to configure credentials in GitHub Secrets.

Go to your GitHub repository.
In the top menu, click Settings.
From the left sidebar, select Secrets and variables > Actions.
Add a new secret with the name HEROKU_API_KEY and paste your Heroku API key as the value.

4. Verify the Workflow

Once everything is configured, make a "push" to your repository and verify that the workflow runs automatically. You can do this in the Actions tab of your repository on GitHub. If everything is set up correctly, GitHub Actions will run the tests, and if they pass, it will deploy the application to production.

Conclusion

GitHub Actions is an incredibly powerful tool for automating your CI/CD workflows. In this article, we’ve configured a workflow that not only runs tests automatically but also deploys our application to a production environment using Heroku, all from within GitHub.

This example is just a starting point. GitHub Actions has many more features, such as integrating other CI/CD services, generating documentation, or even notifying your team automatically about the status of tests and deployments.

Example Repository

Here’s the link to my example repository on GitHub where you can see the full code and configuration of this workflow:

GitHub Repository - Example CI/CD with GitHub Actions

KICS: A Developer-Friendly SAST Tool for Securing Infrastructure as Code

Daleska — Wed, 30 Apr 2025 05:08:13 +0000

In the cloud-native era, where speed, scalability, and automation dominate, Infrastructure as Code (IaC) has emerged as a critical practice for DevOps and platform engineering teams. Tools like Terraform, Pulumi, and OpenTofu allow infrastructure to be defined, versioned, and deployed with the same rigor as application code.

But just like any other code, infrastructure code is prone to security misconfigurations, errors, and vulnerabilities. A single misconfigured security group or publicly accessible storage bucket can result in devastating data breaches. This is where SAST tools for IaC play a vital role.

Among the many open-source tools available, KICS (Keeping Infrastructure as Code Secure) stands out for its breadth of support, ease of use, and community-driven rules engine. In this article, we’ll explore what KICS is, how it works, and how it can be applied to a real-world IaC project to prevent security issues before deployment.

🔍 What is KICS?

KICS is an open-source static code analysis tool developed by Checkmarx for scanning IaC files and detecting security vulnerabilities and misconfigurations. It performs static analysis, meaning it analyzes code without executing it. This makes it fast, safe, and ideal for early development stages.

Supported technologies include:

✅ Terraform
✅ Pulumi
✅ CloudFormation
✅ Kubernetes
✅ Ansible
✅ Dockerfile
✅ Azure ARM Templates

With over 1,500+ pre-built security queries, KICS checks for:

Open ports to the public internet
Unencrypted storage
Hardcoded secrets
Privilege escalation risks
Misconfigured IAM policies

⚙️ How KICS Works

KICS scans your infrastructure code and compares it to a database of misconfiguration rules written in YAML or JSON. Each finding includes:

🔎 Description of the vulnerability
🔒 Security context (CIS Benchmarks, etc.)
📍 File name and line number
🛠️ Suggested remediation
⚠️ Severity (Low, Medium, High, Critical)

It runs via:

Docker (checkmarx/kics)
CLI (kics scan -p ./path)
GitHub Actions / GitLab / Jenkins

🚧 Example: Terraform Scan

Here's a common misconfiguration in Terraform:

resource "aws_security_group" "open_sg" {
  name        = "open-sg"
  description = "Allow SSH from all"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Run KICS:
docker run -v $(pwd):/path checkmarx/kics:latest scan -p /path

Output:
[CRITICAL] aws_security_group.open_sg allows 0.0.0.0/0 for SSH Remediation: Restrict to known IPs only.

CI/CD Integration Example (GitHub Actions)
`name: KICS Scan

on:
push:
branches:
- main

jobs:
kics-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run KICS Scan
uses: checkmarx/kics-action@v1
with:
path: './'
`

📊 Reporting Formats

KICS supports:

JSON: for automation

HTML: for humans

SARIF: for GitHub Advanced Security

Export to your security dashboards or ticket systems easily.

✅ TL;DR:

KICS scans your IaC code (Terraform, Pulumi, K8s, Docker, etc.) for vulnerabilities and misconfigurations. It's open-source, fast, supports CI/CD, and helps you fix issues before deployment. Say goodbye to insecure cloud deployments!

📊 Interactive Dashboards with Dash: Python Data Visualization

Daleska — Fri, 25 Apr 2025 22:53:25 +0000

If you’ve ever wanted to build an interactive dashboard in Python without dealing with frontend code, Dash is the tool you need. Dash is a powerful and easy-to-use framework that allows you to create interactive web apps with dynamic data visualizations. In this article, you’ll learn how to build an interactive dashboard from scratch, connect it to a database, and visualize your data easily using Plotly.

What is Dash?

Dash is a Python framework created by Plotly for building interactive web applications focused on data visualization. With Dash, you can create dashboards with interactive charts without writing complex frontend code. It supports a high level of interactivity, making it ideal for real-time data analysis.

One of Dash’s biggest advantages is that it allows you to work entirely in Python using Plotly to create advanced visualizations—no need to learn HTML, CSS, or JavaScript. That makes Dash perfect for both developers and data analysts alike.

Why Use Dash?

Here are a few reasons to consider Dash for your next data project:

Ease of use: Building interactive dashboards is simple and straightforward.
Interactivity: Add callbacks to make charts react to user inputs in real time.
Flexibility: Integrate with multiple data sources, including SQL databases, Excel, and CSV files.
Scalability: From simple apps to complex analytical dashboards—Dash grows with your needs.

In short, Dash is ideal for anyone looking to create dynamic, custom data visualizations with minimal complexity.

Archivos del Proyecto:

app.py: This file contains the logic of the Dash application.
config.py: Holds the credentials and configuration for the database connection.
requirements.txt: Lists all the dependencies required to run the project.

📦 Step 1: Install Dependencies

First, make sure you have all required libraries installed. Create a requirements.txt file like this:

dash pandas mysql-connector-python plotly

Then, install everything with:
pip install -r requirements.txt

🔌 Step 2: Connect to a MySQL Database

We'll use MySQL as our data source. You’ll need to configure your database connection in config.py like this:

# config.py

DB_CONFIG = {
    "host": "localhost",      
    "user": "root",           
    "password": "",          
    "database": "tienda_ventas"   
}

Now, in your app.py, write a function to fetch the data:

# app.py

import dash
from dash import html, dcc
from dash.dependencies import Input, Output
import plotly.express as px
import pandas as pd
import mysql.connector
from config import DB_CONFIG  # Usamos config para la conexión

def get_data():
    conn = mysql.connector.connect(
        host=DB_CONFIG["host"],
        user=DB_CONFIG["user"],
        password=DB_CONFIG["password"],
        database=DB_CONFIG["database"]
    )

    query = """
    SELECT p.nombre AS producto, p.categoria, p.precio, v.cantidad, v.fecha
    FROM ventas v
    JOIN productos p ON v.producto_id = p.id
    """
    df = pd.read_sql(query, conn)
    conn.close()
    return df

# Obtener datos
df = get_data()

We use mysql.connector.connect() to connect, and pd.read_sql() to query and load data into a Pandas DataFrame.

🛠️ Step 3: Build the Dash App

Let’s build the actual dashboard. We'll use a dropdown to select product categories, a line chart for daily sales, and a bar chart for total sales by product.

# app.py

# Crear app
app = dash.Dash(__name__)
app.title = "Dashboard de Ventas"

# Layout
app.layout = html.Div([
    html.H1("📊 Dashboard de Ventas", style={'textAlign': 'center'}),

    dcc.Dropdown(
        id='categoria-dropdown',
        options=[{'label': cat, 'value': cat} for cat in df['categoria'].unique()],
        value=df['categoria'].unique()[0],
        style={'width': '50%', 'margin': 'auto'}
    ),

    dcc.Graph(id='grafico-ventas'),

    html.Hr(),

    dcc.Graph(
        figure=px.bar(
            df.groupby('producto')['cantidad'].sum().reset_index(),
            x='producto',
            y='cantidad',
            title="Ventas totales por producto"
        )
    )
])

@app.callback(
    Output('grafico-ventas', 'figure'),
    Input('categoria-dropdown', 'value')
)
def update_graph(categoria):
    filtrado = df[df['categoria'] == categoria]
    fig = px.line(filtrado, x='fecha', y='cantidad', color='producto',
                  title=f"Ventas por día - Categoría: {categoria}")
    return fig

# Ejecutar
if __name__ == '__main__':
    app.run(debug=True)

Code Breakdown

Dropdown: Users select a product category; charts update based on this selection.
Line Chart: Shows daily sales per product in the selected category.
Bar Chart: Displays total units sold per product.

To run your dashboard locally, simply run the app.py file:
archivo app.py
After a few seconds, you'll see this in your terminal:
Running on http://127.0.0.1:8050/

Open that URL in your browser, and voilà! 🎉 You’ll see your fully functional dashboard in action.

Repositorio en GitHub

Software Design Principles with Ruby (Applying SOLID)

Daleska — Sat, 19 Apr 2025 14:04:17 +0000

“Clean code is its own best documentation.” — Steve McConnell

When we start programming, it's common to focus on just making it work. But true skill lies in making it maintainable, readable, and easy to extend over time.

That's where the SOLID principles come in. In this article, I’ll show you what they are, why they matter, and how to apply them with a real Ruby example to see how powerful they can be.

🧱 What is SOLID?

SOLID is a set of five object-oriented design principles introduced by Robert C. Martin to improve code quality and make it scalable and maintainable.

The Principles:

S - Single Responsibility Principle (SRP)
O - Open/Closed Principle (OCP)
L - Liskov Substitution Principle (LSP)
I - Interface Segregation Principle (ISP)
D - Dependency Inversion Principle (DIP)

SRP - Single Responsibility Principle: A class should have only one reason to change — a single responsibility.
OCP - Open/Closed Principle: Software should be open for extension but closed for modification. You should be able to add new functionality without changing existing code.
LSP - Liskov Substitution Principle: Subclasses should be substitutable for their base classes without altering the correctness of the program.
ISP - Interface Segregation Principle: Clients should not be forced to depend on interfaces they do not use. Prefer small, specific interfaces over large ones.
DIP - Dependency Inversion Principle: High-level modules should not depend on low-level modules. Both should depend on abstractions.

📚 Case Study: Report Generator

Let’s imagine we are building an app that generates reports in multiple formats. We start with PDF and HTML, but then Markdown and DOCX get added.

Let’s see how to apply SOLID to this scenario.

❌ Version 1: Rigid and Hard to Scale

class Report
  attr_reader :title, :content

  def initialize(title, content)
    @title = title
    @content = content
  end

  def generate_pdf
    puts "Generating PDF for #{@title}"
  end

  def generate_html
    puts "Generating HTML for #{@title}"
  end
end

This version works, but it violates two major principles:

SRP: Report has two responsibilities: storing data and generating formats.
OCP: To add a new format (e.g. DOCX), you must modify this class.

✅ Refactored: SOLID Principles Applied

# SRP (Single Responsibility Principle):
# This class is only responsible for storing the report's data.
class Report
  attr_reader :title, :content

  def initialize(title, content)
    @title = title
    @content = content
  end
end

# DIP (Dependency Inversion Principle):
# Abstract class that defines an interface for formatters.
# High-level classes will depend on this abstraction.
class ReportFormatter
  def format(report)
    raise NotImplementedError, 'This method must be implemented'
  end
end

# SRP and LSP
class PDFFormatter < ReportFormatter
  def format(report)
    puts "Generating PDF for #{report.title}"
  end
end

# SRP and LSP
class HTMLFormatter < ReportFormatter
  def format(report)
    puts "Generating HTML for #{report.title}"
  end
end

# OCP, SRP, LSP
class MarkdownFormatter < ReportFormatter
  def format(report)
    puts "# #{report.title}\n\n#{report.content}"
  end
end

# Client using the system
# DIP: Does not depend on a specific class, only on the abstraction
report = Report.new("Sales Report", "This is the content of the report")

formatter = HTMLFormatter.new
formatter.format(report)

formatter = PDFFormatter.new
formatter.format(report)

formatter = MarkdownFormatter.new
formatter.format(report)

What did we improve?

SRP: Report only handles data, not formatting.
OCP: We can add MarkdownFormatter without modifying any existing classes.ninguna clase existente.
LSP: Any formatter can be used as a ReportFormatter without breaking the system.
DIP: The client depends on the abstraction (ReportFormatter), not on specific implementations.

Enterprise Design Patterns: Applying the Data Mapper pattern with Java

Daleska — Wed, 16 Apr 2025 01:34:47 +0000

In this article, we will explore the Data Mappe pattern, one of the patterns proposed by Martin Fowler in his catalog Patterns of Enterprise Application Architecture. We will see how to implement it in Java without using a database, ideal for those who want to understand the concept without extra technical complications.

🧠 What is the Data Mapper Pattern?

It is an enterprise architecture pattern that separates business logic from data access logic. Unlike the Active Record pattern, where the same object knows how to save or load its data, Data Mapper introduces an intermediate layer (the "Mapper") that handles transferring data between the domain model and the data source (in this case, simulated).

Why is it useful?

Avoids mixing business logic with persistence.
Improves maintainability and scalability of the system.
Facilitates writing unit tests (no need for a DB).
Allows changing the persistence mechanism without affecting domain classes.

Implementation in Java

Below is a complete example using Java, simulating persistence in memory with a HashMap.

Suggested Package Structure:

🧱 1. Model `User.java`

package model;

public class User {
    private int id;
    private String name;
    private String email;

    public User() {}

    public User(int id, String name, String email) {
        this.id = id;
        this.name = name;
        this.email = email;
    }

    // Getters y Setters

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public String getEmail() {
        return email;
    }

    public void setEmail(String email) {
        this.email = email;
    }
}

🧱 2. Interface `UserMapper.java`

package mapper;

import model.User;
import java.util.List;

public interface UserMapper {
    User findById(int id);
    List<User> findAll();
    void insert(User user);
    void update(User user);
    void delete(int id);
}

🧱 3. Implementation `UserMapperImpl.java`

package mapper;

import model.User;
import java.util.*;

public class UserMapperImpl implements UserMapper {
    private Map<Integer, User> database = new HashMap<>();

    @Override
    public User findById(int id) {
        return database.get(id);
    }

    @Override
    public List<User> findAll() {
        return new ArrayList<>(database.values());
    }

    @Override
    public void insert(User user) {
        database.put(user.getId(), user);
    }

    @Override
    public void update(User user) {
        if (database.containsKey(user.getId())) {
            database.put(user.getId(), user);
        }
    }

    @Override
    public void delete(int id) {
        database.remove(id);
    }
}

🧱 4. Test Class `UserService.java`

package service;

import mapper.UserMapper;
import mapper.UserMapperImpl;
import model.User;

public class UserService {
    public static void main(String[] args) {
        UserMapper userMapper = new UserMapperImpl();

        User u1 = new User(1, "Juan", "juan@gmail.com");
        userMapper.insert(u1);

        User u2 = new User(2, "Lucía", "lucia@gmail.com");
        userMapper.insert(u2);

        System.out.println("📋 Todos los usuarios:");
        userMapper.findAll().forEach(u -> 
            System.out.println(u.getId() + " - " + u.getName())
        );

        System.out.println("✏️ Actualizando usuario:");
        u1.setName("Juan Pérez");
        userMapper.update(u1);
        System.out.println("Nuevo nombre: " + userMapper.findById(1).getName());

        System.out.println("🗑️ Eliminando usuario con ID 2");
        userMapper.delete(2);

        System.out.println("✅ Usuarios actuales:");
        userMapper.findAll().forEach(u -> 
            System.out.println(u.getId() + " - " + u.getName())
        );
    }
}

Output

All users: 1 - Juan 2 - Lucía Updating user: New name: Juan Pérez Deleting user with ID 2 Current users: 1 - Juan Pérez

You can see the code on GitHub: GitHub Project Link

The Data Mapper pattern is a powerful tool within the set of Enterprise Design Patterns, especially when aiming to maintain a clean and decoupled architecture. Separating data access logic from business logic not only improves the maintainability of the system but also facilitates its long-term evolution and scalability.

This Java example demonstrates how this pattern can be applied without the need for a real database, using in-memory structures to focus on conceptual understanding. This approach is particularly useful in educational environments, prototypes, or when validating the architecture before connecting to a more complex persistence system.

Adopting patterns like Data Mapper not only promotes good design but also trains the development mindset toward solid software engineering principles, which are key in real-world enterprise projects.

🛡️ Simple Guide to Using PMD in Your Application

Daleska — Sat, 12 Apr 2025 16:03:50 +0000

🛡️ How to Apply PMD as a SAST Tool to Your Application

In the modern development world, where cyberattacks are increasing every day, security can no longer be left for the end. One of the most effective ways to protect your applications is to apply SAST (Static Application Security Testing) from the start of development. In this article, I’ll show you how to use PMD, a free static analysis tool that will help keep your code clean, efficient, and with fewer security risks.

🔍 What is PMD?

PMD is an open-source tool that analyzes source code (mainly in Java, but also supports Apex, JavaScript, XML, among others) and detects:

Duplicated code
Unused variables
Poorly structured statements
Excessively complex code
Bad programming practices

Although it is not solely focused on security, its ability to identify risky patterns makes it ideal for improving code health from a security perspective.

🛠️ How to Apply PMD to Your Application?

Step 1: Install PMD

You can download the tool from its official website:

👉 https://pmd.github.io

Download the .zip file corresponding to your operating system.
Extract the files to a folder of your choice.
(Optional) Add the bin/ folder to your system's environment variables to use it from any terminal.

Step 2: Prepare Your Application

Make sure you have a Java application with a clear structure (such as src/main/java). PMD will directly analyze the .java files, so no need to compile the app.

Step 3: Run the Analysis

Open your terminal and run the following command:

pmd check -d src -R rulesets/java/quickstart.xml -f html > reporte.html

🧩 Practical Example

Want to see a real example of how PMD was applied to a Java application? You can check out this GitHub repository where the analysis was executed, and an HTML report was generated with the findings:

🔗 See example on GitHub

Conclusion

Applying SAST tools like PMD early in the development process not only improves code quality but also strengthens the overall security of the application. Although PMD is not exclusively focused on finding security vulnerabilities, it does allow you to detect dangerous patterns, unnecessary complexities, and bad practices that could lead to more severe issues.

Integrating it into your workflow is straightforward, and with minimal effort, you can start automating reviews that might otherwise go unnoticed. Whether you're working on a personal project or in a professional environment, using PMD is a smart step toward more robust and reliable development.

Deploying an Application on Azure: Guide

Daleska — Sat, 06 Jul 2024 00:33:57 +0000

In today's world of cloud computing, Microsoft Azure stands out as one of the leading platforms enabling developers and businesses to deploy applications efficiently and at scale. This article will guide you through the essential steps to deploy an application on Azure, from initial setup to production deployment.

Step 1: Creating an Azure Account

Before you begin, you'll need a Microsoft Azure account. If you don't have one yet, you can sign up at azure.microsoft.com and create a free or paid account depending on your needs.

Step 2: Creating a Resource Group

In Azure, a Resource Group acts as a logical container that groups related resources for an application. Follow these steps to create one:

Sign in to the Azure Portal.
Click on "Create a resource" in the side menu.
Select "Resource group" and click on "Create".
Fill in the details such as the resource group name, region, and then click on "Review + Create" and finally on "Create".

Step 3: Creating a Web Application (Example with Azure App Service)

Azure App Service allows you to deploy and scale web applications quickly and easily. To create one:

In the Azure Portal, select your newly created Resource Group.
Click on "Add" to add a new resource.
Search for "App Service" and select "Create".
Complete the details such as application name, development stack (e.g., .NET, Node.js), and service plan (consumption plan or an App Service plan).
Click on "Review + Create" and then on "Create".

Step 4: Application Deployment

Once your App Service is configured, you can deploy your application:

Open the settings of your App Service from the Azure Portal.
In the "Deployment" section, choose the option that best fits your application (e.g., FTP, GitHub, Azure DevOps).
Follow the instructions to connect your repository or upload your
code.

Step 5: Configuration and Management

Azure offers various tools to configure and manage your application:

Application Settings: Adjust environment variables, connection settings, and more from the Azure Portal.
Monitoring and Scaling: Use Azure Monitor to track your application's performance and adjust scaling as needed.
Security: Implement security measures such as SSL certificates, multi-factor authentication, and access policies.

Step 6: Optimization and Maintenance

Once deployed, optimize your application to improve performance and ensure it stays updated with the latest software versions and security patches.

Deploying applications on Azure not only enhances accessibility and scalability through its diverse service options but also streamlines operational efficiencies and enhances security protocols. With this guide, you now possess a robust foundation to harness Azure's cloud capabilities effectively, enabling seamless project expansion and innovation while ensuring optimal performance and reliability across your applications.

The Evolution of API Development Styles: The GraphQL Architecture

Daleska — Mon, 10 Jun 2024 19:48:12 +0000

In the changing landscape of modern application development, the selection of API architecture style has become a critical factor in ensuring the efficiency, scalability and adaptability of solutions. While traditional approaches have been widely used, an increasingly popular alternative is the use of GraphQL.

What is GraphQL?

1. Type system: GraphQL has a type system that defines how data is
structured in the API, making it easy to explore and understand the
API.
2. Flexible queries: Clients can perform complex, nested queries to
get the data they need, rather than having to make multiple requests
to different endpoints.
3. Execution environment: GraphQL has a server-side execution
environment that interprets client queries, retrieves the necessary
data and returns a response in JSON format.
4. API evolution: GraphQL facilitates API evolution, since clients
can continue to use the same API even if the server adds or modifies
fields, as long as it does not remove fields that clients are
already using.

Benefits of GraphQL API Architecture

- Efficiency in data usage: GraphQL allows clients to get only the
data they need, which reduces network traffic and improves
performance.
- Flexibility and control: Clients can request exactly the data they
need, giving them more control over the information they receive.
- API evolution: GraphQL makes it easy to evolve APIs without
breaking compatibility with existing clients.
- Integrated documentation: GraphQL's type system provides integrated
API documentation, making it easy to explore and use.
- Reduced complexity: GraphQL simplifies the architecture by
eliminating the need for multiple endpoints and response formats.

GraphQL Use Cases

- Web and mobile applications: GraphQL enables clients to get only
the data they need, improving performance and user experience.
- Microservices: GraphQL can act as an integration layer between
multiple microservices, simplifying the interaction between them.
- IoT applications: GraphQL can be useful for managing communication
and data flow between IoT devices and the core application.
- Large-scale data applications: GraphQL facilitates querying and
manipulating large data sets, without the need for multiple requests.

Example

Schema Definition

Suppose we have a simple API to manage a list of books. We will start by defining the GraphQL schema:

type Book {
  id: ID!
  title: String!
  author: String!
  published: Int
}

type Query {
  books: [Book]
  book(id: ID!): Book
}

type Mutation {
  createBook(title: String!, author: String!, published: Int): Book
  updateBook(id: ID!, title: String, author: String, published: Int): Book
  deleteBook(id: ID!): Book
}

In this schema, we have:

Type Book: Represents a book, with fields such as id, title, author and published.
Type Query: Defines query operations, such as getting a list of books or a book by its ID (book).
Mutation type: Defines mutation operations, such as creating a new book (createBook), updating an existing book (updateBook) and deleting a book (deleteBook).

Query Example

Suppose we want to get a list of books with their titles and authors:

query {
  books {
    id
    title
    author
  }
}

The response would look something similar to this:

{
  "data": {
    "books": [
      {
        "id": "1",
        "title": "The Great Gatsby",
        "author": "F. Scott Fitzgerald"
      },
      {
        "id": "2",
        "title": "To Kill a Mockingbird",
        "author": "Harper Lee"
      },
      {
        "id": "3",
        "title": "1984",
        "author": "George Orwell"
      }
    ]
  }
}

Functional Programming in Python: A Practical Basic Guide to Functors, Monads, and Promises.

Daleska — Thu, 18 Apr 2024 04:56:35 +0000

Functional programming has gained popularity in recent years due to its focus on building programs using pure functions and composition. In Python, a versatile and widely used language, we can also leverage the concepts of functors, monads and promises to write cleaner and more readable code. In this article, we will explore how to use these concepts in Python and provide code examples to illustrate their application.

Functors

Functionors are structures that allow us to apply functions to wrapped values within a context. In Python, we can take advantage of the built-in capabilities of data types such as lists, dictionaries or sets to accomplish this efficiently.

We want to apply a function that converts all strings in a list to uppercase. We can use the list functor in Python to accomplish this efficiently: 🧑‍💻

strings = ["hello", "world", "python"]

upper_strings = list(map(str.upper, strings))

print(upper_strings) # Output: ['HELLO', 'WORLD', 'PYTHON']

Monads

Monads are an extension of functors that allow us to chain operations that return values wrapped in a context. In Python, we can take advantage of libraries such as pymonad to work with monads and simplify the handling of side effects and complex situations.

We want to calculate the area of a triangle, but the base or height values could be None if they are not provided. We can use the Maybe monad to handle these optional values safely: 🧑‍💻

from pymonad.maybe import Maybe

def calculate_triangle_area(base, height): if base is not None and height is not None: return Maybe.just(0.5 * base * height) else: return Maybe.nothing()

base = 5 height = None

triangle_area = calculate_triangle_area(base, height)

if triangle_area.is_just(): print("Área del triángulo:", triangle_area.just) else: print("No se pudo calcular el área del triángulo.")

Promises

Promises are another important concept in functional programming that allow us to handle asynchronous operations in a more concise and structured way. In Python, we can use libraries such as asyncio to work with promises and take advantage of asynchronous programming.

Suppose we want to make three HTTP requests asynchronously and process the responses when they are available. We can use the aiohttp library together with asyncio to work with promises and perform asynchronous operations: 🧑‍💻

import asyncio import aiohttp

async def fetch_data(url): async with aiohttp.ClientSession() as session: async with session.get(url) as response: return await response.text()

async def main(): urls = ["https://api.example.com/data1", "https://api.example.com/data2", "https://api.example.com/data3"] tasks = [fetch_data(url) for url in urls] results = await asyncio.gather(*tasks) for result in results: print("Respuesta:", result)

asyncio.run(main())

We have explored how to apply the concepts of functors, monads and promises in Python to write cleaner and more readable code. Functors allow us to apply functions to values wrapped in a context, monads allow us to chain operations and handle optional values, and promises help us handle asynchronous operations in a structured way. These concepts are useful for building more robust and flexible programs in Python, taking advantage of the benefits of functional programming. 😉

DEV Community: Daleska

🛰️ Observability Practices with Prometheus and Grafana Monitoring a Node.js API

📌 Introduction

🧠 What is Observability?

🧰 Tools and Technologies Used

⚙️ System Architecture

🛠️ Step-by-Step Implementation

1️⃣ Setting up the Node.js API

1.1 Install dependencies

1.2 API Code (index.js)

2️⃣ Prometheus Configuration

1.1 Create a file named prometheus.yml:

3️⃣ Dockerizing Everything

4️⃣ Running the Project

You can find the full source code and instructions here:

Automated CI/CD with GitHub Actions: From Testing to Production Deployment

Introduction

Prerequisites

Setting Up the CI/CD Workflow with GitHub Actions

1. Create the GitHub Actions Configuration File

Explanation of the Workflow:

2. Configuring Tests with Jest

Install Jest as a Development Dependency:

3. Create GitHub Secrets

4. Verify the Workflow

Conclusion

Example Repository

KICS: A Developer-Friendly SAST Tool for Securing Infrastructure as Code

🔍 What is KICS?

⚙️ How KICS Works

🚧 Example: Terraform Scan

📊 Reporting Formats

✅ TL;DR:

📊 Interactive Dashboards with Dash: Python Data Visualization

What is Dash?

Why Use Dash?

Archivos del Proyecto:

📦 Step 1: Install Dependencies

🔌 Step 2: Connect to a MySQL Database

🛠️ Step 3: Build the Dash App

Code Breakdown

Software Design Principles with Ruby (Applying SOLID)

🧱 What is SOLID?

The Principles:

📚 Case Study: Report Generator

❌ Version 1: Rigid and Hard to Scale

✅ Refactored: SOLID Principles Applied

What did we improve?

Enterprise Design Patterns: Applying the Data Mapper pattern with Java

🧠 What is the Data Mapper Pattern?

Why is it useful?

Implementation in Java

Suggested Package Structure:

🧱 1. Model User.java

🧱 2. Interface UserMapper.java

🧱 3. Implementation UserMapperImpl.java

🧱 4. Test Class UserService.java

Output

🛡️ Simple Guide to Using PMD in Your Application

🔍 What is PMD?

🛠️ How to Apply PMD to Your Application?

Step 1: Install PMD

Step 2: Prepare Your Application

Step 3: Run the Analysis

🧩 Practical Example

Conclusion

Deploying an Application on Azure: Guide

Step 1: Creating an Azure Account

Step 2: Creating a Resource Group

Step 3: Creating a Web Application (Example with Azure App Service)

Step 4: Application Deployment

Step 5: Configuration and Management

Step 6: Optimization and Maintenance

The Evolution of API Development Styles: The GraphQL Architecture

What is GraphQL?

Benefits of GraphQL API Architecture

GraphQL Use Cases

Example

Schema Definition

Query Example

🧱 1. Model `User.java`

🧱 2. Interface `UserMapper.java`

🧱 3. Implementation `UserMapperImpl.java`

🧱 4. Test Class `UserService.java`