Due to the sheer size of many highly trafficked software repositories -- Node.js's NPM, for instance -- the average developer is often left to parse metrics like GitHub stars to determine the quality of the code they're considering.
BitHound, a Kitchener, Ontario-based code analytics firm, is preparing to offer public access to a service that does much of the dirty work, entering a burgeoning field where there's both rising demand and existing competition.
CEO Dan Silivestru co-founded BitHound in late 2013, running the service for some time as a closed beta. As of this week, the plan is to throw open the doors to all comers, to offer the service for free in perpetuity to open source projects, and to charge a monthly fee for its use on closed-source development.
Silivestru described the service's aim as "not one of discoverability, but more about the understanding of choosing wisely." By auditing and analyzing so many projects and providing users with an overall quality score, "you can now look at a glance at all the dependencies within a project, and understand how they rank from a quality perspective, and how they compare to the quality you're delivering within your own software." When you deliver someone else's bad packages with your own software, it degrades quality, he argued.
Aside from running common static code analysis on third-party packages, BitHound determines code quality via several other metrics, including known security issues and the general stability and maintainability of the project. Security is a big enough concern for the company that it has collaborated with the Node Security Project, so that security alerts for a given NPM package can be incorporated into BitHound's own analysis.
Another possible competitor is Black Duck Software's OSS Logistics, which also features code auditing and origin tracking. However, OSS Logistics is part of a larger workflow centered as much on business logistics (compliance with open source licenses) as on code quality.