Free cloud service evaluates JavaScript code quality

Free for open source projects, BitHound analyzes JavaScript code to ferret out subpar Node packages


Due to the sheer size of many highly trafficked package registries -- Node.js's NPM, for instance -- the average developer is often left to rely on proxies like GitHub stars to judge the quality of the code they're considering.

BitHound, a Kitchener, Ontario-based code analytics firm, is preparing to offer public access to a service that does much of the dirty work, entering a burgeoning field where there's both rising demand and existing competition.

The service analyzes a project's JavaScript repositories in GitHub and generates reports on code quality. For the project's third-party packages, BitHound reports on the quality of those upstream projects as well: the rate of code churn, the consistency of committers, test results for the code, and so on. The idea is to spare the user from running such checks not only on their own code, but on any third-party code they may be pulling in.

CEO Dan Silivestru co-founded BitHound in late 2013, running the service for some time as a closed beta. As of this week, the plan is to throw open the doors to all comers, to offer the service for free in perpetuity to open source projects, and to charge a monthly fee for its use on closed-source development.

Silivestru described the service's aim as "not one of discoverability, but more about the understanding of choosing wisely." By auditing and analyzing so many projects and providing users with an overall quality score, "you can now look at a glance at all the dependencies within a project, and understand how they rank from a quality perspective, and how they compare to the quality you're delivering within your own software." When you deliver someone else's bad packages with your own software, it degrades quality, he argued.

Aside from running common static code analysis on third-party packages, BitHound determines code quality via several other metrics, including known security issues and the general stability and maintainability of the project. Security is a big enough concern for the company that it has collaborated with the Node Security Project, whose advisories for specific NPM packages can be folded into BitHound's own analysis.
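The core of that advisory integration is a dependency audit: take the versions actually installed in a project and cross-reference them against a list of known-vulnerable version ranges. The following is an added illustration in that spirit, not BitHound's or the Node Security Project's code. The advisory list, the advisory IDs, the package names and the resolved dependency tree (shaped like `npm ls --json` output) are all constructed for the example; the semver range checker handles only plain comparison bounds and is a stand-in for a real semver library.

```javascript
// Added example: audit a resolved npm dependency tree against a list of
// security advisories. Not BitHound's code; advisories, package names and
// the tree below are constructed for illustration.

// Parse "1.2.3" (optionally prefixed with "v" or "=") into [1, 2, 3].
// Prerelease and build tags are dropped for simplicity.
function parseVersion(v) {
  const core = v.replace(/^[v=\s]*/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Return -1, 0 or 1 comparing two version strings numerically per component.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a range such as "<0.2.0" or ">=1.0.0 <1.4.2". Space-separated
// bounds are ANDed and "*" matches everything. Caret, tilde and "||" syntax
// are deliberately not handled here; a production auditor would use the
// semver package for the full grammar.
function satisfies(version, range) {
  if (range.trim() === '*') return true;
  return range.trim().split(/\s+/).every((bound) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(bound);
    const op = m[1] || '=';
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Constructed advisory feed. The IDs and module names are fictional.
const ADVISORIES = [
  { id: 'EXAMPLE-1', module: 'leftish-pad', vulnerable: '<0.2.0', patched: '>=0.2.0' },
  { id: 'EXAMPLE-2', module: 'tiny-serve', vulnerable: '>=1.0.0 <1.4.2', patched: '>=1.4.2' },
];

// Constructed resolved tree in the shape of `npm ls --json`. Note that the
// same package appears twice at different versions: once as a direct
// dependency and once nested under tiny-serve.
const INSTALLED = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'tiny-serve': { version: '1.3.0', dependencies: { 'leftish-pad': { version: '0.1.9' } } },
    'leftish-pad': { version: '0.2.3' },
    'safe-util': { version: '2.0.0' },
  },
};

// Walk the resolved tree and report every installed version that falls in
// an advisory's vulnerable range, with the path that pulled it in. Auditing
// resolved versions rather than package.json ranges matters: a declared
// "^1.0.0" says nothing about which version was actually installed.
function auditTree(tree, advisories) {
  const findings = [];
  function walk(node, path) {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      for (const adv of advisories) {
        if (adv.module === name && satisfies(child.version, adv.vulnerable)) {
          findings.push({
            id: adv.id,
            module: name,
            version: child.version,
            patched: adv.patched,
            path: here.join(' > '),
          });
        }
      }
      walk(child, here);
    }
  }
  walk(tree, []);
  return findings;
}

for (const f of auditTree(INSTALLED, ADVISORIES)) {
  console.log(`${f.id}: ${f.module}@${f.version} via ${f.path} (fixed in ${f.patched})`);
}
```

Two things the walk makes visible that a flat package.json check would miss: the vulnerable `leftish-pad@0.1.9` is only reachable transitively through `tiny-serve`, while the direct `leftish-pad@0.2.3` is clean, so a fix means bumping the intermediate package, not the direct one. And any such audit only finds issues that already have an advisory; it says nothing about unreported bugs, which is why the churn, committer and test-result signals described above are worth reading alongside it.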

JavaScript is not the only language BitHound intends to deal with, but plans for expanding beyond Node.js are still vague. "It depends on the bulk of our customer base, where their interests lie," Silivestru said. Many users' core competency is not JavaScript, he noted, so they've requested other common languages: Ruby, Python, PHP. The company's plan is to start with "the Web stack itself" -- JavaScript and its Web tie-ins -- and move outward. Silivestru also claimed that 70 percent of the technology the company uses for code auditing is language-agnostic and could be retooled for other languages.

BitHound faces at least two other competitors. Silivestru cited Code Climate, which performs automated code review on JavaScript code in GitHub repositories. Code Climate also audits Ruby and supports PHP in a public beta.

Another possible competitor is Black Duck Software's OSS Logistics, which also features code auditing and origin tracking. However, OSS Logistics is part of a larger workflow centered as much around business logistics (compliance with open source licenses) as on code quality.