Climb the maturity ladder with the Recommended Source Control Track

Estimated Time: 1 hour

Introduction

Is your organization seeking to standardize its repository security & configurations? This tutorial is for you!

It's common for many organizations to ask engineering teams to enforce repository policies. These policies can include branch protection rules, standardizing PR approval settings, and more!

In this tutorial, we'll walk through the available Spotify-provided integrations specific to the SCM tool used in your organization. Soundcheck supports all the most popular integrations out of the box to ensure your organization can start standardizing its repository controls smoothly & efficiently.

Requirements

1. Completed Soundcheck Backend Setup
2. Completed Soundcheck Frontend Setup
3. Completed one of our supported SCM-specific prerequisites
   • Github
   • Gitlab
   • Azure DevOps

Understanding the Recommended Settings Track

What is a Track?

Tracks encourage alignment to architectural best practices and standards and are analogous to an organization’s long-term tech health initiatives.

What is a Check?

Checks indicate where the software aligns with or deviates from organizational standards and best practices.

Soundcheck populates a Recommended Source Control track with a set of pre-populated checks on the first startup of Soundcheck. It inspires what a real track & set of checks may look like in the wild.

If you're interested in learning more about the shape of a track or check, we recommend checking out the following documentation for further reading:

• Overall Shape of a Track
• Overall Shape of a Check

Configuring the Recommended Settings Track

Github
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-pull-request-requires-review.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-force-pushes-disabled.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-repository-has-owner.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-deletions-are-forbidden.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/track-recommended-github-settings.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-admins-must-follow-rules.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/github/check-branch-is-not-locked.yaml

Gitlab
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/check-denies_force_push.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/check-uses_javascript.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/check-code_owner_approval_required.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/check-only_allows_merge_if_all_discussions_are_resolved.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/check-not_archived.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/gitlab/track-recommended-gitlab-settings-track.yaml

Azure DevOps
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/track-recommended-azure-settings.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/azure-devops-fact-collector.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-enforcing-status-checks.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-force-pushes-disabled.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-deletions-are-forbidden.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-repository-has-project.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-pull-request-requires-review.yaml
https://21894833.fs1.hubspotusercontent-na1.net/hubfs/21894833/.COM-resources/recommended-source-control-settings-tutorial-files/azure/check-branch-default-main.yaml

NOTE: If you're new to Soundcheck & use GitHub, skip this step! The plugin comes pre-loaded with a Recommended GitHub Settings track for your convenience.

Up above, we provide a track inspired by Spotify's own recommended standards we use for our internal Backstage. Please feel free to download the tracks & checks associated with your organization's SCM.

Ready-to-Go Collector YAML

What is an integration?

An integration is a soundcheck extension module that allows soundcheck to fetch (collect) data from various sources (Github, Gitlab, DataDog, etc.).

NOTE We recently renamed collectors to integrations in Soundcheck UI but in the backend they are still referred to as collectors.

What is a Collector?

A fact collector collects one or more facts about entities, and Soundcheck can be extended with additional fact collectors. Collectors are responsible for integrating with TPIs or other Backstage plugins to gather information related to Backstage entities in your Software Catalog.

What is a Fact?

Facts represent data related to an entity in your Software Catalog. The data can be formatted in any desired format, defined by the fact collector. Each fact collector will have its fact schema representing what type of facts are returned to the collector.

Initializing the GitHub Fact Collector

Here's an example of the GitHub Fact Collector configuration. The collector YAML will vary slightly based on your SCM as you follow the tutorial.

These files should be copied into your Backstage directory at the following locations at the top of the file, commented out.

# ./packages/backend/src/plugins/soundcheck/collectors/github-fact-collector.yaml
---
frequency:
  hours: 1
initialDelay:
  seconds: 5
filter:
  kind: component
cache:
  duration:
    hours: 24
collects:
  - factName: branch_protections
    type: BranchProtections
    branch: main
  - factName: repository_details
    type: RepositoryDetails

# app-config.yaml
soundcheck:
  results:
    history:
    enable: true
    retentionTimeInDays: 90
    cleanupFrequencyCron: '0 0 0 * * *'
    cleanupTimeoutInMinutes: 5
  certifications:
    history:
      enable: true
      retentionTimeInDays: 90
      cleanupFrequencyCron: '0 0 0 * * *'
      cleanupTimeoutInMinutes: 5
  collectors:
    github:
      - $include: ./packages/backend/src/plugins/soundcheck/collectors/github-fact-collector.yaml

Soundcheck scheduling best practices

When you schedule a collector, it collects facts on all entities that match the collector's filter. If the fact for an entity is updated compared to its cached version (or if there is no cached fact, Soundcheck finds all checks that depend on that fact and automatically executes them to produce check results.

When you schedule a check, it executes on all entities that match the check's filter, Soundcheck will request a collection of the required facts on all entities matching that filter if the fact isn't already cached, then execute the check to produce a check result.

Scheduling using collectors is the highly recommended approach. Collector scheduling respects rate-limiting settings whereas check scheduling does not.

Most facts come from a fact collector. The only exceptions to this are the internal-built Catalog facts & Soundcheck certification facts provided natively by the core Soundcheck module. For these facts, users only have the option to schedule checks (which then go fetch relevant facts).

Voilà!

Once the configuration is added, feel free to start Backstage! You'll know you're successful when you visit an entity to see its check results showing pass / fail results in your Soundcheck UI.

Congratulations! You're measuring how well your organization follows repository best practices!

What's next?

Great question! From here, you have a few paths available to you:

• Organizational standards vary. We encourage adopters to use this track as a starting place for adding new facts & checks to enforce technical standards important for their organization. This example provides everything needed to use as inspiration for additional checks & facts.
• This may have inspired ideas for new tracks for other initiatives besides Recommended Source Control best practices. We have other tutorials & other excellent documentation for configuring additional fact collectors for integrations with other important integrations your organization cares about.