Code/Ticket Traceability
The code/ticket traceability report shows you how consistently software engineers write code in version control systems like GitHub, GitLab, Azure DevOps, or Bitbucket that is traceable to tickets or issues in systems like Jira or GitHub Issues.
The report first looks at how many commits are untraceable because they are made directly to a main/master branch, or to a shared integration branch such as develop, staging or qa.
Next, the report looks for code that is untraceable because it is merged directly (e.g., using the git merge command) to main without using a pull request (called a merge request in GitLab).
Finally, the report shows how often code links to a known ticket. It searches branch names, commit messages, pull request titles, and pull request bodies for ticket links.
Because real life is never 100% perfect, the scores are weighted by how much time developers spend on untraceable code. This helps you focus on improving in areas that will have the biggest impact, with the goal of driving down the percentage of untraceable work.
This report also lets you drill down into teams, people, and specific pull requests to identify the biggest sources of untraceable work.
Why Is Code/Ticket Traceability Important?
Code/ticket traceability is important because it lets you see where people – your most valuable resource – are spending their time.
Cost Capitalization
Traceability is crucial for accurately allocating developer salary costs to tasks, projects, and initiatives in your ticketing system.
Cost allocation is a requirement if you’re doing R&D or cost capitalization for accounting (which is now mandatory for U.S. companies due to Section 174). But, even if you’re not capitalizing development costs on your balance sheet, CEOs, CFOs, and boards often want to see where their engineering salary costs are going for management purposes.
Without automated code/ticket traceability, organizations often resort to manual time tracking. Not only does manual time tracking actually waste developers’ time; it is less accurate because people tend not to log separate entries for small tasks and interruptions, which can have a big impact in aggregate.
Change Control Compliance
Code/ticket traceability is also a critical component of a secure software development process.
If developers write code that makes it into production without having an associated pull request and ticket, then there is no record of whether it was properly reviewed and prioritized according to the organization’s change control policies.
Failure to follow change control guidelines can result in insecure or improperly vetted code reaching customers, which can compromise the organization’s security.
Furthermore, if you undergo a security audit for standards like SOC 2, untraceable code puts you at risk of having an audit exception if discovered by the auditor. The code/ticket traceability report can also be a great piece of evidence to provide to auditors to demonstrate consistent compliance with change control procedures.
How Does the Code/Ticket Traceability Report Work?
The code/ticket traceability works by identifying all of the commits made by each author in your organization. It then associates these commits with merges and pull requests. Finally, it looks at commit messages, branch names, pull request titles, and pull request bodies to find ticket IDs that link back to your ticketing system.
The report then calculates how much time is spent on each commit to provide an overall score showing the percentage of traceable coding time, which is aggregated by team, person, and pull request.
FAQ
How does the code/ticket traceability report match ticket identifiers?
The code/ticket traceability matches ticket identifiers using a regular expression pattern that looks for valid ticket identifiers. It is case-insensitive and tolerates certain typos.
Additionally, the report verifies that any matches correspond to actual tickets, so, e.g., DEV-99999999 would not count as traceable unless a ticket with that ID actually exists.
Where does the report look for ticket identifiers?
The report looks for ticket identifier matches in the branch name (also called a “ref”), pull request title, and pull request body. It also looks in commit messages, but commits with ticket identifiers in the commit message can still fail the “use of branches” and “use of pull requests” scorecard checks in this report if they are on a main/master branch or not part of a pull request because they bypass the change control process.
Does the report handle squash and rebase merges?
Yes, the report properly follows commits through squash and rebase merges using metadata available in pull request records so that they are treated the same way as regular merges. Code written in squashed or rebased commits will be checked for use of pull requests and ticket traceability.
How does the report handle Git flows with multiple levels of pull requests?
For Git flows with multiple levels of pull requests, like having a side branch that is merged into a feature branch, then into development, and finally into main/master, the report searches for ticket identifiers in all pull requests until the code reaches an integration branch.
In the above example, if the first side branch pull request does not have a ticket identifier, but the PR from the feature branch into development does, then commits on the side branch will be properly counted as linking to a ticket.
However, if the feature branch PR also does not have a ticket, but the PR from development into master mentions some ticket in the body, then the side and feature branch commits will not count as linking to a ticket because they did not have a ticket before reaching development – an integration branch associated with multiple features. In this scenario, mentions of tickets when merging from development to master are disregarded because it’s unclear which specific commits they are associated with.
What version control systems are supported?
minware currently supports GitHub, GitLab, Bitbucket, and Azure DevOps Git version control systems.
What ticketing systems are supported?
minware currently supports Jira and GitHub Issues as ticketing systems.
How are deleted or moved tickets handled?
The report is currently unable to identify code that is linked to a ticket that no longer exists at its original ID because it has been deleted or moved. Deleting tickets is generally an anti-pattern and instead they should be resolved as “won’t fix” or a similar status to preserve traceability.
How is code from bots or outside contributors treated?
This report excludes commits from bots and users outside of your organization in forked repositories so that they don’t count against the metrics.
