Developer Glossary
A complete guide to code review, security, DevOps and software quality terminology
50 terms
Code Review and Quality (12)
Code Review
The systematic examination of source code by one or more developers to identify bugs, security vulnerabilities, and improve code quality before merging into the main codebase.
Static Analysis
The process of analyzing source code without executing it to find potential bugs, security vulnerabilities, and code quality issues.
Technical Debt
The implied cost of additional rework caused by choosing an easy (limited) solution now instead of using a better approach that would take longer.
Code Smell
A surface indication in the source code that usually corresponds to a deeper problem in the system. Not a bug itself, but a sign that refactoring may be needed.
Refactoring
The process of restructuring existing code without changing its external behavior to improve readability, reduce complexity, and make it easier to maintain.
Linting
The process of running a program that analyzes code for potential errors, bugs, stylistic issues, and suspicious constructs.
Clean Code
Code that is easy to understand, simple to modify, and clearly expresses the intent of the programmer. A philosophy popularized by Robert C. Martin.
Legacy Code
Existing code that is difficult to change due to lack of tests, poor documentation, outdated technologies, or original developers no longer available.
DRY Principle (Don't Repeat Yourself)
A software development principle stating that every piece of knowledge in a system should have a single, authoritative representation.
KISS Principle (Keep It Simple, Stupid)
A design principle stating that systems work best when they are kept simple rather than made complex. Simplicity should be a key goal.
YAGNI (You Aren't Gonna Need It)
An Extreme Programming principle stating that programmers should not add functionality until it is actually needed, avoiding speculative features.
Dead Code
Code that is never executed at runtime, including unreachable code, unused functions, and code hidden behind conditions that are always false.
Security (12)
SAST
Static Application Security Testing — a method of analyzing source code for security vulnerabilities without executing the program.
DAST
Dynamic Application Security Testing — a method of testing running applications for security vulnerabilities by simulating attacks.
OWASP
The Open Worldwide Application Security Project — a nonprofit foundation that works to improve software security through community-led open-source projects.
OWASP Top 10
A regularly updated list of the 10 most critical security risks to web applications, published by OWASP as a standard awareness document for developers.
CSRF (Cross-Site Request Forgery)
An attack that tricks an authenticated user into clicking a malicious link or submitting a form, forcing them to perform unintended actions in a web application.
Authentication
The process of verifying the identity of a user, device or system. It answers the question "Who are you?" (as opposed to authorization, which answers "What are you allowed to do?").
Secrets Management
The practice of securely storing, distributing and rotating sensitive data such as API keys, passwords, database credentials and certificates.
Dependency Vulnerability
A security weakness in a third-party library or package that an application depends on, which can be exploited to compromise the application.
Code Scanning
Automated analysis of code to find security vulnerabilities, bugs and code quality issues, typically integrated into CI/CD pipelines.
DevSecOps
An approach that integrates security practices into every phase of the DevOps pipeline, making security a shared responsibility across development, security, and operations teams.
SQL Injection
A code injection technique that exploits security vulnerabilities in an application's database layer by inserting malicious SQL statements into input fields.
XSS (Cross-Site Scripting)
A security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing session cookies, credentials, or performing actions on behalf of victims.
AI Code Review (3)
AI Code Review
The use of artificial intelligence and machine learning to automatically analyze code changes and provide feedback on quality, security, and best practices.
Automated Code Review
The use of automated tools to analyze code and provide feedback without manual human intervention, typically integrated into CI/CD pipelines.
Multi-Agent AI
An AI architecture in which multiple specialized agents collaborate on complex tasks, each focusing on a specific domain such as security, performance or code quality.
DevOps and CI/CD (5)
CI/CD
Continuous Integration and Continuous Delivery/Deployment — a set of practices that automate the building, testing, and deployment of code changes.
DevOps
A set of practices combining software development (Dev) and IT operations (Ops) that aims to shorten the development lifecycle and deliver high-quality software continuously.
GitHub Actions
GitHub's built-in CI/CD platform, which lets you automate software workflows directly from a repository using YAML configuration files.
Shift Left
A practice of moving testing, quality, and security processes earlier in the software development lifecycle to find and fix issues sooner.
Pre-commit Hooks
Scripts that run automatically before a git commit is created, used to enforce code quality standards, run linters and prevent problematic code from being committed.
Testing (7)
Unit Testing
A software testing method where individual units or components of code are tested in isolation to verify they work correctly.
Code Coverage
A metric that measures the percentage of code executed during testing, indicating how much of the codebase is covered by automated tests.
E2E Testing (End-to-End Testing)
A testing approach that verifies an entire application workflow from start to finish, simulating real user scenarios including the UI, APIs, database and external integrations.
TDD (Test-Driven Development)
A software development practice where tests are written before the actual code, following a cycle of: write a failing test, write minimal code to pass, then refactor.
Integration Testing
Testing that verifies different modules or services work correctly together, typically testing interactions between components rather than individual units.
Test Coverage Threshold
The minimum percentage of code that must be covered by tests, enforced in CI/CD pipelines to ensure new code does not lower overall test coverage.
Mutation Testing
A technique that evaluates test quality by introducing small changes (mutations) into the code and checking whether the tests detect them. Undetected mutations indicate weak tests.
Git and Version Control (7)
Pull Request
A method of submitting code changes for review before merging into the main branch. Also known as merge request (MR) in GitLab.
Git
A distributed version control system that tracks changes in source code during software development, enabling multiple developers to work together.
Merge Request
GitLab's term for a pull request — a method of submitting code changes for review before merging into another branch. Functionally identical to GitHub's pull request.
Commit
A snapshot of changes in a Git repository that records modifications to files along with a message describing what changed and why.
Branch
An independent line of development in Git that allows developers to work on features, fixes, or experiments without affecting the main codebase.
Gitflow
A branching model for Git that defines a strict branching structure designed around project releases, using dedicated branches for features, releases, and hotfixes.
Trunk-Based Development
A source-control branching model where developers collaborate on code in a single branch called "trunk" (or main), avoiding long-lived feature branches.
Metrics and Architecture (4)
Cyclomatic Complexity
A software metric that measures the number of independent paths through a program's source code, indicating code complexity and testability.
DORA Metrics
Four key metrics identified by the DevOps Research and Assessment (DORA) team that measure software delivery performance: deployment frequency, lead time for changes, change failure rate, and time to restore service.
SOLID Principles
Five design principles for object-oriented programming that promote maintainable, flexible, and understandable code: Single Responsibility, Open-Closed, Liskov Substitution, Interface Segregation, and Dependency Inversion.
Code Complexity
A quantitative measure of how hard code is to understand, test and maintain, based on factors such as branching, nesting depth and dependencies.