Source Code Properties of Defective Infrastructure as Code Scripts

TL;DR

This study empirically investigates source code properties of Infrastructure as Code scripts, identifying key indicators like lines of code and hard-coded strings that correlate with defects, and develops prediction models to improve script quality.

Contribution

It identifies ten source code properties linked to defective IaC scripts and constructs defect prediction models using these properties, validated on multiple datasets.

Findings

Lines of code and hard-coded strings strongly correlate with defects.

Practitioners agree that include and hard-coded string are important properties.

Prediction models achieve 0.70-0.78 precision and 0.54-0.67 recall.

Abstract

Context: In continuous deployment, software and services are rapidly deployed to end-users using an automated deployment pipeline. Defects in infrastructure as code (IaC) scripts can hinder the reliability of the automated deployment pipeline. We hypothesize that certain properties of IaC source code such as lines of code and hard-coded strings used as configuration values, show correlation with defective IaC scripts. Objective: The objective of this paper is to help practitioners in increasing the quality of infrastructure as code (IaC) scripts through an empirical study that identifies source code properties of defective IaC scripts. Methodology: We apply qualitative analysis on defect-related commits mined from open source software repositories to identify source code properties that correlate with defective IaC scripts. Next, we survey practitioners to assess the practitioner's agreement level with the identified properties. We also construct defect prediction models using the identified properties for 2,439 scripts collected from four datasets. Results: We identify 10 source code properties that correlate with defective IaC scripts. Of the identified 10 properties we observe lines of code and hard-coded string to show the strongest correlation with defective IaC scripts. Hard-coded string is the property of specifying configuration value as hard-coded string. According to our survey analysis, majority of the practitioners show agreement for two properties: include, the property of executing external modules or scripts, and hard-coded string. Using the identified properties, our constructed defect prediction models show a precision of 0.70~0.78, and a recall of 0.54~0.67.