Successful software development goes beyond just code. Whether in the cloud or a physical server, IT infrastructure contains the networks, data, and hardware required to support enterprise applications. Keeping this infrastructure up and running is critical—yet with thousands of interconnected metrics and data, it’s challenging to evaluate and diagnose problems at first glance. Originally founded as an open source project by a sole developer, Netdata seamlessly delivers insights that IT infrastructure teams need. And with an entirely remote workforce of 35 employees across 21 timezones—from Ireland to Australia—the performance and health monitoring system is facing its biggest growth yet.
With a promise to provide real-time insights while growing to scale, the Netdata team needed a way to stay nimble—and tools that could match. To start, they embraced their roots: open source repositories on GitHub. Their free, open source tool is downloaded 600,000 times a day. “We use GitHub for everything,” explained CEO and Founder Costa Tsaousis. “By actively participating in the open source community, we’re able to tap into millions of users offering immediate feedback and improvements for our software.”
But even with open source feedback and community contributions, maintaining a lean development team puts developers in charge of both building and securing code. As Netdata’s codebase grew, so did the risk of security alerts—when new code was merged, fresh security vulnerabilities were found. Developing features and addressing vulnerability alerts was a difficult and slow balancing act, something that Tsaousis couldn’t rationalize with the company’s own fast-moving innovation: “If a computer can find problems before they reach production, you should take advantage of that.” So the team turned to a new security solution: GitHub Advanced Security with the powerful semantic code analysis engine, CodeQL.
Quickly, their new security toolkit became integral to Netdata’s development process. Thanks to CodeQL, developers were able to find and fix vulnerabilities as they wrote code—long before vulnerabilities could even be identified by their previous security analysis tool. This streamlined development, enabling the team to be more efficient while ensuring code quality. “If Advanced Security reports error issues, the pull request isn’t allowed to be merged,” explained CTO Dimosthenis Kaponis. “If an issue is found, we’re informed immediately. We go over anything the tool has highlighted, and we make sure that it’s resolved before releasing a stable release.”
And since the tool is built right into the developer workflow, reliability and stability are a must. For Kaponis, helping developers focus their time on the code that matters is the priority—not tracking down security vulnerabilities flagged by mistake. “If a tool’s not reliable, then at some point we’ll be forced to disable it. That’s not the case here. Advanced Security provides the minimum number of false positives.” Fewer false positives mean fewer workflow interruptions—and creates trust that the security alerts developers do receive are crucial. “Without built-in security, you have to go through a number of additional steps when you review the code. For the developer who will press the merge button, it inspires confidence.”
GitHub Advanced Security is there for every pull request and excels compared to other static analysis tools we have used.
It’s not often that adding a new developer tool means less friction, but deploying these security features early frees up Netdata’s developers to do what they do best: getting secure applications to users faster. “Sometimes with a tool, you only want the insights, but don’t want to make it part of your daily workflow.” Kaponis said. “For us, it’s the opposite. GitHub Advanced Security is there for every pull request and excels compared to other static analysis tools we have used.”
Like security, incorporating CI/CD on the same platform where developers code now makes context-switching an exception, not the rule, for Senior SRE James Mills. “It’s right there, and it’s completely integrated. You don’t have to go traipsing off to some other tool and then sign into another thing. When I need to have a look at the status of our job and log sets, it’s right there.” Cycle recovery times are just a few days, with the team “fixing forward” instead of trying to recover or rollback changes. “Actions is really first-class for me,” said Mills.
Mills’ mindset is shared by Tsaousis and the entire team, from open source contributors to senior engineers. Several of Netdata’s open source contributors have now been hired on as staff, and the company has added a closed-source cloud service to its open source agent. Engineers have more freedom and use GitHub to collaborate through private and public repositories, but also to find new contributors. “GitHub changed the world. Today it’s a reference,” said Tsaousis. “It’s a de facto standard. All engineers know GitHub.”
GitHub and open source continue to be common threads in Netdata’s success, from hiring to their product roadmap. “I’ve been a C-level executive for 25 years,” Tsaousis said, “and I have always used open source software. It provides a lot more flexibility than a commercial solution and allows you to be in control.” Specifically, “GitHub has allowed our developers to spend more time writing code.” Now with more secure applications and a streamlined workflow, the team has a path forward to innovation: “We want to be the best monitoring tool available among commercial and open source solutions, and that all starts on GitHub.”
number of developers