Code Verify: A Complete Beginner’s Guide

Implementing Code Verify: Step-by-Step Tutorial

Date: February 4, 2026

Introduction
Code Verify helps ensure the integrity of shipped JavaScript by matching deployed bundles to verified source code. This tutorial walks through a practical, end-to-end implementation so you can validate builds in CI and at runtime.

Prerequisites

  • Node.js (14+) and npm/yarn installed
  • A Git repository for your project
  • Familiarity with your build tool (Webpack, Vite, Rollup, etc.)
  • Access to the Code Verify service or CLI (assumed installed as a package named code-verify or similar)

Step 1 — Install Code Verify tools

  1. In your project root run:

    bash

    npm install --save-dev code-verify
  2. Verify installation:

    bash

    npx code-verify --version

Step 2 — Integrate with your build process

  1. Add a step to generate verification metadata during bundling. For Webpack, add the plugin to your webpack.config.js:

    js

    const CodeVerifyPlugin = require('code-verify').WebpackPlugin;

    module.exports = {
      // …existing config
      plugins: [
        new CodeVerifyPlugin({
          output: 'code-verify-manifest.json', // generated artifact
          includeSourceMaps: true
        })
      ]
    };
  2. For Vite or Rollup, use equivalent plugin hooks to emit a manifest file containing bundle hashes and source map links.
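
As an added illustration (not Code Verify's own code or manifest format), the Node.js sketch below shows the kind of hashing such a manifest hook performs and how a later check detects a hash mismatch or a file missing from the manifest. The manifest layout and the names `buildManifest` and `verifyDeployment` are assumptions made for this example.

```javascript
// Added example: the manifest layout and function names are assumptions,
// not the Code Verify tool's actual format or API.
const { createHash } = require('crypto');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// SHA-256 over the exact bytes that are served to the browser.
const sha256 = (bytes) => createHash('sha256').update(bytes).digest('hex');

// Build step: record a hash (and source map link, if any) per emitted bundle.
// `bundles` maps file name -> Buffer, as a bundler emit hook would expose.
function buildManifest(bundles) {
  const files = {};
  for (const [name, bytes] of Object.entries(bundles)) {
    if (name.endsWith('.map')) continue; // maps are linked, not hashed here
    const map = `${name}.map`;
    files[name] = { sha256: sha256(bytes), sourceMap: has(bundles, map) ? map : null };
  }
  return { version: 1, files };
}

// Check step: compare the files actually deployed against the manifest.
function verifyDeployment(manifest, deployed) {
  const result = { mismatched: [], missing: [], unlisted: [] };
  for (const [name, entry] of Object.entries(manifest.files)) {
    if (!has(deployed, name)) result.missing.push(name);
    else if (sha256(deployed[name]) !== entry.sha256) result.mismatched.push(name);
  }
  for (const name of Object.keys(deployed)) {
    if (!name.endsWith('.map') && !has(manifest.files, name)) result.unlisted.push(name);
  }
  result.ok = !(result.mismatched.length || result.missing.length || result.unlisted.length);
  return result;
}

// Constructed sample data: a two-bundle build, then a deployment in which one
// bundle differs from the build output and an extra script has appeared.
const built = {
  'app.js': Buffer.from('console.log("app v1");'),
  'app.js.map': Buffer.from('{"version":3}'),
  'vendor.js': Buffer.from('console.log("vendor");'),
};
const manifest = buildManifest(built);
const deployed = {
  ...built,
  'vendor.js': Buffer.from('console.log("vendor");/* changed */'),
  'extra.js': Buffer.from('console.log("not in manifest");'),
};
console.log(verifyDeployment(manifest, built));    // ok: true
console.log(verifyDeployment(manifest, deployed)); // vendor.js mismatched, extra.js unlisted
```

A check like this is most useful when run from CI or a separate monitoring host against the manifest registered at build time, because a manifest served from the same origin as the bundles can be altered together with them.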

Step 3 — Produce and upload artifacts in CI

  1. Build artifacts in CI (GitHub Actions example):

    yaml

    name: CI
    on: [push]
    jobs:
      build:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: actions/setup-node@v4
          - run: npm ci
          - run: npm run build
          - run: npx code-verify upload --manifest=dist/code-verify-manifest.json --api-key=${{ secrets.CODE_VERIFY_APIKEY }}
  2. Confirm successful upload in CI logs. The upload registers bundle hashes and source map references with Code Verify.

Step 4 — Add runtime verification to your app

  1. Include the runtime validator script in your HTML (served from your app or a CDN):

    html

    <script src="/path/to/code-verify-runtime.js" async></script>
    <script>
      window.addEventListener('load', () => {
        window.CodeVerify && window.CodeVerify.verify({
          manifestUrl: '/code-verify-manifest.json',
          onSuccess: () => console.log('Code verified'),
          onFailure: (err) => console.warn('Code verification failed', err)
        });
      });
    </script>
  2. Configure how failures are handled: log, present a user-friendly banner, block sensitive features, or report to a monitoring endpoint.

Step 5 — Configure reporting and alerts

  1. Use the runtime callback to POST verification failures to your monitoring service:

    js

    onFailure: (err) => {
      fetch('/report-verification-failure', {
        method: 'POST',
        headers: {'Content-Type': 'application/json'},
        body: JSON.stringify({error: err, url: location.href})
      });
    }
  2. In your monitoring/incident system set thresholds and alerts for repeated or widespread failures.

Step 6 — Verify source map availability and security

  • Ensure source maps referenced in the manifest are uploaded and accessible to Code Verify during verification.
  • If source maps contain sensitive info, host them in a controlled location and provide access only to the verification service or use inlined partial maps that avoid sensitive data. Consider stripping comments or secrets before mapping.

Step 7 — Testing and rollout

  1. Test on staging: run builds, upload manifests, and load the staging app to validate success/failure flows.
  2. Canary rollout: enable runtime verification for a small percentage of users to monitor false positives.
  3. Full rollout: enable for all users once confidence is high.

Best Practices

  • Automate manifest creation and upload in CI to prevent human error.
  • Pin Code Verify tool versions in CI for reproducible behavior.
  • Treat verification failures as high-severity for production builds.
  • Keep source maps encrypted or access-restricted if they contain sensitive symbols.
  • Log minimal metadata when reporting failures to preserve privacy and performance.

Troubleshooting

  • “Manifest not found” — confirm manifest output path and upload step in CI.
  • “Hash mismatch” — ensure identical build inputs (Node version, deps, build flags) between local/CI and uploaded manifest. Rebuild reproducibly.
  • “Source map load error” — check hosting CORS and availability.

Conclusion

Implementing Code Verify requires CI integration to emit and upload a verification manifest, plus a lightweight runtime verifier that checks deployed bundles against that manifest. Automate uploads, test in staging, and handle failures with clear reporting and escalation paths to keep your software supply chain trustworthy.
