Code Hygiene Is Not Optional

Intro – Why Untested Code Breaks Clean Systems

In hospitals, people rarely die from surgery itself.
They die from something far simpler: infection.
And in most cases, the infection starts with skipped hand hygiene.

Software systems are no different.

You build on top of rock-solid layers:

  • Linux — hardened through decades of collaboration

  • PHP — mature and predictable

  • Apache, Composer packages, CI pipelines, … — forged in production fire like the Rings of Power.

And still… your application breaks.

Not because the Webserver failed. Not because Linux kernel panicked.
But because your glue code silently can break everything it touchs.

This is not a post about tooling.
It’s about ritualized code hygiene.
It’s about testing as the minimum barrier to keep fragile logic from contaminating stable systems.

Chapter 1 – The Infection Starts With You

Your code is the infection vector.

Your infrastructure isn’t the problem:

  • Debian doesn’t “just break”

  • PHP doesn’t randomly reverse logic

  • Your dependencies aren’t the ones pushing broken PRs at 18:47 on a Friday

The problem is:

  • That null check you skipped

  • The brittle integration you “hoped” would hold

  • That silent catch block swallowing errors since sprint 4

This isn’t rare. This is normal.

Small Codebase, Large Failure Surface

Custom application logic often makes up just 1–5% of the total deployed codebase.
And yet, according to a 2017 report by Contrast Security, it causes up to 93% of vulnerabilities.

Why?

Because your code is:

  • The only part that changes weekly

  • The only part no one else reviews

  • The only part tested by two people under pressure

  • The only part that encodes assumptions instead of contracts

You are the one introducing uncertainty into a system that’s otherwise stable by design.

“Standing on the shoulders of giants means nothing if you’re bleeding on them.”

Chapter 2 – Testing Isn’t Optional

“No one praises a surgeon for washing their hands. But everyone remembers when they don’t.”

Testing is not about perfection.
It’s about not infecting the patient.

In software, your “patient” is production.
And every line of untested code has the ability to infect the system.

Testing Is Hygiene, Not Heroism

You don’t test because your code is dirty.
You test because it’s about to touch something critical.

Types of hygiene:

  • Unit tests: Isolate logic. Prevent regressions in small components.

  • Integration tests: Validate assumptions between systems.

  • End-to-end tests: Simulate the messy, unpredictable real world.

If you skip tests, you’re gambling that nothing goes wrong.
That’s not engineering — that’s negligence.

CI/CD is your sink

Manual discipline breaks down under pressure.
That’s why hospitals automate hygiene compliance. You should too.

CI must:

  • Run tests for every commit

  • Fail builds with broken assumptions

  • Enforce linting, style, and type checks

“If your CI lets bugs through, it’s no better than a sink with no soap.”

Chapter 3 – Trust Is Earned Through Testing

“You wouldn’t install a library with no tests —
So why are you shipping code like that yourself?”

In open source:

  • Tests earn trust

  • CI proves maturity

  • Examples guide usage

  • Bad hygiene is a red flag

That’s the standard.
And developers follow it — because it’s visible.

Internal Code Deserves the Same Discipline

The only difference between internal and open source code is accountability.
But users don’t care where the bug came from — they care that it happened.

If your internal module:

  • Has no tests …

  • Silently swallows errors …

  • Uses side effects instead of contracts …

  • Breaks when someone breathes on it …

… it wouldn’t survive 24 hours on GitHub.

So why is that tolerated in your own work?

Make Hygiene Observable

You can’t fix what you don’t measure:

  • Display test coverage

  • Badge your CI results

  • Show failure recovery times

  • Celebrate uptime from prevention, not just firefighting

“Don’t trust code because it’s yours. Trust it because it proves itself.”

Chapter 4 – Culture Eats Checklists for Breakfast

“Most bugs aren’t caused by bad engineers. They’re caused by broken culture.”

Everyone agrees testing matters.
Yet it’s the first thing dropped when deadlines hit or pressure rises.

That’s not a failure of knowledge.
It’s a failure of engineering culture.

Tiredness Is Predictable — Build Systems That Withstand It

Hospitals learned this the hard way:

  • In high-stress environments, handwashing compliance drops

  • Posters didn’t help

  • Systems and visibility did

Your team is no different.

Relying on personal willpower won’t scale.


Testing must be:

  • Enforced through CI

  • Expected in reviews

  • Measured and surfaced publicly (internal)

“Every untested PR that merges is a cultural decision — not just a technical one.”

Reward Boring Brilliance, Not 2AM Heroism

If the engineer who prevented the outage gets ignored,
but the one who patched it at 2:30AM gets praised —
you’re glorifying firefighting over engineering.

Change what you reward:

  • Tests that caught real bugs

  • Refactors that reduced surface area

  • CI improvements that shortened feedback loops

“You don’t notice best sysadmins.
You don’t notice best developers either — until they’re gone.”

Conclusion – Trusted Code Is Tested Code

“If you wouldn’t trust a surgeon without gloves,
why should anyone trust your untested code?”

You operate in a sterile, stable system:

  • Linux: hardened by thousands

  • PHP: versioned, predictable

  • Composer: peer-reviewed libraries

  • CI tools: ready to automate safety

And then your application breaks — because of you.
Not the system.
Not the tools.
Not the third-party code.

Your glue logic.
Your assumptions.
Your missing tests.

Testing is no tech debt. It’s not extra work. It’s not for “enterprise” teams only. Or whatever people say about it.

Testing is basic hygiene.
It’s how you earn trust — trust in your own application.

Call to Action

Today

  • Write a test for the thing you just merged.

  • Turn on CI checks for the project if it’s still running on “good intentions”.

This Week

  • Audit your riskiest integration logic.

  • Wrap it in tests. Track failure rates. Start small.

This Quarter

  • Make tests part of your definition of done.

  • Enforce quality gates in your CI.

  • Treat skipped tests like skipped security reviews — unacceptable.

“Good code is boring.
Safe code is essential.
Tested code is trusted.”

 

Ähnliche Beiträge:

Keine verwandten Beiträge.

Published by

voku

Lars Moelleken | Ich bin root, ich darf das!