Make WordPress Core

Opened 2 years ago

#56785 new enhancement

Automatically catch potential security issues before release

Reported by: iandunn
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

It's much less effort to fix a security bug before it makes it into a release, and that also prevents users from being impacted. Automated tools are notoriously noisy, but have gotten better over the years, so it may be worth considering.

I recently tested out SonarCloud and it seems like it could be a good fit. It primarily focuses on new PRs/commits, which is much more manageable than tools that report a backlog of false positives.

It can comment on PRs with a report, and we could set up permissions so that any committer could dismiss false positives while reviewing. It could also scan (the GitHub mirror of) trunk, for commits that don't use the PR workflow. The ruleset can be customized, so we can only focus on security issues.

I'm not partial to any particular tool, though; are there others that folks like? I just noticed GitHub is trialing a static analyzer, but haven't tried it. If there are several good contenders, we could experiment with a few and then weigh the tradeoffs.
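As an illustration of the two scan triggers described in the ticket (every pull request, plus direct commits to trunk on the GitHub mirror), here is an added GitHub Actions workflow; it is not part of the ticket or of WordPress core, and the repository name, organization and project key are placeholders that would have to be filled in from the SonarCloud project settings. The `SONAR_TOKEN` secret is assumed to be configured in the repository.

```yaml
# Added example (not WordPress core's own configuration).
# Runs a SonarCloud scan on every pull request and on each push to trunk,
# so security findings are reported on new code rather than as a backlog.
name: SonarCloud security scan

on:
  pull_request:
    types: [opened, synchronize, reopened]
  push:
    branches: [trunk]   # catches commits that bypass the PR workflow

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          # A full history is needed so SonarCloud can tell new code
          # (the PR diff) apart from pre-existing code.
          fetch-depth: 0

      - uses: SonarSource/sonarcloud-github-action@master
        env:
          # GITHUB_TOKEN lets the action post the report as a PR comment / check.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # SONAR_TOKEN is a repository secret; assumed to exist.
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          # Placeholders: replace with the real SonarCloud organization and
          # project key. Quality profile (e.g. security-only rules) is chosen
          # in the SonarCloud project settings, not in this file.
          args: >
            -Dsonar.organization=PLACEHOLDER_ORG
            -Dsonar.projectKey=PLACEHOLDER_PROJECT_KEY
            -Dsonar.sources=src
```

Committers who review a PR can then mark a finding as a false positive in the SonarCloud UI, provided they are granted the "Administer Issues" permission on the project.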

Change History (0)
