Opened 2 years ago
#56785 new enhancement
Automatically catch potential security issues before release
| Reported by: | iandunn | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
It's much less effort to fix a security bug before it makes it into a release, and that also prevents users from being impacted. Automated tools are notoriously noisy, but have gotten better over the years, so it may be worth considering.
I recently tested out SonarCloud and it seems like it could be a good fit. It primarily focuses on new PRs/commits, which is much more manageable than tools that report a backlog of false positives.
It can comment on PRs with a report, and we could set up permissions so that any committer could dismiss false positives while reviewing. It could also scan (the GitHub mirror of) trunk, for commits that don't use the PR workflow. The ruleset can be customized, so we can only focus on security issues.
I'm not partial to any particular tool, though; are there others that folks like? I just noticed GitHub is trialing a static analyzer, but haven't tried it. If there are several good contenders, we could experiment with a few and then weigh the tradeoffs.
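As an added illustration (not part of the ticket, and not the project's own CI configuration), here is a GitHub Actions workflow wired the way the description proposes: it runs on every pull request and also on pushes to trunk, so direct commits that bypass the PR workflow are scanned too. The workflow file name, the action reference, the secret name, the project key, the organization and the source paths are assumptions. The security-only ruleset (a Quality Profile limited to vulnerability and security hotspot rules) and the permission that lets committers mark findings as false positives are configured in the SonarCloud project settings, not in this file.

```yaml
# .github/workflows/sonarcloud.yml  (assumed file name; example only)
name: SonarCloud security scan

on:
  pull_request:            # report on each new PR
  push:
    branches: [trunk]      # also cover commits that skip the PR workflow

jobs:
  sonarcloud:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so the scanner can separate new code from the old backlog

      - uses: SonarSource/sonarcloud-github-action@master   # assumed action reference
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # used by the action to read PR information
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # assumed repository secret holding the SonarCloud token
        with:
          args: >
            -Dsonar.projectKey=WordPress_wordpress-develop
            -Dsonar.organization=wordpress
            -Dsonar.sources=src
            -Dsonar.exclusions=**/vendor/**,**/node_modules/**
```

The `fetch-depth: 0` checkout matters for the "new code only" behaviour the description relies on: with a shallow clone the scanner cannot tell which lines a PR introduced, and the report degrades into the full backlog of pre-existing findings. The exclusions keep third-party code out of the report, since findings there cannot be fixed in this repository anyway.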