Opened 3 years ago
Last modified 16 months ago
#56785 new enhancement
Automatically catch potential security issues before release
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | 2nd-opinion |
| Focuses: | | Cc: | |
Description
It's much less effort to fix a security bug before it makes it into a release, and that also prevents users from being impacted. Automated tools are notoriously noisy, but have gotten better over the years, so it may be worth considering.
I recently tested out SonarCloud and it seems like it could be a good fit. It primarily focuses on new PRs/commits, which is much more manageable than tools that report a backlog of false positives.
It can comment on PRs with a report, and we could set up permissions so that any committer could dismiss false positives while reviewing. It could also scan (the GitHub mirror of) trunk, for commits that don't use the PR workflow. The ruleset can be customized, so we can focus only on security issues.
I'm not partial to any particular tool, though; are there others that folks like? I just noticed GitHub is trialing a static analyzer, but haven't tried it. If there are several good contenders, we could experiment with a few and then weigh the tradeoffs.