:microscope: integrate static analysis

[jadudm]

At a glance

In order to get authority to operate as a product owner I want my system to be safe, trustworthy, and compliant

Acceptance Criteria

We use DRY behavior-driven development wherever possible.

### then...
- [ ] Snyk
- [ ] https://github.com/golangci/golangci-lint
- [ ] GH CodeQL (https://docs.github.com/en/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning#enabling-code-scanning-using-actions)

Shepherd

• UX shepherd:
• Design shepherd:
• Engineering shepherd:

Background

https://handbook.tts.gsa.gov/launching-software/security/#static-analysis

Security Considerations

Required per CM-4.

This is about compliance, in part. So, yes. There are no negative consequences we know of to integrating static analysis.

---

Process checklist

- [ ] Has a clear story statement - [ ] Can reasonably be done in a few days (otherwise, split this up!) - [ ] Shepherds have been identified - [ ] UX youexes all the things - [ ] Design designs all the things - [ ] Engineering engineers all the things - [ ] Meets acceptance criteria - [ ] Meets [QASP conditions](https://derisking-guide.18f.gov/qasp/) - [ ] Presented in a review - [ ] Includes screenshots or references to artifacts - [ ] Tagged with the sprint where it was finished - [ ] Archived ### If there's UI... - [ ] Screen reader - Listen to the experience with a screen reader extension, ensure the information presented in order - [ ] Keyboard navigation - Run through acceptance criteria with keyboard tabs, ensure it works. - [ ] Text scaling - Adjust viewport to 1280 pixels wide and zoom to 200%, ensure everything renders as expected. Document 400% zoom issues with USWDS if appropriate.

[jadudm]

https://handbook.tts.gsa.gov/launching-software/lifecycle/

[jadudm]

Now that we believe this is going to production, we need to get some simple things in place. Static analysis, or the start of, is a good, simple thing to add.