I want security code scanning, so that my resulting component project has:
- a starting point for security scanning offered out of the box
- a sensible default scan coverage
- a placeholder that models good practice
Scanning Spec Draft
Given that I plan to use several programming languages and technologies, namely:
- Kotlin
- GitHub Pages
- Ruby
- Libraries
- Ktor
When I commit a composite code change on:
- an acceptable atomic push to a protected branch (the exception), acceptable behavior on:
  - CI/CD spike bootstrap
  - minor docs correction
- a Pull Request merge to a protected branch
- a release preparation push
Then all of the codebase in scope is scanned for:
- shallow probing and discovery (aka code lint, etc.)
- static probing and discovery (aka static code analysis, etc.)
And some basic scanning information links are included.
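A GitHub Actions workflow that implements the Given/When/Then above, added here as an illustration rather than taken from the issue or any existing project. It assumes a Gradle build with the ktlint plugin applied (`ktlintCheck` task), a Gemfile that includes rubocop, `main` as the protected branch and `v*` tags as the release preparation push; CodeQL's `java-kotlin` and `ruby` language packs cover the Kotlin/Ktor and Ruby (including GitHub Pages/Jekyll) parts.

```yaml
name: code-scanning

# Triggers map to the "When" clause: push to the protected branch (the exception),
# Pull Request merge to protected, and release preparation push (assumed: v* tags).
on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write   # required to upload CodeQL results to the Security tab

jobs:
  # Shallow probing and discovery: linters for the Kotlin/Ktor and Ruby parts.
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with: { distribution: temurin, java-version: '21' }
      - run: ./gradlew ktlintCheck --no-daemon   # assumes the ktlint Gradle plugin
      - uses: ruby/setup-ruby@v1
        with: { ruby-version: '3.3', bundler-cache: true }
      - run: bundle exec rubocop                 # assumes rubocop in the Gemfile

  # Static probing and discovery: CodeQL over every language in scope.
  codeql:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [java-kotlin, ruby]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality
      - uses: github/codeql-action/autobuild@v3   # builds the Gradle project; no-op for Ruby
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
      # "Some basic scanning information links are included": point the job
      # summary at the repository's code-scanning alerts page.
      - run: |
          echo "CodeQL (${{ matrix.language }}) results: https://github.com/${{ github.repository }}/security/code-scanning" >> "$GITHUB_STEP_SUMMARY"
```

Enabling branch protection on `main` with the `lint` and `codeql` checks as required status checks is what turns the scan from informational into a gate.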
Alternatives considered
GitLab offers a significant advantage both in maturity of solutions and availability of workups from our customers.
It is rejected for the time being due to historic considerations.
A plan to 'scoot over', as described by management (asei-boss), exists.
Code Scanning
Additional context
Existing tools in use
Potential Hopefuls