Feature request - bootstrap security code scanning

[rdd13r]

Code Scanning

I want security code scanning so that my resulting component project has

• a security scanning start offered
• a sensible default scan coverage
• a placeholder of good practice

Scanning Spec Draft

Given that I plan to use several programming languages and technologies, namely:

• Kotlin
• GitHub Pages
  • Ruby
• Libraries
  • Ktor

When I commit a composite code change on:

• Acceptable atomic push to protected (exception)
  • acceptable behavior on
  • CI/CD spike bootstrap
  • Minor docs correction
• Pull Request merge to protected
• Release preparation push

Then all of the codebase in scope is scanned for

• Shallow probing and discovery (aka code lint, etc )
• Static probing and discovery (aka static code analysis, etc)

And some basic scanning information links are included

Alternatives considered

GitLab offers a significant advantage both in maturity of solutions and availability of workups from our customers. It is rejected for the time being due to historic considerations. Plan to 'scoot over', as described by management (asei-boss) exists.

Additional context

Existing tools in use

• CodeQL
• Qodana
• detekt
• klint
• SonarQube

Potential Hopefuls

• https://www.codacy.com/
• https://github.com/reviewdog/
• TBD

[rdd13r]

Here is the final consideration behind the devops for the fixture:

• CodeQL suffices for the low relevance ruby based docs pages
• IntelliJ, Gradle detekt is sufficient coverage for a basic component
• Qodana over GH action or locally in Docker is an adequate alternate
• Proprietary SonarQube scan, though available, is not exportable and is of no added value for this component's purpose
• Other scanners aren't necessary or even comparable
• Review Dog isn't useful for a solo project (perhaps eventually)