Add LGTM to the SAST check (#1232)
According to https://github.com/apps/lgtm-com, "LGTM is a code analysis platform for identifying vulnerabilities early and preventing them from reaching production". It's used by `systemd`, `lxc` and a lot of other large open source projects. The check is still kind of broken in the sense that it fails to detect projects where every PR is analyzed by LGTM before getting merged, but it's better than nothing I guess.

Co-authored-by: Naveen <[email protected]>
evverx and naveensrinivasan authored Nov 10, 2021
1 parent ae271b4 commit 6a2fb2e
Showing 4 changed files with 6 additions and 4 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -361,7 +361,7 @@ Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz
Maintained | Is the project maintained?
Pinned-Dependencies | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM](https://lgtm.com), [SonarCloud](https://sonarcloud.io)?
Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
Token-Permissions | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?
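Review bot: the new README wording still describes the check as detecting "static code analysis tools", but per the docs hunks in this same commit LGTM and SonarCloud are only recognised when they run as GitHub apps on recently merged PRs, and only CodeQL has the additional workflow-based path via `github/codeql-action`. A short clarification in this row, such as "static code analysis tools running as GitHub apps on PRs", would stop users who run LGTM some other way from expecting credit the check cannot give.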
2 changes: 1 addition & 1 deletion checks/sast.go
@@ -25,7 +25,7 @@ import (
// CheckSAST is the registered name for SAST.
const CheckSAST = "SAST"

var sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true}
var sastTools = map[string]bool{"github-code-scanning": true, "lgtm-com": true, "sonarcloud": true}

//nolint:gochecknoinits
func init() {
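Review bot: none of the four changed files adds a test for the new `lgtm-com` key, so a typo in the slug, or the app being renamed, would show up only as a silent drop in the SAST score rather than a failing test; add a case to the SAST check tests with a merged PR whose check runs come from an app with login `lgtm-com`. The commit message also states that the check misses projects where every PR is analyzed by LGTM before merge; a `// TODO` next to `sastTools` or a link to a tracking issue would make that known gap visible to the next person editing this map.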
3 changes: 2 additions & 1 deletion docs/checks.md
@@ -428,7 +428,8 @@ tools can prevent known classes of bugs from being inadvertently introduced in t
codebase.

The checks currently looks for known Github apps such as
[CodeQL](https://codeql.github.com/) (github-code-scanning) and
[CodeQL](https://codeql.github.com/) (github-code-scanning),
[LGTM](https://lgtm.com/) and
[SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use
of "github/codeql-action" in a GitHub workflow.

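Review bot: the new LGTM line omits the app slug that CodeQL gets in parentheses; writing `[LGTM](https://lgtm.com/) (lgtm-com) and` would let a maintainer match the docs to the key added to `sastTools` in checks/sast.go. While touching this paragraph, the unchanged context line "The checks currently looks for known Github apps" should read "The check currently looks for known GitHub apps".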
3 changes: 2 additions & 1 deletion docs/checks/internal/checks.yaml
@@ -513,7 +513,8 @@ checks:
codebase.
The checks currently looks for known Github apps such as
[CodeQL](https://codeql.github.com/) (github-code-scanning) and
[CodeQL](https://codeql.github.com/) (github-code-scanning),
[LGTM](https://lgtm.com/) and
[SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs, or the use
of "github/codeql-action" in a GitHub workflow.
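Review bot: this paragraph is a verbatim copy of the one changed in docs/checks.md above, so the same fixes apply here: "The check currently looks for known GitHub apps" in the unchanged context line, and `(lgtm-com)` after the LGTM link to mirror `(github-code-scanning)`. Keep the two copies identical, otherwise readers see different wording for the same check depending on which file they open.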

0 comments on commit 6a2fb2e