From 6a2fb2edc25c41b08d15c91b3b2a77861bca769b Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin
Date: Wed, 10 Nov 2021 21:09:11 +0300
Subject: [PATCH] Add LGTM to the SAST check (#1232)

According to https://github.com/apps/lgtm-com "LGTM is a code analysis platform for identifying vulnerabilities early and preventing them from reaching production". It's used by `systemd`, `lxc` and a lot of other large open source projects. The check is still kind of broken in the sense that it fails to detect projects where every PR is analyzed by LGTM before getting merged but it's better than nothing I guess.
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
---
 README.md | 2 +-
 checks/sast.go | 2 +-
 docs/checks.md | 3 ++-
 docs/checks/internal/checks.yaml | 3 ++-
 4 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 52a69012574..50c5131a4f7 100644
--- a/README.md
+++ b/README.md
@@ -361,7 +361,7 @@ Fuzzing | Does the project use fuzzing tools, e.g. [OSS-Fuzz
 Maintained | Is the project maintained?
 Pinned-Dependencies | Does the project declare and pin [dependencies](https://docs.github.com/en/free-pro-team@latest/github/visualizing-repository-data-with-graphs/about-the-dependency-graph#supported-package-ecosystems)?
 Packaging | Does the project build and publish official packages from CI/CD, e.g. [GitHub Publishing](https://docs.github.com/en/free-pro-team@latest/actions/guides/about-packaging-with-github-actions#workflows-for-publishing-packages) ?
-SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [SonarCloud](https://sonarcloud.io)?
+SAST | Does the project use static code analysis tools, e.g. [CodeQL](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/enabling-code-scanning-for-a-repository#enabling-code-scanning-using-actions), [LGTM](https://lgtm.com), [SonarCloud](https://sonarcloud.io)?
 Security-Policy | Does the project contain a [security policy](https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository)?
 Signed-Releases | Does the project cryptographically [sign releases](https://wiki.debian.org/Creating%20signed%20GitHub%20releases)?
 Token-Permissions | Does the project declare GitHub workflow tokens as [read only](https://docs.github.com/en/actions/reference/authentication-in-a-workflow)?
diff --git a/checks/sast.go b/checks/sast.go
index 7c3888dd9b2..e6b17f65ce3 100644
--- a/checks/sast.go
+++ b/checks/sast.go
@@ -25,7 +25,7 @@ import (
 // CheckSAST is the registered name for SAST.
 const CheckSAST = "SAST"
 
-var sastTools = map[string]bool{"github-code-scanning": true, "sonarcloud": true}
+var sastTools = map[string]bool{"github-code-scanning": true, "lgtm-com": true, "sonarcloud": true}
 
 //nolint:gochecknoinits
 func init() {
diff --git a/docs/checks.md b/docs/checks.md
index 068ba1c55bf..1202c24b79e 100644
--- a/docs/checks.md
+++ b/docs/checks.md
@@ -428,7 +428,8 @@ tools can prevent known classes of bugs from being inadvertently introduced in t
 codebase.
 
 The checks currently looks for known Github apps such as
-[CodeQL](https://codeql.github.com/) (github-code-scanning) and
+[CodeQL](https://codeql.github.com/) (github-code-scanning),
+[LGTM](https://lgtm.com/) and
 [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs,
 or the use of "github/codeql-action" in a GitHub workflow.
 
diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml
index 04a68b0ae04..897b507feac 100644
--- a/docs/checks/internal/checks.yaml
+++ b/docs/checks/internal/checks.yaml
@@ -513,7 +513,8 @@ checks:
 codebase.
 
 The checks currently looks for known Github apps such as
- [CodeQL](https://codeql.github.com/) (github-code-scanning) and
+ [CodeQL](https://codeql.github.com/) (github-code-scanning),
+ [LGTM](https://lgtm.com/) and
 [SonarCloud](https://sonarcloud.io/) in the recent (~30) merged PRs,
 or the use of "github/codeql-action" in a GitHub workflow.
 
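Review bot: The new `"lgtm-com"` entry on the `+var sastTools` line is undocumented, and the map only makes sense once a reader knows its keys are GitHub App slugs (the `apps/lgtm-com` path from the commit message) that are matched against the app behind check runs on recently merged PRs; how the map is consumed is outside this hunk, so confirm the matching really is by app slug before wording it. A one-line comment such as `// sastTools lists the GitHub App slugs (github.com/apps/<slug>) of known SAST tools; a check run from one of them on a recent merged PR counts as SAST evidence.` would keep the next addition from being guesswork. The commit message itself says LGTM-analyzed projects can still be missed; since the CodeQL path already has a second, repository-level signal (`github/codeql-action` in a workflow, per the docs hunks), an analogous signal for LGTM — presence of its `.lgtm.yml` config file — would be a cheap follow-up to narrow that gap. `init()` continues past the end of the hunk.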