PHPC-2326: Run static analysis #1539
Conversation
alcaeus
force-pushed
the
phpc-2326-static-analysis
branch
from
27fde1f to
6be0380
Compare
alcaeus
force-pushed
the
phpc-2326-static-analysis
branch
from
6be0380 to
a439899
Compare
scripts/update-submodule-sources.php
Outdated
| @@ -32,6 +32,7 @@ | |||
| foreach ($vars as $var => $path) { | |||
| $cutNth = 2 + substr_count($path, '/'); | |||
|
|
|||
| // nosemgrep | |||
There was a problem hiding this comment.
What is the point of this? I assume shell_exec is the problem here.
Does Semgrep check M4 files? If not, you can exclude the entire scripts/ directory.
Either way, the PHP files under scripts/ shouldn't require scanning.
There was a problem hiding this comment.
Excluded the bin and scripts directories as they only contain internal files
alcaeus
force-pushed
the
phpc-2326-static-analysis
branch
from
a439899 to
e4a7b12
Compare
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
alcaeus
changed the title
PHPC-2326
This PR is a proof-of-concept to use Semgrep to run static analysis. An advantage over the Coverity setup is the ability to run scans on pull requests and prevent merging of a pull request as long as issues are available. Note that this proof of concept makes use of Semgrep OSS without an account, so there is no possibility to triage issues. I'll revisit our options (there is a free tier for up to 10 contributors, but it only talks about private repositories) before continuing with the effort, but wanted to show how this could work.