Google Git
Sign in
fuchsia / shac-project / shac / 07ecc7ea9e8430416220c1cfd6ced1a29fc480b9
commit07ecc7ea9e8430416220c1cfd6ced1a29fc480b9[log] [tgz]
authorOliver Newman <olivernewman@google.com>Wed Aug 16 14:23:18 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Aug 16 14:23:18 2023 +0000
tree754167ab281aa9f89922beef660e05b0adddd34a
parentaa2ee98881db08534bdf29383fc86bfe5b9f8a65 [diff]
[engine] Implement SARIF output

If the `--json-output` flag to `shac check` specifies a path to write
to, or specifies "-" (indicating stdout), shac will write a JSON file to
the specified output conforming to the SARIF schema. This can be used by
any tool or automation that needs to extract structured data from shac;
for example, automation that converts shac findings to robot comments
during code review.

I created a protobuf file for the SARIF schema so it can be copy-pasted
into consumer codebases for easy parsing.

Change-Id: I89dca26f020db015579a537fbf069ac86fbaf6d6
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/900300
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Commit-Queue: Oliver Newman <olivernewman@google.com>
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
8 files changed
tree: 754167ab281aa9f89922beef660e05b0adddd34a
  1. .github/
  2. checks/
  3. doc/
  4. images/
  5. internal/
  6. scripts/
  7. vendor/
  8. .gitignore
  9. AUTHORS
  10. codecov.yml
  11. CONTRIBUTING.md
  12. go.mod
  13. go.sum
  14. LICENSE
  15. main.go
  16. OWNERS
  17. PATENTS
  18. README.md
  19. shac.star
  20. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.