Google Git
Sign in
fuchsia / shac-project / shac / 23d3f1a91f552170487e3f93057dcfbed378af0c
commit23d3f1a91f552170487e3f93057dcfbed378af0c[log] [tgz]
authorOliver Newman <olivernewman@google.com>Tue Aug 29 20:54:22 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Aug 29 20:54:22 2023 +0000
treeec2e3fa939435113459f5259a83d0702e579adbd
parentdd076d0d87cfeff800f2dcf0c59122bcf61f1b7b [diff]
[execsupport] Delete

Adding locks around forking to prevent leaked nsjail file descriptors
should no longer be necessary now that we open nsjail with O_CLOEXEC,
which prevents the file descriptor from leaking.

Change-Id: Id89a3f493c2322668a71cbd51f99e0bbd7f31efd
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/909333
Reviewed-by: Marc-Antoine Ruel <maruel@google.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
108 files changed
tree: ec2e3fa939435113459f5259a83d0702e579adbd
  1. .github/
  2. checks/
  3. doc/
  4. images/
  5. internal/
  6. scripts/
  7. vendor/
  8. .gitignore
  9. AUTHORS
  10. codecov.yml
  11. CONTRIBUTING.md
  12. go.mod
  13. go.sum
  14. LICENSE
  15. main.go
  16. OWNERS
  17. PATENTS
  18. README.md
  19. shac.star
  20. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.