Google Git
Sign in
fuchsia / shac-project / shac / 4a0e9dd4bd68ca7f805e0759952f48430367c5cf
commit4a0e9dd4bd68ca7f805e0759952f48430367c5cf[log] [tgz]
authorOliver Newman <olivernewman@google.com>Wed Sep 27 19:56:04 2023 +0000
committerCQ Bot <fuchsia-internal-scoped@luci-project-accounts.iam.gserviceaccount.com>Wed Sep 27 19:56:04 2023 +0000
treeba2af2b80f4396503e781d677c4efde44d899980
parent62acf29a492b8cf23136a3deb549843acd56bb58 [diff]
[engine] Fix gosec

The gosec check was previously failing silently (producing a retcode of
zero) because it was run in a sandbox without the necessary environment
variables set (specifically `GOPACKAGESDRIVER=off` needed to be set for
it to work inside the sandbox).

After fixing the check there were a bunch of fixes required, mostly
related to error propagation.

Change-Id: Ib6ff1ae370d3e07fb9c63cb2bfddf907a526955f
Reviewed-on: https://fuchsia-review.googlesource.com/c/shac-project/shac/+/922774
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
Fuchsia-Auto-Submit: Oliver Newman <olivernewman@google.com>
Reviewed-by: Anthony Fandrianto <atyfto@google.com>
8 files changed
tree: ba2af2b80f4396503e781d677c4efde44d899980
  1. .github/
  2. checks/
  3. doc/
  4. images/
  5. internal/
  6. scripts/
  7. vendor/
  8. .gitignore
  9. AUTHORS
  10. codecov.yml
  11. CONTRIBUTING.md
  12. go.mod
  13. go.sum
  14. LICENSE
  15. main.go
  16. OWNERS
  17. PATENTS
  18. README.md
  19. shac.star
  20. shac.textproto
README.md

shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

usage demonstration

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

Road map

Planned features/changes, in descending order by priority:

  • [x] Configuring files to exclude from shac analysis in shac.textproto
  • [x] Include unstaged files in analysis, including respecting unstaged shac.star files
  • [x] Automatic fix application with handling for conflicting suggestions
  • [ ] Provide a .shac cache directory that checks can write to
  • [ ] Mount checkout directory read-only
    • [x] By default
    • [ ] Unconditionally
  • [ ] Give checks access to the commit message via ctx.scm
  • [ ] Built-in formatting of Starlark files
  • [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
  • [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
  • [ ] Filesystem sandboxing on MacOS
  • [ ] Windows sandboxing
  • [ ] Testing framework for checks

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.