shac

Shac (Scalable Hermetic Analysis and Checks) is a unified and ergonomic tool and framework for writing and running static analysis checks.

Shac checks are written in Starlark.

Usage

go install go.fuchsia.dev/shac-project/shac@latest
shac check
shac doc shac.star | less

Documentation

• doc/design.md: High-level design information.
• doc/stdlib.md: shac runtime standard library documentation.
• doc/stdlib.star: shac runtime standard library starlark pseudo code.

Road map

Planned features/changes, in descending order by priority:

• [ ] Automatic fix application with handling for conflicting suggestions
• [ ] Configuring files to exclude from shac analysis in shac.textproto
• [ ] Include unstaged files in analysis, including respecting unstaged shac.star files
• [ ] Provide a .shac cache directory that checks can write to
• [ ] Mount checkout directory read-only
• [ ] Give checks access to the commit message via ctx.scm
• [ ] Built-in formatting of Starlark files
• [ ] Configurable “pass-throughs” - non-default environment variables and mounts that can optionally be passed through to the sandbox
• [ ] Add glob arguments to ctx.scm.{all,affected}_files() functions for easier filtering
• [ ] Filesystem sandboxing on MacOS
• [ ] Windows sandboxing

Contributing

⚠ The source of truth is at https://fuchsia.googlesource.com/shac-project/shac.git and uses Gerrit for code review.

See CONTRIBUTING.md to submit changes.